Front-line programmers default to insecure practices unless they are instructed to do otherwise

This study has so many flaws, I don’t even know where to start. It amazes me that anyone would expect any other outcome.

To name just a few, these are freelancers, recruited internationally through a job board, doing a cheap, short job ($100-$200 for a well-engineered solution? Give me a break.). Just setting it up this way puts expectations in the minds of the freelancers about what kind of effort they are willing to put into it, and also they have expectations about what the client wants when they recruit that way. It’s a self-selected group of freelancers who would even go for that kind of cheap, quickie job.

And there are so many affiliated assumptions, like if you are only expected to work on it for a few hours, you know you are not going to spend several hours communicating with the client about the specific design requirements, trade-offs, and recommendations, which need thoughtful consideration by the client, and a delay in getting the job done.

If you offer $200 on an internet ad board for random people to build you a race car, you MAY get a soap box derby racer; you definitely won’t get a Formula 1. It’s not reasonable to expect anything else.

17 Likes

Front-line ~~programmers~~ script kiddies default to insecure practices unless they are instructed to do otherwise

FTFY

7 Likes

What would be the hourly rate for a one hour job?

I don’t think this is remotely surprising. If you care about code quality, you do it in-house, with code reviews and regressions. If you don’t have the means to do that, and you’re just making a website, you go with a company that’s been around for a while and has a reputation. Anyone who will even write a single line of code for $200 is not someone you want to be hiring.

8 Likes

The most important take-away from this study is that people think “programmers” are a monolithic block akin to seasoned software engineers. They are not. Programming is a skill akin to reading or writing. If the study had instead concluded that 85% of writers – by which we mean people who responded to an online advertisement, saying, “yes, I know the English” – can’t write an entertaining screenplay, then it would be clearly a non-story.

21 Likes

Yeah, my college courses never went in-depth on best practices and they focused mostly on the abstraction of computer science. It’s not to say that’s not worthwhile, but sometimes I felt that the teachers weren’t willing to get into the guts of how to write a program that fits with requirements and best practices. Plus there was no decent software architecture class, so I’m just learning this years after I’ve earned my degree. It’s kind of annoying too since I’ve probably learned more in the last two years applying what I know on real world projects than I have with all the “build a chat server” example projects.

Heck, even my graduate studies didn’t dig into the details until I took one course on databases. It’s just wild how uneven some college programs are with respect to computer science and/or engineering.

11 Likes

If you work for a company long enough, it’s definitely “your code”. Not in the sense that you can sell it on your own, get royalties, or own the copyright. But, you’ll get calls to support it for years, decades, or basically forever. If it’s a big enough company, and you switch roles a dozen times, you’ll still get calls about “your code” from the first role you had many years later.

12 Likes

I got a call last year about a program I had written 15 (yes, fifteen) years ago.

I was stunned that it was still in use.

7 Likes

If you have ever worked in internal IT development for a big company, you can see where this comes from. There are basically 3 types of programmers there:

  1. Finds an answer on StackExchange, works to understand what it does and why, adapts the answer for the problem they’re trying to solve.
  2. Finds an answer on StackExchange and plugs it directly in, hoping it works. Tries again when it doesn’t. Has no idea why it does or doesn’t work, or what it’s really doing.
  3. Doesn’t even know what StackExchange is.

The third one is less dangerous than the second.

12 Likes

Wait until they call back in another 9 years when it’s 25 years old. :smile:

3 Likes

I wouldn’t know. My last freelance job was several years ago, and only for a friend. Even back then, that would only buy two or three billable hours max.

Edit: I do front end work. We get paid less than Java devs, but as long as I can pay my bills I’m happy. Also, I didn’t consider myself a senior dev back then.

2 Likes

Like @mmascari says, it’s my code in the Git repository. It’s code that when I have moved on, years later will still be maintained. There is a certain pleasure in seeing code praised that money cannot buy. Or in having it seen as an example of how to do something elegantly.

6 Likes

If someone paid me $100 (or €100) for something like this, I’d do the bare minimum as well. Hell, even just the research to learn how to get it working securely would take more hours than $100 or $200 pays for.

People even taking this job shows the job market is quite desperate.

For $200 I’d maybe get you a ‘proof of concept’ full of placeholder code. To be built out when the final budget gets known.

5 Likes

If properly contextualized, I do think it’s an important finding for the sole reason that people actually do ask for this kind of work to be done on freelancer websites, and do expect it to be this cheap. The real lesson of the study is “don’t go sticking your sensitive information in any old socket on the internet…”

I started out taking jobs on freelanceswitch, and the amount of people asking for someone to build “Facebook, but with this one killer feature” and having maybe $500 on hand was staggering.

11 Likes

It wasn’t until I was nearly done with my CS program that I realized that some universities focused on abstraction while others focused on the latest languages, platforms, SDKs and so on. My program was very abstract and hadn’t integrated any of the new exciting stuff going on out in the wild. At the time I felt cheated and underprepared for going out and interviewing.

Twenty years later… I am really glad my school taught in abstract concepts and wasn’t chasing the latest craze. All the stuff I felt I had missed out on is long since dead. The abstractions you learned will allow you to continually evolve with the times.

16 Likes

How many lines of code? :smirk:

I have no qualms with freelance job boards. But it’s what you said earlier: you get what you pay for.

OS changes can be really bad for this, because it’s when you upgrade to the new version and your old system doesn’t work anymore that you go to StackExchange looking for the problem. But the problem is something brand new in this OS, so the StackExchange answer is likely out of date. Your best hope is that it’s a problem in a commonly used subsystem (oh, systemd changes, again…) and thousands of other people will have already had the problem.

1 Like

Nothing major, just the entire user registration and authentication system…

4 Likes

For a hundred bucks I’ll talk to them on the phone and explain why they should spend a thousand.

Edit: In retrospect that sounded like bragging so to clarify: job boards are great for different types of tasks / levels of experience, and there’s definitely dev work that can be done for that kind of money. But your auth layer isn’t one of those things.

9 Likes