The business case for security frameworks

One of the reasons why vulnerabilities are still commonplace is that each new generation of developers makes the same mistakes. I don't put the majority of the blame on them, because they may not know any better. Many of the people I know who've attended college received no training in secure programming, and the few who did only had these classes available in grad school (and even that isn't the norm). Even then, these courses only cover buffer overflows and never get to some of the most popular vulnerability types, such as SQL injection or XSS. For starters, the majority of programmers don't have master's degrees or access to secure development training, and they need direction on security practices that can take months, even years, to develop on their own. The problem is that until they have these security skills, they may be writing vulnerable code.

I've been in the IT industry for many years, and I find that everyone names focusing on education, performing security assessments (post-production), and (depending on the situation) using a tool or two as the most acceptable solutions. I am all for education, but as stated above it takes time and money, and until these people are properly trained they can expose your application to risk. Admittedly they also expose your application to stability and performance problems, but let's stick to security for the time being. Having been involved in finding people with security knowledge and training, I can tell you that finding people who fit this group is extremely difficult and can be impossible when you're trying to find five or more. From my experience, managers seeking people with this skill set find themselves unable to fill either the number of heads in their headcount or the roles that need the right skills, and end up hiring merely OK people. One can argue that this is just bad management, but those of you who've been in similar situations know each one is different and that you can't stop business from happening.
