• vliet (9/24/2012)


    Security can't be added-on, it must be baked-in.

    Could I suggest that we look at the statement like this: Security cannot just be added-on, but must also be baked-in?

    You have to have multiple lines in the sand. You have to depend on your perimeter to keep them out, but you also need to plan on having the perimeter fail. Secure code comes from secure design within a secure architecture. There are multiple layers of defense. You would never leave your child vulnerable on the side of the road thinking they were secure because they had on a heavy jacket. In reality, that is what a firewall is when it comes to protecting your application. There have to be other measures and layers of protection in place.

    You have to put the best you have out there bolted on to the perimeter, and at the same time bake in as strong a security strategy as you can afford. You cannot just hope you will not get hit; you have to prepare for getting hit and plan for stopping it, recovering, rethinking, and making it better the next time.

    Remember, it is not a question of if you are going to get hit, it is a question of when you are going to be hit.

    M.

    Not all gray hairs are Dinosaurs!