I was having an email conversation with Nick Sivo from Loopt in which he contrasted network and web application security in a way I found very insightful.
"I should mention that many of our hires have come straight out of school. I think it's quite possible people who have worked in industry for a while have picked up security knowledge, but it would be useful if it were covered in school as a requirement. I think that the biggest problem with web-app security is that it hasn't yet reached the point where a few very knowledgeable people can secure something. This, I think, *has* happened on the network side.
I can hire 1-2 (we're small) people to configure all of my networking equipment to be secure. It's also possible to verify that things are configured appropriately in a finite amount of time. There are still risks like buffer overflows in IOS or IIS, but those seem to be few and infrequent. Most importantly, developers don't need to even think about the network issues, except in rare and well defined cases when they need access rules changed.
On the web-app side, a developer can't really introduce a buffer overflow or a network bug, because they're using C# and don't access things at that low a level. They can't do much to affect network security accidentally. However, they all need to be aware of, and can greatly influence, web-app security. 1-2 people can't secure our web application alone. It has to be a joint effort. Even though we use ASP.net, stored procedures (with no dynamic SQL), and some self-built hardening modules (ASP.net plugins that run for every request), I can't be sure I've got even most things covered. A developer can forget to encode something, or forget to check input, or use an exponentially expensive regex to validate user input. For an application to be really, really secure, each developer needs to be able to look at their code and think of all the attack vectors (new ones are discovered weekly). It's nearly impossible to achieve that."
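The three per-developer mistakes Nick lists (forgetting to encode output, forgetting to check input, and validating with an exponentially expensive regex) are concrete enough to show in code. The block below is an added example, not part of Nick's email or the original post, and it is written in Python rather than the C#/ASP.net stack he describes; every function name, the username alphabet, and the sample inputs are constructed for illustration. Each mistake is shown as the weak pattern beside a hardened one, and the last function is a small heuristic that flags the classic nested-quantifier regex shape before it reaches production.

```python
"""Added example (not from the original post): three developer mistakes from
Nick Sivo's email, each shown as the weak pattern beside a hardened one.
All helper names, the allowed alphabet and the sample inputs are constructed."""
import html
import string


# --- 1. Forgetting to encode output ----------------------------------------
def render_greeting_unencoded(name: str) -> str:
    """Weak: user-controlled text is interpolated straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def render_greeting(name: str) -> str:
    """Hardened: HTML-encode before interpolation so any markup in `name`
    is rendered as text instead of being parsed by the browser."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- 2. Forgetting to check input ------------------------------------------
# Constructed allow-list for a username field.
USERNAME_ALPHABET = frozenset(string.ascii_lowercase + string.digits + "_")


def is_valid_username(value: str) -> bool:
    """Allow-list validation in linear time: a bounded length and a fixed
    alphabet, with no regex engine involved at all."""
    return 3 <= len(value) <= 16 and all(ch in USERNAME_ALPHABET for ch in value)


# --- 3. Exponentially expensive regex --------------------------------------
def has_nested_quantifier(pattern: str) -> bool:
    """Heuristic ReDoS check: report True when a quantified group itself
    contains a quantifier, e.g. ``(a+)+``, ``(x*)*`` or ``(a{2,}){2,}``.
    This catches only the classic nested form; overlapping alternations
    such as ``(a|aa)+`` are not detected and need a real analyser."""
    stack = []  # one flag per open group: "a quantifier was seen inside"
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "\\":  # escaped character: never a group or quantifier
            i += 2
            continue
        if ch == "[":  # character class: skip to its closing bracket
            j = pattern.find("]", i + 1)
            i = n if j == -1 else j + 1
            continue
        if ch == "(":
            stack.append(False)
            i += 1
            continue
        if ch == ")" and stack:
            inner_quantified = stack.pop()
            nxt = pattern[i + 1] if i + 1 < n else ""
            if nxt and nxt in "+*{":
                if inner_quantified:
                    return True  # quantified group around a quantifier
                if stack:
                    stack[-1] = True  # the group is a quantified unit for its parent
            elif inner_quantified and stack:
                stack[-1] = True  # propagate the inner quantifier upward
            i += 1
            continue
        if ch in "+*{" and stack:
            stack[-1] = True
        i += 1
    return False


if __name__ == "__main__":
    print(render_greeting_unencoded("<b>x</b>"))
    print(render_greeting("<b>x</b>"))
    print(is_valid_username("alice_01"), is_valid_username("alice;drop"))
    print(has_nested_quantifier(r"^(a+)+$"), has_nested_quantifier(r"^[a-z0-9_]{3,16}$"))
```

The point of `has_nested_quantifier` is not that it replaces review, but that it is the kind of check one person can wire into a build once, so that the whole team benefits without each developer having to remember the failure mode; that is exactly the "few people secure it for everyone" property Nick says web-app security still lacks.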
Nick is onto something here. Network security can be handled by a handful of (market-available) people at most any normal enterprise. Web application security, on the other hand, depends on a far larger group of people, with a skill-set that isn't widely available on the market, and that has a drastic impact on overall security. One mistake by any person and bam... well... you know the rest. Imagine that: even if an organization REALLY wants to improve their webappsec, they'll still have a hard time because the skill-set isn't yet out there. This will take time, but it's coming....