Here's their list (summarized):
9. Not only are there no magic software security metrics, bad metrics actually hurt.
8. Secure-by-default frameworks can be very helpful, especially if they are presented as middleware classes (but watch out for an over focus on security "stuff").
7. Web application firewalls are not in wide use, especially not as Web application firewalls.
6. Involving QA in software security is non-trivial... Even the "simple" black box Web testing tools are too hard to use.
5. Though software security often seems to fit an audit role rather naturally, many successful programs evangelize (and provide software security resources) rather than audit even in regulated industries.
4. Architecture analysis is just as hard as we thought, and maybe harder.
3. Security researchers, consultants and the press care way more about the who/what/how of attacks than practitioners do.
2. All nine programs we talked to have in-house training curricula, and training is considered the most important software security practice in the two most mature (by any measure) software security initiatives we interviewed.
1. Though all of the organizations we talked to do some kind of penetration testing, the role of penetration testing in all nine practices is diminishing over time.
0. Fuzz testing is widespread.
Now, probably because I'm coming from a security practitioner's and consulting perspective, I didn't find them overly surprising - but at least they did some real interviews and have stats to back up their findings (which is great).
The most noteworthy "surprises" were (7) and (1), and I figured I'd briefly comment on those.
(7) I remember when vendors were first going around to their clients touting Web Application Firewall (WAF) technology back at the start of the millennium, and the trouble my clients had in understanding why their WAF hadn't stopped us during the penetration test. Within a year, most of the major client organizations had shelved their WAFs and become rather hostile to anyone who sought to sell them a new flavor of WAF. Over the last year or so, I've seen several organizations take a fresh look at the WAF technologies and redeploy smarter variants basically as IDS solutions tuned to a particular Web application they want to observe.
I think that most of the valuable security components of WAFs (such as the selective whitelisting and SQL/XSS injection protection) have now been absorbed into the standard commercial IPS boxes out there - i.e. WAF is (already) becoming a feature of IPS.
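To make the two ideas in the paragraphs above concrete (a WAF run as an IDS tuned to one application, and the difference between its selective whitelisting and the generic SQL/XSS signatures an IPS carries), here is an added example that is not from the original post or any product it mentions. It is a toy request inspector written for this page: the routes, parameter patterns, signatures and sample requests are all hypothetical and constructed for the example. The positive model (per-route whitelist) is what flags the "1; select sleep(5)" value that the small signature set misses, which is why a WAF tuned to a specific application sees more than a generic IPS rule set does.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern, Tuple
from urllib.parse import parse_qsl, urlsplit

# Positive security model (selective whitelisting): for each route of the one
# application being watched, the parameters that may appear and the shape each
# value must have. Hypothetical routes and patterns, written for this example.
Route = Tuple[str, str]
POLICY: Dict[Route, Dict[str, Pattern[str]]] = {
    ("GET", "/search"): {
        "q": re.compile(r"^[\w .,'-]{1,64}$"),
        "page": re.compile(r"^\d{1,3}$"),
    },
    ("POST", "/login"): {
        "user": re.compile(r"^[a-z0-9_.]{3,32}$"),
        "password": re.compile(r"^.{8,128}$"),
    },
}

# Negative security model: generic SQLi/XSS signatures of the kind a commercial
# IPS ships with. Deliberately small, to show what the whitelist catches that
# signatures alone do not.
SIGNATURES: List[Tuple[str, Pattern[str]]] = [
    ("sqli", re.compile(r"(?i)(\bunion\b\s+(all\s+)?select\b|'\s*or\s*'[^']*'\s*=\s*'|;\s*drop\s+table\b)")),
    ("xss", re.compile(r"(?i)(<\s*script\b|javascript\s*:|\bon[a-z]+\s*=)")),
]


@dataclass(frozen=True)
class Alert:
    rule: str    # unknown_route, unknown_param, bad_value, or a signature name
    detail: str  # the parameter or value that triggered the rule


def parse_request(method: str, target: str, body: str = "") -> Tuple[Route, List[Tuple[str, str]]]:
    """Split a request into its route and decoded (name, value) parameters."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    return (method, parts.path), params


def inspect(method: str, target: str, body: str = "") -> List[Alert]:
    """Run the whitelist first, then the generic signatures, over one request."""
    route, params = parse_request(method, target, body)
    alerts: List[Alert] = []
    allowed = POLICY.get(route)
    if allowed is None:
        alerts.append(Alert("unknown_route", f"{method} {route[1]}"))
    else:
        for name, value in params:
            pattern = allowed.get(name)
            if pattern is None:
                alerts.append(Alert("unknown_param", name))
            elif not pattern.fullmatch(value):
                alerts.append(Alert("bad_value", f"{name}={value}"))
    for name, value in params:
        for rule, sig in SIGNATURES:
            if sig.search(value):
                alerts.append(Alert(rule, f"{name}={value}"))
    return alerts


def decide(alerts: List[Alert], mode: str = "ids") -> str:
    """ids: observe and log only (the redeployment described above); ips: block."""
    if not alerts:
        return "allow"
    return "block" if mode == "ips" else "allow+log"


# Constructed sample traffic for this example: benign, SQLi, XSS in an unknown
# parameter, an injection the signatures miss, an unknown route, a valid login.
SAMPLE_REQUESTS = [
    ("GET", "/search?q=running%20shoes&page=2", ""),
    ("GET", "/search?q=shoes%27%20OR%20%271%27%3D%271", ""),
    ("GET", "/search?q=shoes&ref=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
    ("GET", "/search?q=shoes&page=1%3B%20select%20sleep(5)", ""),
    ("GET", "/admin/export?all=1", ""),
    ("POST", "/login", "user=alice&password=correct%20horse%20battery"),
]


def monitor(requests=SAMPLE_REQUESTS, mode: str = "ids"):
    """Return (method, target, verdict, sorted rule names) for each request."""
    results = []
    for method, target, body in requests:
        alerts = inspect(method, target, body)
        results.append((method, target, decide(alerts, mode), sorted({a.rule for a in alerts})))
    return results


if __name__ == "__main__":
    for method, target, verdict, rules in monitor():
        print(f"{verdict:9} {method} {target}  {rules}")
```

Run as a script it prints one line per sample request; switch `monitor(mode="ips")` to see the same policy act as a blocking device. The whitelist is also what makes this hard to reuse across applications, which is consistent with the observation that such deployments end up tuned to one Web application at a time.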
(1) While their analysis found that most organizations make use of external penetration testing consulting, they concluded that the role of pentesting is decreasing. In one sense I agree, yet in another I don't.
As major corporations have developed and matured their SDLC processes and adopted the use of standard automated testing tools (fuzzers and vulnerability scanners), they are catching many of the bugs that used to fill up the final reports issued by the external penetration testing companies. So, in that sense, I'd say that the role (and value) of traditional (i.e. "classical") pentesting has decreased.
However, the field of application security is particularly dynamic, and many of the major pentesting companies have become more boutique in their offerings and offer niche services that complement an advanced SDLC strategy. So, in that context I'd say that the role of pentesting has increased.