"(...) security in software requires a fundamentally different business model from that which exists today. In fact, the current state of security in commercial software is rather distasteful, marked by embarrassing public reports of vulnerabilities and actual attacks, scrambling among developers to fix and release patches, and continual exhortations to customers to perform rudimentary checks and maintenance."
Jim Routh, "Forcing Firms to Focus: Is Secure Software in Your Future?", in Beautiful Security, O'Reilly, 2010
"We wouldn’t have to spend so much time, money, and effort on network security if we didn’t have such bad software security. Think about the most recent security vulnerability about which you’ve read. Maybe it’s a killer packet that allows an attacker to crash some server by sending it a particular packet. Maybe it’s one of the gazillions of buffer overflows that allow an attacker to take control of a computer by sending it a malformed message. Maybe it’s an encryption vulnerability that allows an attacker to read an encrypted message or to fool an authentication system. These are all software issues."
John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002
"S&P: Modern encryption plays a big role in commerce. Given the strength of today’s algorithms and implementations, what are the current weak links in an end-to-end system?
Zimmermann: I think the weak links are mostly the operating systems, mostly Windows. The encryption is strong enough that you usually don’t have to worry about someone breaking the encryption. Think of encryption as having a steel door on your house that’s three feet thick – but someone could bust a window, stick their hand in, turn the doorknob, and open the door – because of the OS."
Phil Zimmermann (creator of PGP), interview with IEEE Security & Privacy, Jan/Feb 2006
"We at Oracle have (...) determined that most developers we hire have not been adequately trained in basic secure coding principles (...) We have therefore had to develop and roll out our own in-house security training program at significant time and expense. (...) In the future, Oracle plans to give hiring preference to students who have received such training and can demonstrate competence in software security principles."
Mary Ann Davidson, Chief Security Officer of Oracle, letter sent to the 10 leading American universities from which Oracle recruits engineers (2008)