I've just read this small article from Paul Graham, called "The other half of 'Artists Ship'". The key point of the text is this:"For good programmers, one of the best things about working for a startup is that there are few checks on releases. In true startups, there are no external checks at all. If you have an idea for a new feature in the morning, you can write it and push it to the production servers before lunch. And when you can do that, you have more ideas.At big companies, software has to go through various approvals before it can be launched. And the cost of doing this can be enormous—in fact, discontinuous. I was talking recently to a group of three programmers whose startup had been acquired a few years before by a big company. When they'd been independent, they could release changes instantly. Now, they said, the absolute fastest they could get code released on the production servers was two weeks.This didn't merely make them less productive. It made them hate working for the acquirer."Assuming that writing secure code and the complete Secure Development Life Cycle can be described as "checks" and "controls", it would be natural to assume that good programmers don't want to work for companies with a SDLC in place. That is certainly an important thing to consider when considering a more secure approach to software development. We know that a SDLC works for generating more secure code. But can we keep the good programmers while doing that? Can this issue be a problem big enough to make a company choose to not implement a SDLC?