Hacker News

> I'm just curious if it's the security industry itself that is particularly in need of better communication of best practices and things to avoid.

The thing is, there is no such thing as a security industry that would be interested in pushing such best practices. It's a little bit like occupational safety. There are companies that sell hearing protectors, i.e., solutions to some specific aspects of occupational safety, just like there are companies selling firewalls to protect against some specific aspects of IT security. But you cannot sell one product to protect against all IT security threats that emerge in a software company, as there are security concerns in every aspect of an IT product. On the server side it is about protecting the user content against outside threats (firewalls, SQLi, password hashing, log protection and redaction, strong SSH logins, DoS, etc.), on the protocol side it is about authentication and encryption (MITM attacks, content separation (think about the BEAST attacks), strong crypto, using the right crypto for the job, DoS), and on the client side it is about folk security models and social engineering (strong passwords, password resets, two-factor authentication, social engineering, UI design).

Occupational safety on a construction site has to be considered by every worker and in every part of the construction. IT security is just as pervasive in software engineering. You think implementing a search feature for your website is not security-sensitive? You might just have compromised your user login because of cross-site scripting. Logging debug information is harmless? Not so much if your database password is output to the user in the case of a poorly written exception filter. Heck, even simply storing some user data in a dictionary can be the cause of a DoS [1].

Basically, what I'm saying is that IT security is not the responsibility of some specialised security industry, but of the whole IT industry.

[1] http://events.ccc.de/congress/2011/Fahrplan/attachments/2007...
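The dictionary DoS the comment points to in [1] is hash flooding: if a server stores attacker-chosen strings (query parameters, form fields, JSON keys) in a hash table whose hash function is predictable, the attacker can pick keys that all land in one bucket, turning each insert into a linear scan and the whole request into quadratic work. The following is an added example, not code from the comment or from the linked talk. It assumes a toy separate-chaining table and uses the classic unkeyed djb2 string hash as the "weak" function; the one generic fact it relies on is that two equal-length blocks which leave the hash in the same intermediate state can be concatenated in any order without changing the final hash, which is how the 2011 attacks manufactured thousands of collisions cheaply. The keyed BLAKE2 hash with a per-process random secret stands in for the randomised/SipHash-style hashing that runtimes adopted as the fix.

```python
"""Hash-flooding demo: attacker-chosen keys vs. a predictable hash function.

Added example for illustration; the table, its counters and the hash choices
are assumptions, not the code of any real runtime.
"""
import hashlib
import itertools
import os

MASK = 0xFFFFFFFF


def djb2(s: bytes) -> int:
    """Classic unkeyed multiplicative string hash (h = h*33 + c), 32-bit."""
    h = 5381
    for c in s:
        h = (h * 33 + c) & MASK
    return h


def find_colliding_pair(length: int = 2) -> tuple[bytes, bytes]:
    """Brute-force two distinct printable strings of `length` bytes with equal djb2 hash.

    For 2-byte blocks this is a few thousand hashes; one pair is enough.
    """
    seen: dict[int, bytes] = {}
    alphabet = bytes(range(33, 127))          # printable ASCII, no space
    for combo in itertools.product(alphabet, repeat=length):
        s = bytes(combo)
        h = djb2(s)
        if h in seen:
            return seen[h], s
        seen[h] = s
    raise RuntimeError("no collision found")


def colliding_keys(n_blocks: int) -> list[bytes]:
    """Return 2**n_blocks distinct keys that all share one djb2 hash.

    Blocks a and b have equal length and leave djb2 in the same state, so every
    sequence drawn from {a, b} hashes identically: exponential collisions from
    one brute-forced pair.
    """
    a, b = find_colliding_pair()
    return [b"".join(seq) for seq in itertools.product((a, b), repeat=n_blocks)]


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons."""

    def __init__(self, hash_fn, nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def put(self, key: bytes, value) -> None:
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in bucket:                  # linear scan of the chain
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        bucket.append([key, value])


def keyed_hash(secret: bytes):
    """Keyed hash: without `secret` the attacker cannot precompute collisions."""
    def h(s: bytes) -> int:
        return int.from_bytes(
            hashlib.blake2b(s, key=secret, digest_size=4).digest(), "big")
    return h


def insert_cost(keys: list[bytes], hash_fn) -> int:
    """Total key comparisons needed to insert `keys` into a fresh table."""
    t = ChainedTable(hash_fn)
    for k in keys:
        t.put(k, True)
    return t.comparisons


def demo(n_blocks: int = 10) -> tuple[int, int]:
    """(comparisons with djb2, comparisons with a randomly keyed hash)."""
    keys = colliding_keys(n_blocks)           # 1024 keys, one djb2 bucket
    weak = insert_cost(keys, djb2)            # 0+1+...+1023 = 523776
    strong = insert_cost(keys, keyed_hash(os.urandom(16)))
    return weak, strong


if __name__ == "__main__":
    weak, strong = demo()
    print(f"djb2: {weak} comparisons, keyed hash: {strong} comparisons")
```

With 1024 crafted keys the unkeyed table does 523,776 comparisons (n(n-1)/2) while the keyed table does a few hundred, and the gap grows quadratically with the request size; at the sizes in [1] that is minutes of CPU per request. The mitigation the runtimes shipped is exactly the `keyed_hash` shape, a per-process secret mixed into the hash (Python has done this by default since 3.3), plus limits on the number of parameters a request may carry.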



