We’ve all heard of “security from ground up”, “security is not a feature, it’s a process”, “Embedded security”, “Security awareness”. All of this sounds like self-censorship applied to the software developer.
Today, i chanced upon James McGovern’s Firewall 2.0 which reminded me of a discussion i had recently with Marc Blanchet about how Security section became mandatory in every RFC. My argument could be formulated this way : “This move goes against a basic good design principle : separation of concerns“. Then i acknowledged that this fits into a more general movement in favor of security.
Generally speaking, security comes at the cost of freedom. There is no workaround. Whereas freedom is essential to development. Including software development. Security and Development are two antagonist values, and there should be two antagonist powers behind them. None should care about security and development at the same time. Otherwise he will certainly break both.