Ok, I saw this on the site of the Veracode folks a while back, but it still bears mentioning, or as they say in some circles, QFT.
So lots of folks have been wondering about the security mindset and how it maps to product creation or the implementation of software. Some even state that this mindset is in fact part of mathematics and can be taught there.
Security is about thinking about stuff and how it can be broken, while the usual computer engineering is more busy thinking about how stuff can be built. The trick is, we need our builders to think about BOTH while building systems, or we can't sufficiently and cost-effectively move away from security as a separate governance function to security as an engineering process. And if we can't do that, we'll be stuck paying for security as an afterthought instead of having security "built in". I see signs that this might be changing at the OS / platform level; however, the Web 2.0 and Cloud / Grid folks really seem to need to pick up on this lesson.