Problem introduction and disclaimer.
Security Review Heuristics Zoo.
Or rather a few closing notes...
Can you quantify "product security"?
Usually when people start talking about "X being 23% more secure than Y" I just snort. However, with the notion of features interaction complexity, we can at least try to approach that problem from a quantitative side.
The idea is to assign a numeric security measure L to a product if all features interactions up to the complexity level L for most industry-recognized representations of the product have been analyzed and checked for security. Yes, "most representations" is not very precise, but as in practice there are not so many of them (about 10?), this still may offer a workable yardstick for a quantitative assessment. The scale would look then something like this:
Level 0. No systematic security work has been done even with individual features. Well-recognized security industry standards are likely violated (e.g., credit card numbers are sent over WiFi in clear). A product almost certainly contains glaring security flaws easily discovered by non-professionals.
Level 1. Security coverage has been achieved for isolated features of a product. It is probably free from the most common security failures associated with its domain of operation. No pairwise component interactions have been seriously considered though, so security weaknesses still arise in corner customer scenarios; those would require some basic level of security expertise to recognize them. (e.g., a customer is authenticated at the product's Web site, but critical operations do not verify that the Authentication has not expired yet, so a CSRF is considerable).
Level 2. All elements and their pairwise interactions are covered for most of industry recognized ways to re-factor a product into elements. Theoretically, a well-done Threat Modeling can achieve that at least from the design standpoint. Finding a security hole would require pushing a product very far into an unexpected state. Most pentesing vendors would still be able to discover scattered holes in such a product with enterprise-level funding (e.g., via fuzzing).
Level 3. Exhaustive verification of all three-way interactions is conducted for multiple re-projections. A product is solid against most flavors of nearly all industry-recognized attacks. Finding a new security hole in it costs O(N4) effort with respect to the number of elements logically comprising a product. In practice this would require at least billions of attempts. State-sponsored agencies can probably still run effective security offence against products at that security level, with costs expressed in 8-9 digit figures.
Level 4. All 4-way interactions have been verified as safe. I would say this is what a military-grade security *should* look like. Compromising such a product would take computational resources of leading world superpowers and cost significant chunks of their yearly GDPs. Security holes at this level would literally be solitary, unique in nature, and kept under high secrecy as important military assets.
And so on.
Security Career Roles
Every company needs "security people", but whom exactly? While most security specialists can wear multiple hats at the same time, they also have their natural preferences. And those preferences could be classified within the definitions of this article as following: