Developing secure software and systems is hard. Even if the most experienced engineers use the best tools and follow best practices, bugs and vulnerabilities can slip through. Add to that the amount of legacy or 3rd-party code in use today, developer turnover and the use of outsourcing, and we can see that it is very difficult to eliminate all vulnerabilities from within a solution. This is why security by design and defence in depth are important principles. By designing-in security right from the start, and having multiple independent and overlapping methods of protection, the impacts of vulnerabilities can be reduced.