Rob Labbé
December 11

Will the world never learn?

Well, I was talking to a friend of mine, and I was reminded of my biggest pet peeve. Now, we all know that you can't do security in an application unless and until you know just what you're protecting and what you're protecting against. Security is a continuum, from wide open on one end to unplugged, encased in concrete and tossed into the East River on the other. The trick is to find the right balance for the application you're building.

So the buddy of mine sits down with the client to start the threat profiling process. The CIO of Moron Inc. wants none of it... on the first hand, the CIO doesn't think he needs any security built into this application. "We have a firewall" - ya, good for you, here's your sign.

Once the convincing story of why you still need to write secure applications even with "a firewall" - and not much of one, since I can do a remote desktop to his machine inside the firewall from home - is told, the CIO of Moron Inc. agrees that perhaps the application needs security, that my buddy should make it "bullet proof" and that he and his staff don't have any time to be involved in the process.... We all know what happens next, don't we?
ARGH.... will the world ever learn?