I've said it before: tradeoffs pop up in programming all the time. They are often difficult decisions with no easy answer, and we often make the wrong one.
Security is no stranger to tradeoffs. Here are three tradeoffs that often limit security:
- Security vs. Performance - The biggest example of this is SSL. Your site may have an SSL certificate, but you probably only use it on certain parts of the site, since SSL is slower.
- Security vs. Usability - You could set your session timeouts to 5 minutes, but people don't like to log in repeatedly.
- Security vs. Cost/Time/Effort - This is often the biggest hurdle to writing secure software. "We need this done yesterday" often means we skip or skimp on things like validation.
These aren't the only reasons for security vulnerabilities; often they are due to bugs, or to a lack of knowledge about the vulnerability.