by JohnFen 695 days ago
Devs do own application security. What many need to do is realize that.

If software has a serious flaw, security-related or not, that's on the developer. If the flaw is in a service/library/component/whatever made by someone else and used by the dev, that in no way means the dev is off the hook. The dev is responsible for the code they release whether they directly wrote it or not. The buck stops there.

1 comments

Author of the article here, and I completely agree. With 25 years in web development, I've talked to many devs and given talks and workshops on developer security. In that time, I've seen many devs who want to care about security, but business priorities often push feature releases over security.

In the past, we handed apps to testers and moved on. Now, with PaaS (and to a certain extent IaaS), we sometimes get a false sense of security from network-layer protections.

Perhaps I'm too optimistic, but I'd love to see web devs equipped with the tools and knowledge to advocate for proactive security measures.

> I'd love to see web devs equipped with the tools and knowledge to advocate for proactive security measures

I agree entirely. Not just web devs, either. All devs.