The abbreviated surprises, listed in reverse order as in the article, are as follows:
- There are no magic software security metrics
- Secure-by-default frameworks can be very helpful
- Web application firewalls are not in wide use
- Involving QA in software security is non-trivial
- Software security resources come from the program rather than the audit department
- Architecture analysis is harder than expected
- Researchers, consultants and reporters care more than practitioners about the who/what/how of attacks
- Training is considered the most important software security practice
- The role of penetration testing is diminishing over time
- Fuzz testing is widespread
As a long-time IT and information security practitioner, I found the greatest surprise to be that many of these items were surprises to the authors. This might suggest that the biggest benefit of the BSIMM report is in educating researchers, consultants and reporters about the “real world” of application security. While there is not space to discuss each of the assertions here, let’s look at a few.