I know that sentiment. The most popular phrase I hear is 'Security is a process, not a product,' and I think the second most popular one needs to be 'The weakest element in any IT network is the people who use it.'
Needless to say, now we have procedures for resetting passwords and verifying users on the phone to mitigate social engineering attacks. Now I sleep better at night.
in reply to Re^3: Web Application Security Vulnerability testing
in thread Web Application Security Vulnerability testing