It sounds to me that the problem you are facing is more related to an organizational commitment to security, though. If delivering a product on time is allowed to be used as an excuse to deliver a poor product with significant security flaws, the problem doesn't necessarily lie with the developers, but with the business leaders that allow those things to happen.
Have you seen any other ways people tried to force development's hand to address security issues more seriously and with more of a sense of urgency?
Jeremy Wittkop wrote: While I like the idea of letting loose a security Chaos Monkey, you've rightly stated that would likely be frowned upon due to the disruption it could cause. One less intrusive method you could use...