In response to your comment and the parent comment, from someone in InfoSec: security can never be completed in the way a product can be. It's an ongoing war, and sometimes your opponent gets the upper hand for a while. The problem with being the "good guys" in security is that you have to make sure every hole is closed while still letting the business run. It's easier to be the bad guy, because you just have to find one thing the security team missed.
Security doesn't exist without the business and the business doesn't exist without security, but the business tends to trump security for the sake of features and convenience. It's a very delicate see-saw, and all you can really do is try to run back and forth from side to side, hoping that the other end doesn't hit the ground before you can get over there again.
Actually, as a solution architect I have to deal with all sides of the problem: people attacking, audit companies, penetration testing companies and software engineers leaving gaping holes.
The only people who deliver little value are the paid-up consultants. When a full penetration test and code review misses 4 purposely placed, obvious vulnerabilities (placed by myself), they get told to fuck off. Application firewalls which are circumvented trivially. QoS solutions that don't work.
So far, four well known, well respected companies offering certification and testing have missed the holes and have been fired.
That's the problem: no delivery.
My attitude might be wrong in your eyes, but I refuse to employ box tickers, which is what the entire white hat side of the industry is about. Canned report, where's my cheque?
No see-saw other than a bent, twisted one that sucks up cash in exchange for a half-arsed job.