Now we’re going to take an irreverent look at some of the excuses we’ve heard over the years from developers, testers, and designers from various companies trying to weasel out of making security design changes or code fixes! The excuses are
No one will do that!
Why would anyone do that?
We’ve never been attacked.
We’re secure—we use cryptography.
We’re secure—we use ACLs.
We’re secure—we use a firewall.
We’ve reviewed the code, and there are no security bugs.
We know it’s the default, but the administrator can turn it off.
If we don’t run as administrator, stuff breaks.
But we’ll slip the schedule.
It’s not exploitable.
But that’s the way we’ve always done it.
If only we had better tools….
Let’s get started.