Is security engineering really just good software engineering?

These days, if you say that you are doing research in the area of computer security, you instantly receive attention. Sadly, the same cannot be said of software engineering. But are the two areas really so different? Both seem to be concerned with issues that range from the finely technical to the broadly social and that force us to make difficult tradeoffs among cost, performance, quality, and usability. Both seem to require that we conduct our research in an interdisciplinary context. In the end, we realize that fully solving the security problem for ever larger and more complex systems is as intractable as fully solving the traditional software engineering problem. In this talk I will attempt to relate the challenges of security engineering and software engineering, and will argue that security engineering is more of a software engineering problem than many people would like to admit.