by eli 4688 days ago
Because it's easy to do things the wrong way and a site built the wrong way still works, it's just insecure.

i.e., the problem is that "properly secures access to data" is all too often not part of the definition of "works" applied to systems.
Sure, probably true. But I would assume most people who write insecure code do so because they don't know how to do it the right way, not because "must be secure" wasn't in the requirements doc.
If security (operationalized properly) was part of the requirements against which it was evaluated prior to release, insecure code wouldn't be released.

("Must be secure" is a much higher level requirement than anything that is testable, but a high level requirement is meaningless except to the extent it's operationalized into lower-level requirements that are testable -- or analytically provable, but that's even harder.)