We talk as if we know what security is, and this is a grave mistake. Sure, for any given problem we know how to secure against it.

The problem is, security *isn't* one problem, it's a googleplex of problems, each feeding on another to spawn millions of new ones.

There are certain broad practices (like encrypting passwords, Sony I'm looking at you!) but by and large a program is an unprovable mathematical construct with an astronomical number of possible code paths.

The problem is we're trying to secure against the "unknowable unknowns". We can handle the known problems, and even the known unknown problems, it's the unknown unknown problems that new hacks are made of.

And you will *NEVER* secure against those.

Having said that, most hacks are incredibly lame, and yes, we should have better solutions against those. Of course it would help if SQL Server was less mind-numbingly complex...