20061130

Wresting free from a software straitjacket

Link

I would say "what more can I say", but there IS more that I can say:

1) It's more frustrating because not only do developers not get time to write securely in the first place, or get trained to do so, but MOST semantic issues are flaws that are not related to security. Output filtering and input validation are basic tenets of code quality, not specific to security. Developers should be doing these things anyway.
2) Another very large set of software security flaws are not related to the source code itself, but to poor engineering. So not only do the developers need to be re-trained, the engineers really need to be trained.

So the training for developers needs to be focussed on writing quality code, not how to identify SQL Injection, and engineer training needs to be focussed on protecting identity and dealing with proper signature of requests.

But please read the article. Oltsik is a far better writer than I.
