Chapter 21. Considering Application Security Implications
Security is an illusion at times. It's good to remember quotes from some of the best warriors the world has ever seen when considering real-world security. For example, General George Patton once noted, "Fixed fortifications are monuments to the stupidity of man" (see http://www.military-quotes.com/Patton.htm for other quotes). The implications for application security are obvious, because every piece of code you add to an application is a fixed fortification. Yes, it will keep at bay the novice or anyone who is not truly interested in overcoming your security, but the truly determined adversary will overcome your fixed fortifications — count on it. During the development cycle, you begin to realize just how tenuous the security arrangements in Chapter 7 are when the application testers find ways to overcome them. You don't even have to wait for the reprehensible individual to arrive to test your fortifications.
Of course, one response to the argument that no amount of fortification makes your application safe is to add no security at all. Unfortunately, this view is akin to your bank leaving the money piled in the middle of the room because someone who is determined will make it into the safe anyway. Adding security, the best security possible, to your application is always worthwhile; you just can't convince yourself that the fortifications are the end of the road. Security is a process where you ...