There’s an amusing saying about alternative medicine: “What do they call alternative medicine that has been proven to work? Medicine.” We can adapt this to secure software. “What do they call software that does what it is supposed to do securely? Software.”
This is inspired by a quote I read sometime between May 2000 and May 2002. In my mind I have attributed it to Eric Allman of Sendmail, but I can’t find a source to confirm it. The quote I remember¹ is something on the order of “my code is secure because it does exactly what I intend it to do—and nothing else.” While that’s full of hubris, it’s got a certain truth to it. If you really are that good, security is almost an afterthought. Some of the security guys I admire , like Scott Matsumoto and Jim Delgrosso, approach software this way. They get the software right to begin with. And then it’s not such a difficult stretch to dot some I’s and cross some T’s and make it secure.
¹ Do you know what quote I am thinking of? Let me know in the comments.