Comment by gpm
4 years ago
I've worked in an environment where all the developers did basic security training, and I've worked (well, interned) in an environment where prod had a default-deny firewall for outbound traffic.
The latter was definitely a hell of a lot more trouble. The latter was also definitely a hell of a lot more secure - and not because I had tons of faith in the code.
I currently work in a place that does both, yet still find questionable things on a weekly basis!
Exhausting, lol