"This will surprise some of your readers, but my primary interest is not with computer security. I am primarily interested in writing software that works as intended"
About this Quote
Venema’s line lands like a polite slap to an industry that loves treating “security” as a glamorous specialty rather than a basic property of competent engineering. The surprise he anticipates is the tell: readers have been trained to see security people as paranoid priests of worst-case scenarios, obsessed with edge cases at the expense of “shipping.” Venema flips that framing. Security isn’t his primary interest because, in his worldview, it shouldn’t need to be a separate interest at all. It should fall out of a simpler, older discipline: making software behave.
That’s the subtexted rebuke. Vulnerabilities often aren’t born from exotic attacker genius; they’re born from programs that don’t do what their authors think they do. Memory corruption, input handling, privilege boundaries, default configurations that quietly betray intentions - these are correctness failures before they’re breach headlines. By anchoring security to “works as intended,” Venema drags the conversation away from fear-driven patch cycles and back to specification, constraints, and humility about complexity.
Context matters: Venema is a builder with scars, known for pragmatic infrastructure software (Postfix) and security tools. He’s not dismissing security; he’s refusing the marketing category. The statement also contains a quiet warning: if you can’t crisply articulate intent, you can’t defend it. “Intended” is the slippery word here, implicating product managers, rushed timelines, and ambiguous requirements. Security becomes a mirror held up to the messiness of intention - and Venema’s point is that the cure starts long before the firewall.
That’s the subtexted rebuke. Vulnerabilities often aren’t born from exotic attacker genius; they’re born from programs that don’t do what their authors think they do. Memory corruption, input handling, privilege boundaries, default configurations that quietly betray intentions - these are correctness failures before they’re breach headlines. By anchoring security to “works as intended,” Venema drags the conversation away from fear-driven patch cycles and back to specification, constraints, and humility about complexity.
Context matters: Venema is a builder with scars, known for pragmatic infrastructure software (Postfix) and security tools. He’s not dismissing security; he’s refusing the marketing category. The statement also contains a quiet warning: if you can’t crisply articulate intent, you can’t defend it. “Intended” is the slippery word here, implicating product managers, rushed timelines, and ambiguous requirements. Security becomes a mirror held up to the messiness of intention - and Venema’s point is that the cure starts long before the firewall.
Quote Details
| Topic | Coding & Programming |
|---|
More Quotes by Wietse
Add to List
