If it's worth saying, but not worth its own post, then it goes here.
Notes for future OT posters:
1. Please add the 'open_thread' tag.
2. Check if there is an active Open Thread before posting a new one. (Immediately before; refresh the list-of-threads page before posting.)
3. Open Threads should start on Monday, and end on Sunday.
4. Unflag the two options "Notify me of new top level comments on this article" and "
Doesn't work for me. I am the guy saying "we should not be doing X, because when you google for X, the first three results are all telling you that you definitely shouldn't be doing X", and everyone else is "dude, you already spent the whole day trying to solve this issue, just do it the easy way and move on to the other urgent high-priority tasks".
Probably depends on the type of company, i.e. what the trade-off is between "doing the project faster" and "covering your ass" for your superiors. If they have little to lose by being late, but can potentially get sued for ignoring a security issue, then yes, this is really scary.
A possible solution is to tell the developer to just do it as fast as possible, but still in a perfectly secure way. Have daily meetups asking him ironically whether he is still working on that one simple task. But also make him sign a document that you can deduct his yearly salary if he knowingly ignores a security issue. -- Now he has an incentive to shut up about the security issues (to avoid giving a proof that he knew about them).
"A possible solution is to tell the developer to just do it as fast as possible, but still in a perfectly secure way. "
Thanks, Satan!