chapter  1
Pages 56

This book was written for several reasons. First, over my career, I have had to research numerous, seemingly disjointed topics, only to discover two consistent trends: Things are quite often designed or built in a knowledge vacuum, and the same mistakes get made over and over. I attribute this to several issues, one of which is the simple truth that everyone cannot know everything, and this is especially true when it comes to information security. In 2002, Donald Rumsfeld was quoted [70] describing the known and the unknown conditions in his report to the North Atlantic Treaty Organization (NATO):

Scenarios for information technology might include a Web designer who knows nothing about general security, a business analyst designing a new application who may know nothing about the current state of protocol vulnerabilities, or a software engineer using cryptography who may know nothing about key management. The consequence of not knowing about information security is that applications and systems are consistently vulnerable to rudimentary attacks. And even if systems or applications are designed with security in mind, the next modification or enhancement performed by another group-without benefit

or knowledge of the prior group-will invariably open or unlock the analogous security window or door that was previously secured.