Open Source Security: Still a Myth
Subject:   Why, why, why?
Date:   2004-09-17 17:15:35
From:   kendyke
Why is it that every time some 'security guru' wants to disparage FOSS they pick on a seriously messed up software package like wu-ftp?

Yes, there is bad FOSS just as there is bad closed source commercial software.

They are worried that open source developers are too much "hacker" and too little "engineer," cobbling together solutions without going through a structured software engineering process (such as requirements, specification, and analysis).

When someone decries the lack of "requirements, specifications, and analysis" it tells me they think inside the box of a comp. sci. training program. Yes, that is a structured process that can help achieve quality code (emphasis on 'can'). But there is more than one way to get there, and that is something they do not teach at university.

No, I am not going to provide additional support for my argument in this post. It will require a lengthy essay that is working its way up my 'to-do' list. Hopefully, someone else will write it before it gets to the top of my list but be that as it may.

P.S. I have "Secure Programming Cookbook" on my shelf, though I have not done more than the initial browse at the bookstore that induced me to bring it home.
