
In my stints doing QA, I've found that developers seldom look beyond the immediately presented problem/issue, even when that problem makes it apparent that further review and consideration is warranted if not demanded. [1]

Further, all too often, minimum mitigations -- sometimes, the word "solution" cannot even be accurately applied to these -- are conceived and implemented.

When you see repeated problems cropping up like this, based upon experience, I can express the opinion that the organization and/or the individuals involved are not really paying attention or respecting sufficiently the security aspects involved.

Hopefully, the repeated bad press will begin to change this. But... those in the organization responsible for setting or sanctioning such initiative are often all too well insulated from the immediate "real world".

--

[1] P.S. I guess I should qualify this to say that I'm speaking of what I consider to be a typical "corporate" environment. Lots of politics and inertia and, all too often, "just do what you're told".



