There is no silver bullet (Score: 1)
Too many times have I said this. There is no silver bullet.
Security is not an option; it's inherent in the system or not at all.
Nothing fixes bad code. Nothing can. Now there are things you can do to prevent writing bad code, like screaming when your code goes and screws up stuff. You can automate the things you might do wrong: use a garbage collector, use prepared statements, use a filter to check input. And it's hard work, but that's why you get paid. Now management can help you too (my boss gives me work that "needs to be done right, first time") by ensuring they don't make you cut corners. Most of us want to do the best job we can, but we're not allowed to: "Just ship it and put out a patch next month", because security is not really a feature that sells; it's assumed to be present and cannot be monetized properly. Bruce Schneier explained it brilliantly in "Market for Lemons".
But there's no silver bullet; in fact there's not even a silver band-aid. And sometimes the bug is in the shield itself. My usual policy is to have as little code as possible, so that I can read and verify it all the time. The smaller the chunks I build, the easier it is to test them apart, and the easier it is to tear them apart, to replace a part or just anything. Code in Ada will be more auditable than code in PHP (trust me, I work with PHP all day). But eventually, you can't really write bad code, push it to production and slap security over it.
So tell me, how will you fix this bug that was there in your security tool, Recursive Ventures?