For many years in secure coding training, I have used this quote from Gary McGraw: "Software security is the idea of engineering software so that it continues to function correctly under malicious attack."
This simple yet powerful statement encapsulates many of our challenges. However, I have one nit to pick, and it makes our job harder. Our job, in my view, is to engineer software so that it continues to function correctly under attack. Note that I left out "malicious."
Many times we don't care if the attack was on purpose or accidental. If someone types rm -r and the database is gone, then on many levels intent is not the main issue, both going forward and in avoiding this mistake.
An example I use in training: whether it's an actively malicious attacker or a legit employee, say Homer Simpson, falling asleep on his keyboard, if the data is gone, it's gone.
Looks like the latter has happened:
A German bank employee accidentally transferred 222,222,222.222 euros ($295 million) from a customer's account when he fell asleep at his computer.
The bank clerk had been attempting to transfer just 62.40 euros ($82.80) for the customer, a pensioner, when he dozed off with a finger on his keyboard's "2" key.
The bank did catch the issue on the backend, but it's a good reminder that threats and threat intent are of secondary importance when compared to protecting assets.
This makes our jobs harder because we have to both guard against malicious acts and attempt to anticipate mistakes.