Steve Jones - SSC Editor (11/11/2013)
I'd still argue this is more an internal developer professionalism issue than a business case. We, as people that teach and help others, need to present good examples and teach people with some level of best practices at all levels. Not dumbing down examples with "blank passwords", no error handling, code that allows SQL Injection, etc.
If people have the skills and knowledge, it becomes less of an issue because it doesn't really take longer to write the code well at the start.
In terms of refactoring, no idea how to present the case that things need to change. Adobe is a good example, though many business people might prefer to roll the dice that their information will not be lost/copied.
I think this is the perfect justification for the implementation of standards and 100% code reviews. It also justifies special test software that will test the begeesus out of your applications for "penetration". We do both.
--Jeff Moden
Change is inevitable... Change for the better is not.
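An added illustration of the "dumbed-down example" problem the quoted post describes, not code from either poster: the string-concatenated lookup a tutorial might show next to the parameterized, error-handled version it should show instead. It uses Python's built-in sqlite3 module with a constructed in-memory table so it runs offline; the same split (string building versus bound parameters plus error handling) applies to any SQL Server client library. The table, user names and the `UserLookupError` type are assumptions made for the demo.

```python
import logging
import sqlite3

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("user_lookup")

# Constructed sample data for the demo; not data from the thread.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")]


class UserLookupError(Exception):
    """Hypothetical domain error raised to callers instead of raw driver errors."""


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'dumbed-down' tutorial version: string concatenation, no error handling.
    Any quote character in `name` becomes part of the SQL statement text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query plus input validation and error handling.
    `name` is bound as a value, so quotes or SQL keywords in it can never
    change the statement; a legitimate name such as O'Brien just works."""
    if not isinstance(name, str) or not 0 < len(name) <= 64:
        raise ValueError("name must be a non-empty string of at most 64 characters")
    try:
        cur = conn.execute("SELECT name, role FROM users WHERE name = ?", (name,))
        return cur.fetchall()
    except sqlite3.Error as exc:
        # Log the real cause for operators, but hand the caller a domain error
        # rather than leaking driver and SQL details to the user interface.
        log.error("user lookup failed: %s", exc)
        raise UserLookupError("user lookup failed") from exc


def demo() -> dict:
    """Run both versions against the same inputs and collect what each returns."""
    conn = make_db()
    results = {}
    # A normal lookup works either way.
    results["unsafe_alice"] = find_user_unsafe(conn, "alice")
    # A quote inside a legitimate name breaks the concatenated statement...
    try:
        find_user_unsafe(conn, "O'Brien")
        results["unsafe_obrien_error"] = None
    except sqlite3.OperationalError as exc:
        results["unsafe_obrien_error"] = type(exc).__name__
    # ...and a textbook tautology turns the WHERE clause into "match everything".
    results["unsafe_tautology_rows"] = len(find_user_unsafe(conn, "x' OR '1'='1"))
    # The parameterized version treats both strings as plain values.
    results["safe_obrien"] = find_user_safe(conn, "O'Brien")
    results["safe_tautology"] = find_user_safe(conn, "x' OR '1'='1")
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for anyone writing teaching material: the safe version is no longer than the unsafe one, which is exactly the argument in the quoted post that writing it well at the start costs nothing extra.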