Larry Ellison of Oracle has spoken numerous times about how bad security is in the industry. However, I don’t think he acknowledged the problem; Programmers are under skilled and require guidance.
Anyone can be a Java, C or C# programmer, but how good are they at their job? Unfortunately, businesses are asking the wrong questions when hiring individuals, especially granting highly coveted visas to these individuals. Sure it is easy enough to program Java, but do they know how to program an enterprise Java application? Most likely not. That’s not an issue when the management has a very talented person above them who helps others in programming a JEE application and shows the less educated in the organization best practices. Unfortunately, that is not the case today.
Most of the programmers I deal with from other companies program by Stack Overflow and don’t understand why it maybe be better to use something different. In the case of JEE, I see lots of third-party frameworks and libraries added to each project. When I ask why they chose what they are including, even though JEE includes everything programmers need, programmers usually come up with some excuse. The real excuse is that no one told them how to program properly on an enterprise scale.
This is where security is threatened. An application may contain over a hundred megabytes of frameworks and other third-party libraries that never get upgraded. The operating systems, application servers, transaction processors, and so forth are usually upgraded on a schedule, but the application themselves are never upgraded until the applications cannot be used. Case in point, if an application cannot be upgraded from Java 6, to Java 7, to Java 8 without major rewrites to the application, then there is likely a security issue with the application as well.
The other issue with programmers is that they are never told how to secure their applications. This is a huge failing from the organizations. They may have third party software dealing with security, but if the application is not secure itself, then it is only a matter of time before it is hacked. Organizations usually do a good job of securing the outer walls, but do a poor job of securing the inner workings if a hacker got passed the out walls.
Organizations must remain vigilant, hire people that know how to write enterprise applications and have them lead the way. If Equifax was hacked because of using Struts 1.x, there are lots and lots of other organizations doing the same thing. I actually know this to be a fact. They rely on static code reviewers, which don’t catch all the problems. This is why it is important to have someone do a code review and walkthrough with someone who knows the business.