| Security is not a Boolean. It's on a continuum from "You must be fucking joking" (early versions of IE) to "Not perfect, but workable with training" (literal weapons-grade air gapping). Perfectly secure software does not exist. More secure and less secure software certainly does exist. Which is why software should be expected to provide some basic level of protection. In any org there will be a proportion of idiots who cannot be trusted to do the right thing, and software should be designed to minimise the damage their idiocy can generate. This isn't enough to make an org secure, but it's a good start on whack-a-mole with the most obvious attack vectors. The real problem is that too much of the industry - both management and devs - lacks maturity and professionalism. There's too much casual hobby tinkering, too much "But that's too expensive", and too much "Get it out the door and worry about it later". There isn't enough conscientious attention to detail and far, far too little understanding of the disastrous - literally potentially explosive - consequences of serious security failures. And CS courses teach far too little of all of the above. Academic algo noodling is one thing. But the reality is that computers can literally be as dangerous as weapons - and should be treated as such. |
In some sense security is binary - if your software happens to have even a single mistake that results in RCE or authentication failure, then it's totally exploitable and does not provide any level of protection whatsoever. And as experience shows, we seem unable to write any software without such mistakes, even if we try really, really hard by skilled people with security in mind, as far as I recall every popular piece of software that needed to be secure has had vulnerabilities.