Real talk: Accessibility interferes with security audits

Let me paint you a picture of stupidity in action. You can stop reading if you've never been in a similar situation.

Say you're working on fixing accessibility on the site.

You already knocked out a bunch of issues and are excited to ship. Then management calls a meeting. "We need to talk." That's rarely a good sign.

"Security says we can't ship the accessibility fixes just yet."

You nearly choke on your coffee. "They're blocking accessibility improvements for a security audit?"

Apparently making the site usable with a keyboard poses some existential threat to the integrity of the system. You can't add alt text to images or ARIA labels to buttons because it might interfere with penetration testing. Everything has to remain baseline stable during the audit window.

Proper alt text, keyboard navigation, colour contrast. This is real stuff that real people need. It's done, tested, ready to ship.

But oh no, it can't go live because security is conducting their annual audit and has put a blanket freeze on all front-end changes. Your accessibility improvements are held hostage while someone checks if your web server software is up to date and your password requirements are strong enough.

You've got people who literally cannot use your site.

Some weeks later and those accessibility fixes are still sitting in a branch while users with disabilities struggle. But hey, at least the password meets the requirements of minimum 12 characters, two numbers, one special symbol, no dictionary words and must be changed every 30 days, right?

Brilliant work.

Since you've read this far, I bet you've lived through something eerily similar to this, haven't you?
