Wednesday, May 24, 2006

Security Absurdity and other follies

I'd like to point you to an article by Noam Eppel: http://www.securityabsurdity.com/failure.php

and the subsequent follow-up by Marcus Ranum: http://www.ranum.com/security/computer_security/editorials/failure/index.html

Neither of these people is unknown in the security community, and I would have to believe that Marcus is probably as close to a household name as there is in this industry.

I'd like to disagree with them, but unfortunately there is a lot of truth in what they say. The security vendors make, and so-called security professionals (another discussion for another day) keep deploying, technology that is ill-conceived, flawed, and overly complex. Why? To attempt to protect application technologies that are themselves ill-conceived, flawed, and overly complex. The solution is not easy, but as long as this arms race continues, the attackers will continue to hold the upper hand.

The first step, as always in security, lies with people: in educating users, in educating security professionals, in educating application developers, senior managers, and CEOs. Unless they all begin to understand the implications of the applications being deployed, this will get a lot uglier before it gets better.

Rick
I sent the club a wire stating, "Please accept my resignation. I don't want to belong to any club that would have me as a member." - Groucho Marx