I often hear technologies or controls disregarded on the basis of “It can’t protect against X scenario.” or “It doesn’t completely protect me.”
For example, take a web application firewall. It can be boiled down to a regex, and possibly some fancy behavior analysis. It CAN be subverted. Encoding, session splicing, other types of evasion can defeat them.
That’s not to say technologies and products shouldn’t strive for more. It’s just accepting the reality of the situation that you can’t completely control your environment.
It’s not about creating a perfect defense. It’s about raising the bar.
Security only works as a process, only as defense-in-depth. There is no silver bullet that can protect against all scenarios. Everything breaks when its assumptions are violated.
The whole security industry is wrapped up in an arms race. As soon as you add another layer of protection, an attacker is forced to work that much harder, and they will.
The question becomes, does the arms race ever end? (Hopefully not. It’s paying my bills.)
Smarter people than i have written about this.