The root cause of security breaches

Java father James Gosling was asked in a recent interview to identify the biggest security threat to enterprises. 

The number one biggest threat to enterprises is the inherent fallibility and laziness of humans. We can make the software as solid as we can but if someone says the root password of the machine is "nothing," anyone can walk in and [log onto the machine].

It's amazing how many people will do something like that because it makes their life easier. The world is filled with IT operations where the staff has gotten annoyed with all the security so they just turn it off. Or they'll do really dumb things like put a copy of their entire customer database on their laptop hard drive and then go on vacation and lose the laptop. 

Indeed, humans are a root cause of security breaches, but that doesn't absolve programmers from writing more secure code. As Li Gong, the primary architect for the Java security model while he was at Sun and formerly the managing director for Windows Live China, has said:

The industry is currently defaulting to a small number of platforms–Windows, Java and a few others. Once the platform is built it is hard to make it more secure. You only get one or two chances to make it more secure, especially once it ships. Because its layers, you have to solve the security problems at each layer. The problem is that people repeat the same mistakes every time they create something new, such as with the Web or AJAX. They forget about lessons learned in the past.