Devs <i>do</i> own application security. What many need to do is realize that.<p>If software has a serious flaw, security-related or not, that's on the developer. If the flaw is in a service/library/component/whatever made by someone else and used by the dev, that in no way means the dev is off the hook. The dev is responsible for the code they release whether they directly wrote it or not. The buck stops there.