I've said it before: trade-offs pop up in programming all the time. They are often difficult decisions with no easy answer, and we often make the wrong one.
Security is no stranger to trade-offs. Here are three that often limit security:
- Security vs. Performance - The biggest example of this is SSL. Your site may have an SSL certificate, but you probably only use it on certain parts of the site, since SSL is slower.
- Security vs. Usability - You could set your session timeouts to 5 minutes, but people don't like to log in repeatedly.
- Security vs. Cost/Time/Effort - This is often the biggest hurdle to writing secure software. "We need this done yesterday" often means we skip or skimp on things like validation.
These aren't the only reasons for security vulnerabilities; often they are due to bugs, or to a lack of knowledge about the vulnerability.