What are the ethical issues of security software engineers?

The main ethical issue would be the question of whether to add back doors and extended logging into the programs. Back doors sound like they are strictly negative, however they can be necessary if security or technical staff need to access the software (a lot of modem/routers that many ISPs issue have 'back doors' which allow technicians to log into the device and troubleshoot/fix problems). Likewise logging, and especially logging which sends user data (like files accessed) over the internet can be used to dramatically improve the software, accurately diagnose problems or simply enhance the functionality of the software so that it's competitive with other similar software -- the problem is that in some cases this data can be intercepted or stolen, and used for nefarious purposes.

Another major ethical dilemma is of whether to follow the directives of Law Enforcement and intelligence agencies who may want access to data, they may either request data directly from the company that the user is developing software for and expect that company to have useful data available (via logging, for example), or they may request or demand that the software contain back-doors, specific security flaws, monitoring, or filtering (censoring) components so that they can carry out their investigations or so the software company can comply with the laws of the government that those agencies serve.

The other ethical dilemma that I can think of is in regards to exploits or security flaws that are discovered in software -- addressing these flaws may present a dilemma for said engineer; the security flaw may be so big and insurmountable that it could significantly delay the release of software, hinder its functionality, or be unwieldy to deliver. If a software vulnerability is known but a fix is not yet available, then there is also the issue of whether to announce the vulnerability (and risk alerting malicious parties who might exploit the vulnerability while it still exists) -- on one hand, announcing the vulnerability may bring negative attention to the company who has developed the software (and could result in job-losses), while alerting malicious parties who may try to exploit the vulnerability -- but NOT announcing a vulnerability could be a bad-faith gesture which leaves your users in the dark and does not alert them of a possible incoming threat that they could have prepared themselves for.