22

I am amazed how specific everyone is being about security vulnerabilities at their employers. Hopefully no one social engineers what company you work at.

Comments
  • 1
    ... or they do, and management begins to understand the implications of accruing technical debt, such as cutting your sprint or not giving you enough sprint time to finish adding real authentication because:

    "The web app already does all the features we want it to do with your latest update. Why are you going to spend another week on it if it isn't going to do anything different?"

    And then your "dramatic" explanation of client/server side validation falls on deaf ears: cleaning up debug code, adding try/catches, sanitizing input, or explaining how a user manipulating the DOM, URL, or query string could circumvent or crash everything.

    Unfortunately, management tends to not care until they are forced to care. That is how my employer's QA department came to exist.
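The point above about client-side checks being circumventable can be made concrete. The following is an added example, not code from the commenter or their employer: a request handler that re-validates an order taken from a raw query string, because any limit a browser form enforces (a `max` attribute, a displayed price) can be changed by editing the DOM or typing the URL by hand. The SKUs, the catalogue dictionary and the quantity limit are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed catalogue standing in for a database lookup (hypothetical SKUs).
CATALOGUE = {"sku-100": 1999, "sku-200": 499}  # price in cents
MAX_QTY = 10  # the same limit the HTML form's max="10" attribute would show


def validate_order(query_string: str) -> dict:
    """Validate an order from a raw query string, trusting nothing from the client.

    A browser form may restrict qty to 1..10 and show a price, but the user can
    edit the DOM or send any query string, so every check is repeated here and
    the price comes from the catalogue, never from the request.  Malformed input
    yields an error dict rather than an unhandled exception that crashes the handler.
    """
    params = parse_qs(query_string, keep_blank_values=True)

    sku = params.get("item", [""])[0]
    if sku not in CATALOGUE:
        return {"ok": False, "error": "unknown item"}

    try:
        qty = int(params.get("qty", [""])[0])
    except ValueError:
        # Non-numeric or missing qty is a client error, not a server crash.
        return {"ok": False, "error": "qty is not an integer"}

    if not 1 <= qty <= MAX_QTY:
        return {"ok": False, "error": f"qty must be 1..{MAX_QTY}"}

    # Any client-supplied "price" parameter is simply ignored.
    return {"ok": True, "item": sku, "qty": qty, "total_cents": CATALOGUE[sku] * qty}


if __name__ == "__main__":
    # Constructed query strings: one honest, the rest tampered or malformed.
    for qs in ("item=sku-100&qty=3", "item=sku-100&qty=3&price=1",
               "item=sku-100&qty=-5", "item=sku-100&qty=abc", "qty=1"):
        print(f"{qs!r:40} -> {validate_order(qs)}")
```

The tampered requests (negative quantity, a forged `price`, a non-numeric value) are all rejected or neutralised without any dependence on what the form in the browser allowed.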
  • 0
    @MakubeX True, but exposing this kind of thing gets people fired. And it gets the wrong people fired. The whistle blowers are the ones who end up suffering. Not the idiots in management who thought making the password to the accounting database "guest" was a good idea.

    The problem with a data breach isn't who's wrong or who's right... it's that one happened. And unfortunately with these dipshits with business degrees, it's an inevitability. So would you rather be the one to get fired for being the whistle blower and telling the whole world what security vulnerability your company has, or would you rather make it just a tiny bit harder for Eve to get your data and be blameless when it happens?