Hacker News

You might ship faster but this can easily lead to poorly written, hard to maintain and insecure spaghetti code. In fact, rushing to ship / meet deadlines is probably responsible for most of the vulnerabilities in software.


Bingo. Do it right the first time. I'd rather take an extra hour on a bit of code the first time than go back and spend 2 hours refactoring it later on.


Ship too late and none of it will matter.


I guess shipping is more important to you than the possibility of losing user details (or worse). Christ, I hope I never give my details to a company you found.

Shipping quickly is important but it's also important to write quality code. Small bugs that can easily be fixed are fine but security problems or bugs related to payments, for example, are not.


So, maybe, just maybe, you take a bit more time on parts involving security (that is to say, handling of user credentials (includes session management, cookies, etc) and payment related things)?


How many companies have failed because of security flaws in their code?


Companies don't normally fail because of security flaws, in the same way Boeing doesn't go bust when it has to ground 787s. But in both cases you end up potentially taking a huge hit in costs. Off the top of my head, Sony had to write down $170 million in costs when PSN was compromised, and TJ Maxx ended up paying out $800 million in costs, damages, and compensation after their payment terminals leaked credit card details.

These are not figures you want to see on your bottom line.


If your first reaction when someone talks about security flaws in payments is 'will it make my business fail' rather than 'is this going to fuck my customers' you need to re-evaluate your priorities.


This is a straw man, right? Not all bugs are payment security bugs. Not all bugs are harmful to users. And spending more time writing cleaner code does not mean you'll have fewer bugs.


> In fact, rushing to ship / meet deadlines is probably responsible for most of the vulnerabilities in software.

I think the unspoken secret here is the probability*loss for security issues is far less than the cost of missing features / delays.



