There is no such thing as being "done" with security. You can as deep as you want, with as large a team as you want, and never be able to say "okay, we're secure now."
If basic ethical grounding requires security to be the top priority, and security work is inexhaustible, then it must be unethical to ever work on the product being secured.
No, but there is such a thing as "following best practices".
An ethical approach requires you to reason about which actions are moral, not to be "done" with something. As I said, even a basic knowledge would be really helpful.
It's easy to reference amorphous "best practices." As Tannenbaum said, it's nice to have so many to choose from. The real challenge is deciding which practices apply, and what authority to figure to recognize when determining "best."
I agree. But following best practices is a completely different thing from treating security as the top priority. Best practices include tradeoffs that balance security risk with cost and businesss needs.
There is no such thing as being "done" with safety. You can go as deep as you want with as large a team as you want and never be able to say "okay we're safe now."
If basic ethical grounding requires safety to be the top priority, and safety work is inexhaustible, then it must be unethical to ever work on the product being safe.
Absolutely correct. Safety is about managing risks, not eliminating them completely at all costs. An airline which truly saw safety as the top priority would never put a plane in the air. Making money is the top priority; safety (or security) is one consideration that influences how you go about it.
If basic ethical grounding requires security to be the top priority, and security work is inexhaustible, then it must be unethical to ever work on the product being secured.