by r-s
4579 days ago
> This suggests that anything less than perfect security is worthless. Which is better, having pentesters look for vulnerabilities in 50% of your surface area, or having pentesters look for vulnerabilities in 0% of your surface area?

Is this supposed to be rhetorical? Say you buy a really good front door for your house, and forget to put a back door on your house. I would say that testing the security of the front door is a waste of time.

I think your point is too extreme. Locking your front door is most definitely NOT a waste of time, because with that move alone, you've automatically protected yourself against the subset of attackers who don't think to try the back door. Are you still vulnerable? Yes, of course. But decidedly less so. As the OP said, 50% is better than 0%.
The real conversation that should be taking place is not whether or not a limited scope should exist (it should), but how far that scope should extend given the costs of extending it.