I did a podcast with Gary McGraw, which is available here. Gary's questions were great; I could have written a ten-page whitepaper in response to most of them, but I tried to sum up my thoughts on "what is security" and how you might approach security in the SOA, Web 2.0, and federation spaces. Gary is always interesting to talk to, since he has done a major percentage of the valuable work in software security.
One point I raised in the podcast is that I see a common misconception in the industry, which I sum up as the "what got you here won't get you there" problem. We have had a long, hard slog getting support for software security, and now, thanks to Gary's and others' work, it's finally starting to take root. It is taking root especially in financial services. One thing I see, though, is that vendors commonly make a big sale or three to a financial services player, then go to an insurance company, a manufacturer, or another large player and say, "Hey, do what Ginormous Globobank is doing." The problem is that their business models are different, their IT is different, and so on. We have done a decent job bootstrapping some security practices in financial services, but we need other models for other verticals.