The case of the Halting Problem is often brought up to suggest that it is impossible to write perfect application security assessment tools. While this is formally true, take the limitations posed upon the abilities of static code analysis tools for example (true, but static code analysis tools are useful regardless, more on this below), I’ve come across numerous situations where people invoke the Halting Problem to form irrational arguments. The conclusions reached in these situations may end up being true, but the arguments are themselves illogical if the premises and inference do not flow into the conclusion.

Interesting tack. Invoking terms incorrect is something that plagues many industries, including security.

I’ve noticed that marketing departments of some information security companies like to throw around the limitations of Turing’s problem to sell their consulting services. I agree that a human brain must always be involved during security assessments (a fool with a tool is still a fool), so much so that I consider assessment tools to only be a first-pass sweep for vulnerabilities during any security assessment.

It is impossible to build a house using ONLY a hammer. But it sure helps to have one, along with all the other necessary tools.