Software security is still a very small space, but in the last few years we have started to see some real successes with large organizations rolling out much improved software security tools, processes, and technologies. As someone who has been out doing this stuff for a long time, I am very heartened by the progress. There is one nit I have, though, which is that most of the current progress has been driven by technology vendors and financial institutions. These companies have made real progress in some areas like static analysis, and while a medium level of assurance won't defeat a determined opponent, progress is progress and there is a lot of value in raising the floor.
My issue is more to do with the particular focus that technology vendors and financial institutions have. They have real availability concerns and some integrity concerns, but they don't speak for all enterprises. Manufacturers, insurance companies and healthcare companies have much different integrity and confidentiality concerns than financial companies. Particularly when you get to things like authorization and audit, these differences come to a head. Since the good improvements we have seen recently have been driven by the financial market, the solutions are also driven by these concerns. Yet other enterprises' concerns remain; perhaps with the stock market hammering all things financial this will reduce spending, and the software security vendors will begin to listen to the different technical and deployment considerations that exist for industries besides financial.
This would be a very big win - long term - for financials as well. Financials, like most companies, generally want to cost effectively get to a medium level of assurance (side note - Fred Cohen taught me that this is the hardest problem to solve - we know what high looks like, and we know what broken looks like), but here is the thing - there is more than one way to get to medium! If the healthcare, insurance companies, and manufacturers can drive out new deployable medium assurance solutions that augment some of the good stuff that has come out of the innovation in the financial space, then we all win.
I understand the urge for vendors to dance with who brung 'em, but there is more than one way to do this.
So if you work for a software security vendor and you hear a list of requirements coming from an insurance, healthcare, manufacturer or other enterprise prospect - don't automatically just compare them to what your financial customers (who have hard edges around processes) do. Instead, listen and try to think of how to address, deploy and scale in a new environment. Find multiple paths to medium assurance (not just the financial one) - your customers will be happy and you will make more money.