Failure is not just an option...

...it is a certainty, so deal with it already. Interview with Richard Clarke in SC Magazine:

If company systems were supported by "decent code in the first place, hackers couldn't get in," says Clarke. "Why don't we go after the cause while we're dealing with the symptoms? We need to have the best experts in the private sector, the universities and the government get together and create a set of best practices and standards for code writing."

Microsoft, Oracle, SunMicrosystems, Apple and others, leading universities and the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) should develop and agree to these standards.

"Then we can [have] auditors come in and ask companies if they are really living up to those standards," he says. Based on this information, he continues, CSOs could then purchase the safest software.

Designing for failure is an underappreciated art/science in software development, Bruce Lindsay and Steve Bourne explored this issue in an ACM interview.

Security analysis and design in the software development lifecycle is an underutilized art/science as well, see presentation and article series.