Broad principles and guaranteed security

I’ve been looking at the security and risk associated with the development of a new web platform. On asking the lead developer to show me some basic documentation (an architecture diagram and functional spec) I received the following reply in my email:

We operate on the broad principle that we’re executing in a secure environment that is provided by the hardware of the infrastructure apart from the exposed servers in the front tier

Sounds like another case of “security bullshit” to me. To cap it all, the person in question goes on to say….

We certainly cannot be compromised by a SQL injection attack as all of our SQL queries are fully parameterized…This is guaranteed by the technologies we use.

I may as well go home then. It sounds to me like there’s nothing whatsoever to be concerned about. In fact, I don’t know why I even bothered to ask…..

Somebody is about to be brought down to earth. Any developer who believes the above quotes ought to be banned from using a computer and made to sit Clockwork Orange style with their eyelids held open and subjected to all the PowerPoint from the last 5 AppSec conferences. What worries me is that somebody might really believe that it doesn’t matter how the code looks because the infrastructure will protect them.

You don’t. Do you?