The reason software security sucks is that it means something different to each of the three parties involved: the developer, the architect and the user. As a developer, it's a pain to implement it. As an architect, it's a pain to define it. As a user, I don't really give two cents unless it prevents me from doing my job.
Now, I guess I should back down from the post title. But it's true. Developing and designing applications with security in mind is a very daunting task. In my opinion, and of course it's all mine, web applications seem to provide the biggest scare to employers and users. Desktop applications, for some reason, give everyone a sense of security. Could it be that they're primarily self-contained?
There have been hundreds of white papers, blog posts and books written about software security. A company I worked for not long ago, which sells security software, had two security experts on staff: guys whose whole job is to help define the security concerns for the architecture of the software.
[just had a thought about testing and security, next post]
I know this: in the end, when it comes right down to it, most companies will bend and forgo any security in software, especially if their current development staff doesn't understand the necessity of security. Sure, they may learn some, but it will be weak at best.
OK, I admit it. I'm one of those guys. As I was looking at a project I'm working on today, I was a little stumped as to where the security holes were. Or were there even any? As the leader of an enormous one-man operation, I should know this stuff. So, I set off to learn more about the security of software development.