Reply to post: Why is lack of security a surprise?

FOSS developer survey: Mostly male, employed... and many don't care about 'soul-withering chore' of security

Rich 2

Why is lack of security a surprise?

The general public don't give a dingo's kidney for security - that's why faecesbook and google etc are so profitable, and why Amazon manages to sell internet-based home "security" kit.

Why would the average software bod care? They should - yes. But in reality, no. I used to run a commercial website based on an open source framework osCommerce. I found out very quickly that most of the people developing with it didn't give a shit about security, either of their web site or (most depressingly) their customers. The problem is not limited to e-commerce of course.

One problem is that good security is difficult and most people don't know where to start with it, and have little inclination to find out. And if Bill Bloggs develops a program to twiddle some stuff about, as long as it works for him then he's likely happy; it's not his problem if someone picks up his program and gets borked as a result. I think it's more a reflection of the sad state of humanity than poor engineering practice (which it is, of course).
