There’s an interesting article at C|Net, written by Jon Oltsik, who is a senior analyst at the Enterprise Strategy Group, about security in general and the problems caused by insecure software. It says:
Any chief information security officer will tell you that one of the biggest issues related to information security comes down to poorly written software. This should not come as a surprise.
Typical developers have almost no training on secure development. Even if they did, software engineers are usually compensated for adding software functionality and meeting deadlines, not eliminating software vulnerabilities.
As a result of all of this buggy code, IT is often forced into building a post-development security strategy. Security safeguards like firewalls, application gateways, packet filtering, behavior blocking and patching are put in place to overcome software attacks against software vulnerabilities, open interfaces, and insecure features. In a medical setting, this approach might be described as “treating the symptoms rather than the disease.”
Read the complete article here.
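The “symptoms versus disease” point above is easiest to see in code. The following is an added example written for this post, not code from Oltsik’s article: one login lookup written with string concatenation (the disease), the same lookup placed behind a perimeter blocklist of the application-gateway sort (treating the symptom), and the lookup rewritten with a parameterized query (the cure). The table contents, the blocklist pattern and both attack strings are constructed for illustration; it uses only the Python standard library and an in-memory SQLite database.

```python
"""
Added example: the same login check written three ways, to show why a
bolted-on input filter treats the symptom while fixing the query removes
the disease. Sample data, blocklist pattern and payloads are constructed.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single user with a known password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The disease: untrusted input becomes part of the SQL text."""
    sql = (
        f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


# The symptom treatment: a perimeter blocklist of the kind an application
# gateway or packet filter applies. Hypothetical pattern: it rejects the
# textbook "' OR " injection but knows nothing about the query it protects.
BLOCKLIST = re.compile(r"'\s*or\s+", re.IGNORECASE)


def gateway_allows(value: str) -> bool:
    """True when the perimeter filter would let this value through."""
    return BLOCKLIST.search(value) is None


def login_behind_gateway(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Same vulnerable code, reachable only through the blocklist."""
    if not (gateway_allows(name) and gateway_allows(password)):
        return False  # request dropped at the perimeter
    return login_vulnerable(conn, name, password)


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The cure: bound parameters are never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Constructed payloads. The first is what the blocklist was written for;
# the second replaces the spaces with SQL comments, which SQLite's parser
# treats as whitespace but the regex does not.
CLASSIC = "' OR '1'='1"
BYPASS = "'/**/OR/**/'1'='1"


def compare(password: str) -> dict:
    """Run one password value through all three variants as user 'admin'."""
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, "admin", password),
            "gateway": login_behind_gateway(conn, "admin", password),
            "fixed": login_fixed(conn, "admin", password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, value in (("real password", "hunter2"), ("classic", CLASSIC), ("bypass", BYPASS)):
        print(f"{label:14} {compare(value)}")
```

The real password succeeds in all three variants. The classic payload logs in against the vulnerable query, is stopped by the gateway, and fails against the parameterized query. The comment-laden variant slips past the gateway and logs in anyway, while the parameterized query still rejects it: the filter only narrowed the set of inputs that trigger the bug, whereas the fix removed the bug, and no further patching of the filter is needed when the next encoding trick appears.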
I’d also recommend reading an older article titled “Programmers told to put security over creativity”, also at C|Net. It can be found here.