Suppose an object B holds some dangerous authority X which must not be abused. B is designed to attenuate the authority and at the same time make it more convenient to use. Suppose that there is a bug in B that enables those who can call B to make arbitrary malicious use of X. The classic case at hand is to send a malformed message to B where B mistakenly lacks the logic to detect the malformation. Buffer overrun is the common case. The above, so far, is a very common pattern.

An important situation to consider, however, is that the callers of B are a closed set and that none of them form malformed messages to B. This situation is fairly common because abstraction layers are often designed for orthogonality, rather than security.

I believe that B should be coded to verify any input that it acts upon. The point here is to explain why such bugs are not always fatal. In the rare cases where tradeoffs dictate that this checking cost is too high, then at least the documentation for B must say that B is gullible.
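An added example, not from the original note, of what "B verifies any input that it acts upon" looks like in code. The authority X is assumed to be unrestricted write access to a fixed-size log; B attenuates it to "append one tagged record of at most 16 bytes" and rejects every malformed message rather than trusting the caller's length byte (the check a gullible B would lack).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The dangerous authority X: unrestricted write access to this log.
 * Only B (b_append) is meant to touch it. (Constructed example.) */
#define LOG_CAPACITY 64
static uint8_t log_buf[LOG_CAPACITY];
static size_t log_used = 0;

/* B's message format (assumed): [payload_len][tag][payload...]
 * tag must be 'A' or 'B'; payload is at most MAX_PAYLOAD bytes. */
#define MAX_PAYLOAD 16

typedef enum { B_OK = 0, B_SHORT, B_BAD_LEN, B_BAD_TAG, B_FULL } b_status;

/* The attenuator B. Every field of msg is verified before X is exercised;
 * a gullible B would copy msg[0] bytes without the length checks below,
 * which is exactly the buffer-overrun case the note describes. */
b_status b_append(const uint8_t *msg, size_t msg_len) {
    if (msg == NULL || msg_len < 2)
        return B_SHORT;                      /* header missing */
    size_t payload_len = msg[0];
    if (payload_len > MAX_PAYLOAD || payload_len != msg_len - 2)
        return B_BAD_LEN;                    /* length byte disagrees with reality */
    if (msg[1] != 'A' && msg[1] != 'B')
        return B_BAD_TAG;                    /* outside the attenuated vocabulary */
    if (LOG_CAPACITY - log_used < payload_len + 1)
        return B_FULL;                       /* X's own limit, checked by B */

    log_buf[log_used++] = msg[1];
    memcpy(&log_buf[log_used], &msg[2], payload_len);
    log_used += payload_len;
    return B_OK;
}

size_t b_log_used(void) { return log_used; }
```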