7 Things You Can’t Say in Infosec

Blogged by webmilhouse as Security — webmilhouse Wed 25 Jun 2008 8:05 pm

So, in honor of George Carlin, here is a list of 7 things that you can’t say if you are a security consultant:

7. Anti-virus has not and never will work.

6. Your vendor’s security product (X) will NEVER make you more secure.

5. Compromise is inevitable and there is nothing you can do to stop it.

4. Security professionals are completely unqualified for what they are doing.

3. Code will never be secure.

2. Defense in depth doesn’t work.

1. Security is an illusion and won’t ever be perfect. It hasn’t worked in the physical world, and certainly won’t work in virtual worlds. Ever.

A little tongue-in-cheek, but let me know what you think. :)

Feel free to add to this in the comments.

Firefox Web site Security Testing Plugins

Blogged by webmilhouse as Security — webmilhouse Tue 17 Jun 2008 1:35 pm

I stumbled upon these Firefox plugins the other day that allow you to test a given website against a set of predetermined XSS or SQL injection parameters. The tools include XSS-Me, SQL Inject-Me, and Access-Me, all designed to test the security of the website in an easy fashion:
http://www.securitycompass.com/exploitme.shtml

I thought these were pretty cool. I ran it against a corporate email website that is commonly used and was surprised by the amount of XSS that was successful. Be careful not to fiddle with Firefox while this is running because it will destroy the test. Also, Firefox 2 ate up a lot of memory while doing this, so I wouldn’t run it on that 486 sitting in the corner.
