Security is a matter of usability and one of the elements of the quality of a system. Isn't it literally a matter of "safety"? How come Quality cares about a defect that endangers a user's safety in the physical world, but not one that endangers the user in the virtual world?
A security bug is named differently (a security vulnerability), but isn't it just a bug that needs to be taken care of during quality control? Security has always been part of quality; we just ignored it, and by "we" I mean software developers and system designers.
Let me state it again: security has to be part of Quality Assurance. Security bugs, aka vulnerabilities, have to be addressed just like any other bugs to make the software usable and of better quality.
I personally think that if, years ago, we had really understood ISO 9001, we would not need a new framework or standard for security! Everything in 9001 implies improving the quality of a product and of the processes which support the usability of a system.
And it is about the willingness to do it. When we are not willing, it does not matter how differently you say it or how many different standards or regulations we make; we will ignore them. That's why I believe none of those (standards, regulations, frameworks...) are really adding any value to the security community, as long as we keep ignoring them.