« Changes to Computer Misuse Act will turn security professionals into criminals | Main | How to explain Open Source to a non-technical crowd »

Defect-free code is vulnerability-free code

July 29, 2008

I've come to realise that our efforts to improve the state of security through focus on the software development life cycle (SDLC) are flawed. Although we may see some improvement in the short term (a span of a few years), such an effort is a waste of time as it cannot solve the problem. If you think it can then you are looking at the wrong problem. (Borrowing Mark Curphey's favourite line.) Underneath all our security issues lies our inability to write defect-free code. Solve that and we've solved the security issues. Focus on the security alone and we won't solve anything.