To me, it is their fault.
Part of the blame has to go to the company execs and programming managers of a company that stakes its reputation on protecting and delivering people's credit card data. But the programmers also work for them and have to understand what their work affects every day they come in and sit down with a cup of coffee and a freshly booted PC.
I know, I know. Deadlines, budgets, tight time schedules, someone else promising you will deliver on an impossible schedule...all causing security to get baked in later if at all.
You know what? Get Over It.
This blog will hopefully educate, entertain and help us all out. This will be a no holds barred look at web app security, from an ASP.NET standpoint mostly. PHP guys/gals...get over it. (See a theme here?) The stuff on this site will hopefully apply to you too, and you can go figure out how to code those things I put in as ASP.NET logic. I will try to keep things as language agnostic as possible, since I would prefer all web devs have the knowledge, but there will be days when I post ASP.NET or IIS specific things, whether exploits or fixes.
So no more excuses! You can learn this stuff pretty quickly and stop many many attacks dead. You can be the hero.
I will start my next post talking about XSS. Never heard of it? Please tell me you don't build websites...