Of note, the Cyberspace Solarium Commission released a transition plan [1] for Biden and there are some great policy recommendations in there. I feel like the only way forward to actually address this is to push for legislation to address these issues.
I have worked in security for about 15 or 20 years now and over the last 2-3 years have become very desensitized/burnt out because most companies just don't have the incentive to do security in an acceptable manner. Sure there are companies that are crushing it and kicking ass but the industry as a whole feels almost like it has regressed. If it weren't for ransomware that actually stops the business from doing anything, I almost feel as though many companies would not do any meaningful investment at all.
[1] Transition Book for the Incoming Biden Administration - https://www.solarium.gov/public-communications/transition-book
Ask HN: What are your thoughts on how we can address or start to chip away at this issue?
Increase penalties so that it gets priority; your point about legislation is probably the number one way. Or in other words, software needs more regulation.
In part it has been a product of "move fast and fix things later", plus how easy it has become to create applications for the inexperienced.
The shortage of developers and new entrants to the field, I suspect, has lowered the average years of experience. A security mindset and understanding all the complex ways that things can be and are broken (the security frontier) take a long time.
Cloud plays into this: it is more complex and harder to get right, and it is also easy to spin up insecure defaults. (See Helm.)
Unpopular idea most likely, but what if creating software was more akin (legally) to doing chemistry than writing books? (Not advocating, just posing a thought experiment)