10 surprises in software security

An interesting article that came out of a set of interviews:

Software [In]security: Software Security Top 10 Surprises
By Gary McGraw, Brian Chess, Sammy Migues
source: InformIT

The 10 surprises:
9. Not only are there no magic software security metrics, bad metrics actually hurt.
8. Secure-by-default frameworks can be very helpful, especially if they are presented as middleware classes (but watch out for an over focus on security "stuff").
7. Web application firewalls are not in wide use, especially not as Web application firewalls.
6. Involving QA in software security is non-trivial... Even the "simple" black box Web testing tools are too hard to use.
5. Though software security often seems to fit an audit role rather naturally, many successful programs evangelize (and provide software security resources) rather than audit even in regulated industries.
4. Architecture analysis is just as hard as we thought, and maybe harder.
3. Security researchers, consultants and the press care way more about the who/what/how of attacks than practitioners do.
2. All nine programs we talked to have in-house training curricula, and training is considered the most important software security practice in the two most mature (by any measure) software security initiatives we interviewed.
1. Though all of the organizations we talked to do some kind of penetration testing, the role of penetration testing in all nine practices is diminishing over time.
0. Fuzz testing is widespread.