If software development were a true profession, then I firmly believe that many developers would be struck off for extreme negligence or incompetence.

I’ve found and reported serious security vulnerabilities to many companies that I’ve worked with, and become very disillusioned with some of the responses. Companies that operate in fields which materially affect people's lives (such as healthcare, finance and telecoms) will deploy software that is so badly designed that there is often no need to break any technical aspect to get access to private and sensitive data.

Yet, when I report a breach, the same people who deployed software with broken (or sometimes no) authorisation models, access control, etc., are suddenly competent enough to investigate their own failure. Invariably, they always have perfect logging and reporting that could not possibly have been evaded and which proves that no breach occurred or data was exfiltrated before the vulnerability was reported.

If another professional, say an engineer, lawyer, or doctor, had demonstrated the incompetence or negligence in their field that I’ve seen some software developers display (sometimes wilfully - “It’s a feature”), they would never be allowed to work again. Software is now so important that I believe that some of the developers and technical leaders that I have dealt with in resolving security vulnerabilities should never again be allowed to work with software that interacts with personal or sensitive data (or, more generally, with software that could affect human life, safety, or privacy).