Wonder why software security sucks? Look no further than what software developers and architects do and talk about; hint: it ain't software security. To wit, JAOO is one of the leading software conferences. It presents a "broad range of topics in professional software development." Many of the leading names in software development speak there. Surely, with all our apps getting ripped to shreds by malicious hackers, getting improved security into the apps is a hot topic, right? Guess again.
The tracks go over in exhaustive detail app frameworks, complexity, scalability, quality, variability -- come to think of it, the tracks address every word in the English language that ends in "-ity" except security.
Sadly, this incessant navel gazing is nothing new. Here is Tim Bray's comparison of web app frameworks - PHP, Rails, and Java. The criteria for comparing web app frameworks must surely include security, right? Nope, it's Scaling, Dev Speed, Dev Tools, and Maintainability, or, to summarize: what is easiest for the developer. Hey, they all have support for SSL, right? (Note: I am picking on Tim, but I could have pulled almost any software guru's slides.)
Anyhow, maybe we can take up a collection to send Brian Chess, Ryan Berg, James McGovern, Ken van Wyk, Gary McGraw, and others to JAOO; maybe they'd even give them their own track - Why Your Software is Broken and What You Can Do to Fix It. If not, maybe OWASP can sponsor a tent out in the parking lot.