Know what you code, and what you run. Don't be fooled by words and shapes; code does what code does, that is all. We seriously need a way to detach code from mental models to expose hidden features. Basically, all computer law is rubbish because everything you run on your computer, exploits and all, is something you run by choice. But there's no way you could validate the sheer bulk of code.

If you want to really solve security flaws it'll involve somehow validating the possibilities of the code run. It's a discipline that touches on visualization, automated testing and simplification. Simplification meaning, reducing possible states and "execution paths". And just making code easier to comprehend.

The problem is that there's either no market for "truly secure" computing, or there's just nobody filling the gap. Banks with their Cobol are laughed at, mostly, and accused of lacking innovation. They do lack innovation in the technical field. And Cobol is definitely not an ideal language. But "truly secure" is worth a lot to them. L4 validated is a step in the right direction, but catches a lot of wind saying it's still imperfect and therefore worthless.

I'm utterly bored by code review. Maybe it'd be better if there were some nicer tools to help out. I'm really sure someone has great recommendations regarding this. (That don't even require Cobol :)