The security at the building was tight. Seven serious-looking men, probably ex-policemen, sat behind The Security Desk. Not a female face in sight. Visitors had to report to the desk for a printed ID card, which they wore throughout the single building floor they had access to. On one such occasion I had to visit a client in the building and walked up to The Desk. The conversation went pretty much as follows.
“Your name?” asked Serious Security Guy; there was definitely no smiling or humor of any kind at The Desk.
He tapped away for several minutes. Since it was a courts building, I presumed that he was using my name to query a criminal database for matches. Despite my record being clean, I felt a little nervous. But he was pretty overweight, so I speculated that I could run faster than him if he happened to type my name incorrectly.
“Here's your card and barcode to let you up to floor 14. You must carry it with you at all times.”
He handed me a square of paper like it was a speeding ticket.
It read (and you can't make this up) “Mur$ry Barnden>” so obviously he hadn't checked my name against anything real. The testosterone festival was all for show.
The secure entrance gate looked like it would cut your legs off if you tried to slip through, so I scanned the barcode. It didn't work and a loud buzzer sounded. I tried again with no luck. Feeling the heat of their eyes on the back of my neck, I wondered if attempt number three would rake me with bullets or release some dogs. I began to sweat.
I heard an embarrassed cough at my shoulder. It was Serious Security Guy.
“Uh...we've been having problems with the printed barcodes all day. Here. Let me let you in.”
He swiped his own barcode (invalidating the one-entry, one-exit system completely) and in I went to the elevators. But he called after me.
“You might have the same problems on floor 14 but just ghost in behind someone else OK?”
So it doesn't matter how many staff you put on the front desk: your security can still be rubbish.
This is a real-world example, but the same thing happens in software. For instance, there is no point encrypting the passwords stored in the database if there are other security holes: users might be able to submit HTML form input that is never validated, or perform SQL injection through the login form itself.
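To make the login-form point concrete, here is an added example (not code from the original post) with two versions of the same login check against a constructed in-memory SQLite table. The password hashing is identical in both, so the only thing that changes is whether form input can become part of the SQL; the "hardened" version is one reasonable fix, not the only one.

```python
import hashlib
import hmac
import re
import sqlite3

def _digest(password: str) -> str:
    # Same hashing in both paths so the only variable is how the query is built.
    # (A salted, slow KDF such as PBKDF2 would be the better store; not the point here.)
    return hashlib.sha256(password.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table: one account, password stored only as a hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _digest("correct horse")))
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Form input is pasted straight into the SQL text. The hash really is checked,
    but whoever controls the WHERE clause decides whether that check matters."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{_digest(password)}'")
    return conn.execute(sql).fetchone()[0] > 0

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed username policy for the demo

def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Validate the form field, bind values as parameters so they can never become SQL,
    and compare the hash in constant time in application code rather than in the query."""
    if not USERNAME_RE.fullmatch(username):
        return False
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _digest(password))

def demo() -> dict:
    """Run both front desks against a genuine login and a classic tautology input."""
    conn = make_db()
    bypass = "alice' OR '1'='1"  # constructed attacker-style form input
    return {
        "vuln_real": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_bypass": login_vulnerable(conn, bypass, "anything"),
        "hardened_real": login_hardened(conn, "alice", "correct horse"),
        "hardened_bypass": login_hardened(conn, bypass, "anything"),
    }

if __name__ == "__main__":
    print(demo())
```

In the vulnerable path the crafted input turns the WHERE clause into `username = 'alice' OR ('1'='1' AND pw_hash = ...)`, which is true on the username alone, so the stored hash is never what decides the outcome; the hardened path rejects the input before it reaches the database and would not interpolate it even if it got there.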
Security has to be controlled end to end. The weakest entry point can render all the other expensive security measures ineffective.