Actually, it is a myth.
For every non-trivial system, there are business pressures on
resourcing, deadlines, and acceptable quality (pick any two). Once a
business has set their taste for risk, it makes no sense to spend say
$10m on security controls on a product and delay it for six months
which may only bring in $2m in revenue in total, or none at all if
the company runs out of money to bring it to market.
At the moment, most companies neither accept or assign the risk,
enumerate the risk correctly, nor take adequate steps to eliminate as
much risk as possible. We need to improve all three aspects. Even in
a perfect world, there will still be bugs and security defects. Let's
make sure that the remaining ones are really hard to exploit, and
when the exploit happens, not much loss occurs.
thanks,
Andrew
On 19/07/2006, at 10:59 AM, mikeiscool wrote:
Absolute security is a myth.
no it isn't. pretending it is a 'myth' is an attempt by sloppy
programmers and designers to explain away the reasons for their
applications failing.
smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
