Security products: Best of breed or create your own monster?

IT security is not just about antivirus or firewall products anymore. There is a whole layer cake of different product types designed to protect your organisation in different ways. It is a stack, in much the same way as TCP-IP networking or web server functionality has stacks of functionality. The question is, what's the best …

  1. Phil O'Sophical Silver badge

    cloud security

    cf: oxymoron

  2. btrower

    Good enough security

    Unfortunately, the deeper you drill into the stack from silicon on up you realize that complete security is unfeasible. You are left adopting some sort of 'good enough' security and in many cases people take the off-ramp that says 'plausible deniability'.

    It is like that old joke -- two guys are out camping when an angry bear shows up. One guy turns to start running and the other says "Are you crazy? You can't outrun a bear" to which the other replies "I don't have to outrun the bear, I only have to outrun you."

    A strategy that I would favor would be to go with an integrated vendor for part of it to cover the 'plausible deniability' angle, a 'moat' of sorts comprised of various honey-pots and enough home-grown armor to make your system a less attractive target than others.

    It really drives me nuts that we *could* have good security but we are fighting uphill against our own governments. That leaves us settling for 'good enough'.

    The bad news is that real security is impossible. The good news is that 'good enough' security is not only possible, in some ways it is pretty easy.

    1. Looper

      Re: Good enough security - the old joke is wrong

      because the bear will chase the guy who is running away, and probably stay away from the guy who stands his ground...

  3. Anonymous Dutch Coward

    Fluffy article?

    Not that individual points are invalid or not well made, but this discussion can be held for any kind of stack: web applications, traditional client applications, anything that is part of a process etc.

    It's just that I suspect the security solutions are so fragmented/immature that anything but a single vendor/coordinated vendor solution is likely to involve a humongous amount of duck tape/custom programming that may not be worth the investment etc.
