We have been in a world of faith-based security for far too long. Probably the biggest factor is a lack of innovation and dynamism in the discipline of information security. Consider this rough timeline of software development progress since the dawn of the web.
People pretty quickly realized that plain HTML was not enough, so developers invented CGI/Perl for more dynamic sites. Once they wanted to scale and pool resources they built out ASP and JSP, then to deliver middle-tier components they developed EJB, J2EE, and DCOM. After that there were a lot of heterogeneous systems that needed to talk to each other, so SOAP and XML came along to address that. This path diverged into the ultra-simple (REST) and the more powerful but baroque (SOA), and finally the user side got some love with Web 2.0 technologies. That's a heck of a lot of engineering and innovation by the software development community in roughly 8 years.
Now let's check in with the developers' brethren over in information security. Well, once the web came along the information security community quickly realized that network address translation was going to be important, and further that encrypting the communication channel between the browser and the web server was also crucial. And then they addressed all the security issues of ASP, JSP, EJB, J2EE, DCOM, SOAP, XML, REST, SOA, and Web 2.0 with....umm...more of the same!
That's a pretty poor showing for innovation considering the enterprise investment in information security. Sure, the software developers have a bigger budget, but come on infosec - show some pride!
Infosec types like to throw developers under the bus for security issues, but it's a collective failure. Sure, developers need to learn more about secure coding, but as the table above shows, security is not keeping pace, and the gap is getting bigger.
Here is another dimension to the problem - attackers *do* evolve. The new technologies provide a far greater attack surface (data, methods and channels) for attackers to exploit and/or launch attacks from.
Because the defenses have not evolved, it's a simple evolutionary adaptation for attackers to go around or through the 1995 defenses. It's not about SOAP going through the firewall, it's about never bothering to secure the apps and the data. It's like telling your opponent: remember how the Detroit Lions played defense in a certain game in 1995? We're just going to do that.
So with the software developers' latest evolution we get Mr. O'Reilly's famous Web 2.0 meme map:
But where is the co-evolution in infosec? There is none. There is co-evolution in the attacker space, though; here is a sample Web 2.0 attacker meme map:
So the firewall offers great protection if your adversary is using Visio, but otherwise it's mostly useless.
So we would want to see two things happen: first, developers start writing more high-assurance code, and second, infosec evolves its security services to form-fit what they are actually protecting. Hint - it ain't a Visio diagram.
The thing is - we are getting better tools. Static analysis is a very powerful tool for improving your software security from a bottom-up perspective, and it can scale. These tools continue to get better. We are getting better standards - WS-Security, WS-Trust, and company enable fundamentally new security architectures. And we're getting better primitives, especially in the identity space - SAML, CardSpace, and friends will one day let us live in a world where users are not typing a username and password into a web browser to do online banking.
So maybe the innovation tide is turning, but there is a lot of ground to catch up: infosec is about a decade behind the developers and probably close to that far behind the attackers. It's going to take something special to catch up, but is there any other way? I think a big part of catching up is putting together a realistic, pragmatic blueprint to evolve your security architecture - a roadmap that addresses your people, processes, and technology. There are standards, primitives, and tools to leverage, but by themselves they are just pieces; they have to be brought together into a cohesive design. It's not an overnight thing to realize this, but the point is for infosec to *begin* the evolutionary process. Now. For real use cases. Using the security protocols, mechanisms, and skills we have available now.
The Road goes ever on and on,
Down from the door where it began.
Now far ahead the Road has gone,
And I must follow, if I can,
Pursuing it with eager feet,
Until it joins some larger way
Where many paths and errands meet.
And whither then? I cannot say.
- J.R.R. Tolkien, The Hobbit