Actually, it is a myth.

For every non-trivial system, there are business pressures on resourcing, deadlines, and acceptable quality (pick any two). Once a business has set their taste for risk, it makes no sense to spend say $10m on security controls on a product and delay it for six months which may only bring in $2m in revenue in total, or none at all if the company runs out of money to bring it to market.

At the moment, most companies neither accept or assign the risk, enumerate the risk correctly, nor take adequate steps to eliminate as much risk as possible. We need to improve all three aspects. Even in a perfect world, there will still be bugs and security defects. Let's make sure that the remaining ones are really hard to exploit, and when the exploit happens, not much loss occurs.


On 19/07/2006, at 10:59 AM, mikeiscool wrote:

Absolute security is a myth.

no it isn't. pretending it is a 'myth' is an attempt by sloppy
programmers and designers to explain away the reasons for their
applications failing.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -

Reply via email to