Why are sites insecure? Because security is treated like a feature.
Features are things we add to the product because we think the user wants them.
Some features have value, some don’t.
The only thing users care about is value,
because the only thing of value is what users care about.
So we don’t want security to be a ‘feature’.
We don’t want security to be a helper function.
We need security to be the product.
It’s why people come to your site,
It’s why people would ever pay your site,
It’s why people would ever trust your site.
If you can offer security, as your product,
then you can literally offer anything else you want
from that moment further, was zero friction.
Think of it this way.
Security, as in ‘authentication, authorization, and accounting’,
is the collection of platform primitives
that can be used to implement any other feature.
Likewise, there isn’t a single feature that can be implemented,
It is the foundation of the entire platform.
It is the cornerstone of the product line.
Security isn’t a feature. Security is the product.