Virtually everyone I've ever spoken to will agree that security is always better "baked in" to the design from the beginning as opposed to "buttered on" at the end. Why is it, then, that we always seem to have so much trouble getting there? It seems as though we have implemented our systems development processes in a way that prevents us from reaching this state. While there are great frameworks out there like the Systems Development Life Cycle (SDLC), the systems are only as secure as the requirements that they are developed to. This, I believe, is where we most often go astray. Security must be a requirement, just as throughput or port density are requirements. The challenge, then, is to get security practitioners to develop requirements that will drive the design and assist in the tradeoff decisions between security, functionality, and cost that will inevitably occur. These tradeoff decisions must be backed up by solid risk analysis and not just compli