• Don't get me started on this one (if not stopped, I will rant on until deep in the night... :p)

    [rant]

    As a (senior) developer myself I've always, always stuck to the rule that any kind of hardcoded configuration in application source code is reason for immediate termination of contract. Even for one-off applications that will run as an only instance on the only known machine in the company itself for that one-off occasion to do a one-off process.

    It's shocking how often I've received a piece of code from one of my developers that wouldn't even run for testing on my PC because the developer hardcoded the database connection to his own PC name (and of course user PCs are configured not to accept any SQL connections from the network, basta!)...

    Alas, security in general seems to be a topic everyone will try to avoid until burnt hard personally. How can I tell my son (18) that if he does not install firewalling and anti-virus, he is essentially a willing part of criminal organisations who use such "open" targets for their criminal intent (gone are the days where hacking was a sport with harmless effects like leaving "Kilroy was here!" messages on your screen)?

    But the general public and even a large portion of software developers just don't seem to grasp that leaving your PC open for attack is the same as leaving your car keys in your car in front of a bank with a sign saying "free get-away car, up for grabs!".

    [/rant]

    Spread the word on the importance of building security into software from the inside out; bolting it on top as an afterthought is just not good enough anymore and should not be accepted from any of your vendors.