ZDNet reports on John Pescatore’s talk at the Gartner Symposium in SF this week. John is probably the best security analyst at Gartner and an influencer of many a CIO. It’s a good article, and there are links to the hype cycle slides for threats and security solutions.
Two key messages: (1) a false sense of security is emerging, and (2) building perimeter defenses is not the answer; we have to look for ways to build and buy more secure software.
“Every time there’s a piece of software built there should be evidence of vulnerability testing and the software lifecycle,” says Pescatore. “If I buy a shirt, I see it was inspected by checker 27. Where is 27 when I buy software?”
With SaaS, Web 2.0, Web services and mashups, the security landscape (both attacks and solutions) will get quite interesting. Two core principles of information security have prevailed over time: defense in depth, and the weakest link breaks the chain. Defense in depth suggests we are likely to see more layers in the security solution onion as applications and their interactions become more complex. The weakest link principle suggests we are likely to see a lot more broken chains, and plenty of front page articles in the WSJ about fraud and data loss.