"Developers are responsible for insecurity."
True.
Always.
And to the reply "The PHB made me do it." Make sure you have a record of supplying them with an analysis of what happens (especially how much money) will be lost if the project goes live with their planned arrangements and security is breached.
Biting the hand that feeds IT
