Hi All
This link provides some interesting insights into security, or rather how to bypass it.
https://www.linkedin.com/feed/update/urn:li:activity:6579556754496028672/
Regards
Caute_cautim
I think we all have had users like this. They will do anything to bypass the security implemented and then, when something happens, they just shrug their shoulders and smile...
I did enjoy the humour in it though.
Clearly, this is evidence, anecdotal though it may be, that cat filters do not work.
Craig
This shows that you can't bank on security controls by themselves, but should also instill awareness in users.
(Then again, training a cat might be a challenge.)
@Shannon Yes, training a cat could be a real problem - especially one with 9 lives and a beating heart, pumping blood and air through the system. But probably less of a problem if the cat was a mechanical or robot one.
But then again we go back to the root of the problem - who was the developer who programmed and what were their morals, ethics and objectives?
Regards
Caute_cautim
@Caute_cautim wrote:
But then again we go back to the root of the problem - who was the developer who programmed and what were their morals, ethics and objectives?
Very true, but I've sometimes found that part to be even more of a daunting task --- it makes imparting user awareness & changing organization culture seem trivial.
To exemplify this, I'll relate 2 cases in an earlier organization, both involving a communication / collaboration application obtained from a provider.
Case 1: There were instances of the application's services experiencing issues due to malware & I reminded the provider to secure the platforms they ran it on with an EPP --- their lead then insisted that there was no concern because it ran on Linux!
Case 2: After observing events that pointed to 'broken authentication,' I communicated with all entities using the system / providing dependent services, and concluded that the issue was with the application itself. In a report to management, I recommended that the application be checked for vulnerabilities & its code properly reviewed.
The end result in both cases: what happened was quickly forgotten & quietly buried --- courtesy of someone high up in the hierarchy having given the provider a go-ahead at the start.
So back to your earlier question, the root of the problem often becomes 'Who authorized implementation & use, with no security controls properly implemented from the start itself?'
At this point, one can't help but envy the cats.