I tend to hear this principle, and I try to preach it whenever I get the chance: testing does not guarantee or validate the security of a system. Testing provides some evidence that particular implementation bugs may not be present. It is never certain. In fact, the scope of testing as I have sketched it out qualifies that statement further: you only have evidence of the absence or presence of the bugs you were looking for. A test is often treated as a rubber stamp that confers the label “secure”. In reality these testing efforts are, by definition, narrow and finite, and they lack the evidential power to confer “secure” on a system that has been tested.
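As an added example (not code from the original post), here is a constructed Python sketch of the point: a naive path sanitizer, the handful of test cases its author thought of, and two inputs the suite never probed. The suite passes, and the bypasses remain. `BASE_DIR`, the payloads and the function names are assumptions made for the illustration.

```python
import posixpath

BASE_DIR = "/srv/app/files"  # assumed document root for this constructed example


def sanitize_path(user_path: str) -> str:
    """Naive sanitizer: strip '../' so the caller cannot climb out of BASE_DIR.

    This is the code under test. It is deliberately the kind of fix someone
    writes after seeing exactly one traversal payload.
    """
    return user_path.replace("../", "")


def resolves_outside(base: str, relative: str) -> bool:
    """Ground truth: does base/relative resolve to a location outside base?"""
    resolved = posixpath.normpath(posixpath.join(base, relative))
    return not (resolved == base or resolved.startswith(base.rstrip("/") + "/"))


# The test cases the author thought of. Each one encodes a bug they were
# looking for (plain '../' climbing). Constructed inputs.
TEST_CASES = [
    "docs/readme.txt",
    "../etc/passwd",
    "../../etc/passwd",
]


def run_unit_tests() -> bool:
    """Return True when every known case is neutralised by sanitize_path."""
    return all(not resolves_outside(BASE_DIR, sanitize_path(p)) for p in TEST_CASES)


# Inputs nobody wrote a test for. Constructed; they are the threats that were
# not anticipated, so the passing suite says nothing about them.
UNTESTED_INPUTS = [
    "....//etc/passwd",   # stripping '../' once leaves '../etc/passwd'
    "/etc/passwd",        # absolute path; posixpath.join discards the base
]


def missed_bypasses(candidates=UNTESTED_INPUTS) -> list:
    """Inputs that survive sanitize_path yet still escape BASE_DIR."""
    return [p for p in candidates if resolves_outside(BASE_DIR, sanitize_path(p))]


if __name__ == "__main__":
    print("unit tests pass:", run_unit_tests())     # evidence only about the bugs looked for
    print("still exploitable:", missed_bypasses())  # the bugs nobody looked for
```

`resolves_outside` is the property the suite should have been checking across a far larger input space than three hand-picked strings, and even that oracle is only as good as the list of threats feeding it.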

The objective of a secure system is to prevent all unauthorized use of information, a negative kind of requirement. It is hard to prove that this negative requirement has been achieved, for one must demonstrate that every possible threat has been anticipated.

- Saltzer & Schroeder, The Protection of Information in Computer Systems (1974)