Oftimes, security people and developers are not on the best of terms. The standard script is that the developers build something, the security people thrash and find how its broken. Making a living by telling people their baby is ugly may be correct and even helpful but it does not win many friends.
As AppSec becomes a bigger part of IT, one of the areas security is moving is upstream into processes like SDL. Its been a slog. Its hard for security people to win a high percentage of battles because 1) security in code is new to most developers 2) it adds time and cost (run away! run away!) 3) adds project risk. Its steadily getting better, but its still a slog.
But there's another issue. The key assumption is that security people know better than developers how to build things securely. The seemingly never ending stream of vulns have taken an interesting turn recently - the issues are being found in some of the most widely used security libraries and code. This week its OpenSSL's turn.
The lesson here for anyone doing AppSec and SDL is clear: Infosec Heal Thyself.
Events like Heartbleed should be a huge wakeup call for anyone in AppSec and SDL. Its not a one off or a recent trend by the way, Veracode's state of security report found that the least secure code is not HR or ERP or CRM code, its security products! That really takes the wind out of the countermeasures sails, eh? It should. Infosec, like any other area, is built up on assumptions, but there's no good reason to assume that security code is any more likely to not have issues.
In fact, due to complexity, poor integration and lack of usage, its more likely to have issues. Both software development and infosec departments are filled with people who believe they are the smartest people in the room. Infosec is trying to move upstream in the SDL and take more control over design, its a good idea, but it should be done with humility.
Infosec certainly does not always know best and any recommendations should be scrutinized carefully. In reality, there's a neat total lack of feedback loop for many security products, because they say security on the label and are purchased by the security team they get in through the side door and avoid the assurance testing that other apps get. That's backwards, infosec teams have good assurance tools and talent, it should rigorously applied to all security services first before rolling out any of those services to the wider enterprise.