
Python Package Index found stuffed with AWS keys and malware

Lorribot

"I believe a fair bit of the blame can be laid at the feet of developers, but this sort of thing may not be part of their core competency"

Never was a truer word said.

Security needs to be a core competency, but interviews for high-skill jobs are just a self-fulfilling prophecy in that you get your developer to interview the next developer and so on, and if that skill set or your SecOps/InfoSec dude is not on the interview panel it is unlikely any security competency questions will be asked, but then how many InfoSec people understand programming enough to be able to ask relevant questions? "this sort of thing may not be part of their core competency"
