I understand the need to raise money for projects, but the attitude[1] that security is an optional "premium" feature needs to end.
It should be no different from shipping broken code. You can't just say, "oh, well we offer a premium build that actually works, for users that want that." Everybody needs it.
Evernote made this mistake initially when SSL was originally a premium feature. They fixed it.
Granted, there are degrees of security but protection from MITM attacks is fundamental. (Especially for executable code!)
UPDATE: @weekstweets just deleted the tweet I was referencing where he described security as a premium feature "for users who desire it" or words to that effect.
But will users in aggregate pay more when extra effort and resources are expended on security? Will you?
If the answer is no, then the smart developer has no financial incentive to do so, and every reason to segment security out as a premium feature.
Maybe MITM vulnerability counts as broken code. But as always, markets win. I don't think the status quo will change until users consider security assurances worth hard dollars.
Good luck getting your users to come back and trust you after a major security incident that compromises their systems. I would turn it around and think of it this way: is it worth giving up some profit to help ensure you don't have embarrassing and damaging security issues? It's like insurance, you pay the premium and hope you never need it.
The software that runs the repository is nearly irrelevant for the purpose of this discussion. The question is solely about services, which are a lot more difficult to fund at scale.
By that logic, smart developers have no financial incentive to fix bugs unless it's for a paid upgrade.
Think through that a little more and I think you'll find there is long-term ROI in the form of customer trust and goodwill. You'll buy the product because it works and won't hurt you, and basic security should be part of "won't hurt you".
Think through a little more of what the parent poster said. If companies truly did gain that much more trust and goodwill from secure code, they would all be doing it.
But they are, with increasing intensity. Companies really suffer from security blowups and customers are becoming more aware of its importance. This is why the attitude I cited is so dated and needs to finally come to an end.
I've heard the "companies are finally taking security seriously" mantra for almost 20 years.[1] Maybe it's true this time. But often the customers don't give a hoot whatsoever, and so the company doesn't either. Admonishing them might feel good, but unless you are paying them money, your opinion is not really an issue to them.
[1] I had a boss who insisted that TJ Maxx was going to collapse because of their security holes. Nope.
[1] https://twitter.com/mveytsman/status/491298846673473536