Security Onus Is on Developers

I actually read this eWeek article on my way into work in its print form. (A one hour train ride into NY City every day can do wonders for your reading backlog...) I liked some of the points so much that I tracked down the online version so I could blog it here.

Essentially, poor code quality can have as much of an impact on security as the hackers themselves.
"In 2004, Internet Explorer had a publicly revealed vulnerability that had not been patched on 98 percent of the days [of that year]. Firefox was vulnerable on 7 percent of the days [of that year]. That tells you that what the application developers are doing can make a big difference."

David Wagner
I'm a strong proponent of code inspections, especially automation of the more mundane but insane little detail checking. But it has always amazed me how hard it is to get management's approval to purchase inspection tools. It usually comes quickly though, once one of those small mistakes has caused a big problem. Bill Pugh points out the other side of the coin... that everyone makes mistakes, even the smartest of developers.
"A lot of people think that errors and defects and stupid mistakes are things that the 'lesser programmers' make. One of the things that I've found is that tools find insanely embarrassing bugs, written in production code, by some of the very best programmers I know."

Bill Pugh
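To make the "mundane but insane little detail checking" concrete, here is a small automated inspection pass added as an example (it is not code from the post, and it is not one of Bill Pugh's tools, which target Java). It uses Python's standard `ast` module to walk a parsed source file and flag three bug patterns that reviewers routinely skim past: identity comparison (`is`) against a literal, a bare `except:` that hides every failure, and a mutable default argument shared across calls. The sample source it inspects is constructed for the demonstration; the function names in it mean nothing.

```python
import ast

# Constructed sample source (not from the post): three small mistakes of the
# kind an automated checker catches reliably and a human reviewer skims past.
SAMPLE_SOURCE = '''
def check_token(token, expected):
    if token is "admin":            # identity compare against a literal
        return True
    try:
        return token == expected
    except:                         # bare except swallows every error
        pass

def add_user(name, roles=[]):       # mutable default shared across calls
    roles.append(name)
    return roles
'''


class MistakeFinder(ast.NodeVisitor):
    """Collects (line, message) findings for a few well-known bug patterns."""

    def __init__(self):
        self.findings = []

    def visit_Compare(self, node):
        # `x is "literal"` compares object identity, not value; it only works
        # by accident of interning and silently breaks when it does not.
        for op, right in zip(node.ops, node.comparators):
            if (isinstance(op, (ast.Is, ast.IsNot))
                    and isinstance(right, ast.Constant)
                    and right.value is not None):
                self.findings.append(
                    (node.lineno, "identity comparison ('is') against a literal; use '=='"))
        self.generic_visit(node)

    def visit_ExceptHandler(self, node):
        # A handler with no exception type catches everything, including
        # errors the caller needed to see (and KeyboardInterrupt).
        if node.type is None:
            self.findings.append(
                (node.lineno, "bare 'except:' swallows all exceptions"))
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        # A list/dict/set default is created once and then shared by every
        # call that omits the argument, so state leaks between calls.
        for default in node.args.defaults + node.args.kw_defaults:
            if isinstance(default, (ast.List, ast.Dict, ast.Set)):
                self.findings.append(
                    (default.lineno, "mutable default argument is shared across calls"))
        self.generic_visit(node)


def inspect_source(source):
    """Parse `source` and return a sorted list of (line, message) findings."""
    finder = MistakeFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


if __name__ == "__main__":
    for line, message in inspect_source(SAMPLE_SOURCE):
        print(f"line {line}: {message}")
```

Each check is a few lines, which is the point: none of them requires a clever analyst, only the discipline to run them on every commit, and the output is the kind of list that is hard to argue with when a purchase (or a CI job) is on the table.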