In theory, secure software is possible, but in reality all software has bugs. How, then, can secure software be trustworthy? One example is Heartbleed. It is malware that hit security software running on the vast majority of web servers. It exploited a software bug in one of the most reviewed pieces of security software: OpenSSL. This is the software layer responsible for performing authentication between two parties when establishing a secure internet connection (this is the “s” in https). Although this software is open source and continuously reviewed by thousands of security experts, a very simple bug allowed access to server passwords and keys.

Here is how it works. Imagine a client (web browser software) sending the server a request of a specific type and length. If the stated length was longer than the request, the adjacent memory was transmitted back to the malicious remote client. This is an obvious example of secure, heavily peer-reviewed software that was nonetheless subject to leaking secrets, passwords and keys. The solution is very simple: never mix software and secrets.
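The missing length check described above, shown as an added example that is not OpenSSL's code: a handler that trusts the stated length next to one that compares it with what was actually received. The record layout, the function names and the `KEY=constructed` secret are assumptions made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for process memory: the request record sits at the
   start and unrelated data (a made-up secret) follows it. */
static uint8_t arena[64];
static const char SECRET[] = "KEY=constructed";

/* Simplified layout (assumption): type byte, 2-byte big-endian claimed
   payload length, payload. Returns the real length of the record. */
static size_t place_request(uint16_t claimed, const char *payload) {
    size_t n = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;
    arena[1] = (uint8_t)(claimed >> 8); arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, payload, n);
    memcpy(arena + 3 + n, SECRET, sizeof SECRET - 1);
    return 3 + n;
}

/* Flawed handler: echoes as many bytes as the request claims to carry. */
static size_t reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                       /* received length is never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Hardened handler: drops any request claiming more than was received. */
static size_t reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 3) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - 3) return 0; /* stated length exceeds the request */
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Returns 1 if the reply to a 4-byte request claiming 19 bytes holds SECRET. */
static int reply_leaks(size_t (*handler)(const uint8_t *, size_t, uint8_t *)) {
    uint8_t out[64] = {0};
    size_t rec_len = place_request(19, "ping");
    size_t n = handler(arena, rec_len, out);
    return n >= 4 + sizeof SECRET - 1 && memcmp(out + 4, SECRET, sizeof SECRET - 1) == 0;
}

int main(void) {
    printf("unchecked leaks: %d\n", reply_leaks(reply_unchecked));
    printf("checked leaks:   %d\n", reply_leaks(reply_checked));
    return 0;
}
```

The hardened handler still answers an honest request (claimed length 4 for `ping`) with the 4 bytes that were sent.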