Some argue that it’s not possible to measure software or network security because there are always bugs, many of which may lie hidden for years, miscreants are always out there trying to exploit those bugs, and trying to find ways to misinterpret features to their favor, etc., so there’s no way to build secure software or networks, so there’s no point in trying to measure security.

Let me demonstrate by the same method that it’s not possible to build a secure house. Continue reading →