I read a blog post by Ed Finkler, "Do Open Source Devs Get Web App Security? Does Anybody?".
In it, he describes disturbing statements contained in the documentation of one of the open source content management systems:
A colleague of mine who is dealing with Plone, a CMS system built atop Zope, pointed me to a rather disturbing document in the Plone Documentation system, one that I feel is indicative of a much larger problem in the web app dev community.
In closing, Ed Finkler makes a blunt statement:
A web developer is not qualified to do the job if he or she does not have a good understanding of web application security concepts and techniques. Leaders of development teams must stop allowing developers who are weak on security techniques to contribute to their products, and managers need to stop hiring candidates who do not demonstrate a solid secure programming background. If they continue to do so, they demonstrate a lack of concern for the safety of their customers.