This talk by FX is related to today's earlier post. It's from 2007, but for security archs it's just as relevant today as it was then. If you think of the attack surface as the set of methods, data, and channels an attacker can use against your system, and then think about the evolution of software, you can clearly see how security systems are not evolving but staying the same in the face of the vulnerabilities.
today's firewall is:
a multiprotocol parsing engine
written in C
running in kernel space
allowed full corporate network access
holding cryptographic key material
...and still considered a security device?
design systems the right way
defense in depth is one of the few hopes
get used to the fact that things break --
adding another security feature isn't reducing the complexity at all