Exceptions can taint assumptionsThis phrase came suddenly in my head when I heard someone mentioning something as an assumption that I knew it wasn't in place. That's something that happens quite often with security controls. Someone decides stuff such as "no unapproved software will be allowed to run on the corporate desktops", and from that moment it stops being a goal and starts to be an assumption to remove threat vectors. That's a very good example of threat modelling and risk assessment going wrong, "we don't need to worry about this threat because non-authorized software does not run in our desktops". They often forget about those dozen exceptions filled and approved the week after that rule was instated. So, next time you hear someone mentioning a control as an assumption to disregard a threat vector, consider the exceptions for that control. How many exceptions are necessary to invalidate that assumption?