Software should be secure by default. No defense of honor is necessary.
> This line of thinking has led to many foreign wars of choice, where we send young men to die and our nation received nothing in exchange. "It was the right thing to do" is uttered by those who did nothing
I am not able to find any references to the war of regression or the battle of cve-2021-44228, so I'll have to call nonsense on this one.
Security should be free (or rather, things should not be released if they aren’t reasonably secure) for a couple reasons.
We’re all on the same internet, people getting taken over and used as ddos nodes, leveraged for further attacks, or leaking PII is a pain for everybody.
Skimping on security is always easier, and security is hard to detect for the end user. We shouldn’t have a race to the bottom on this stuff.
For volunteer projects, like a lot of open source, we can’t really make demands. But I think it is still unethical to release an open source project that invites itself to being used in an insecure manner. It is like an “attractive nuisance” (typical example: in some jurisdictions, you might be responsible for an un-fenced pool on your property if a kid falls in it, even if getting to it required trespassing, because we don’t want a society where uninformed people die avoidably). Without a customer service relationship, open source developers don’t have an obligation to make something useful, but nobody should put harmful things out into the world.
People don't want to get hurt, physically, emotionally, financially.
> Not just in software but in general?
People being harmed is very expensive.
> you need to pay tribute to those who can
This is a very primordial view of things. Security and safety are literally the underpinning of modern, western society. The cost of that security is baked into prices for services and products, taxes and law.
Then don't use it? It's non-functional right? I don't get where the complaints come in.
Side note: Security in these discussions is often something more like "It works with my single sign-on system" or "It lets me check this box on my audit form". Security doesn't only have to happen at the app layer, and it's completely doable to isolate any software in a way that is secure despite itself. So it's less security and more convenient security that is being demanded for free, most often by people who offer nothing for free themselves. The entitlement is really extreme.
> Security doesn't only have to happen at the app layer
Agreed and once an application has differentiation between a “super user” and users of fewer privileges, it needs an application security model. Additionally once there are differences in which data a user may access, it needs a data security model.
Not only do I demand secure software by default, but I actively work to terminate relationships with companies who feel how you do. They can have whatever ideals they'd like, just none of the money I steward.
In that case it isn’t really security at all, right? Integrating with some SSO system is fine to charge a premium for, as long as the default form of authentication is reasonably secure.