CSI Annual Conference - Highlights on Web App Security - Following the White Rabbit Blog

Listening to the speakers (yes, this time around I was a spectator only... sort of) and the audience over these past 2 days, and specifically at the Web 2.0 Security Summit here at CSI Annual 2008, I've come up with a few things that I think you (the readers, who may or may not have attended) should come away with.  These are important points, highlights from a very well organized conference geared towards actual solutions rather than the typical "smoke, mirrors, and hand-waving" [Trey Ford] you may expect from security conferences.  A nod to Robert Richardson for the guest pass, and for an excellent conference.

From the experts

  • Threats continue to escalate, and attacks are getting more clever
  • Browsers cannot be trusted, applications can be compromised - this is not a rosy picture
  • End-user (and business) "push" is needed to help move browser developers to produce more secure browsers
  • HTML-spec and standards are actually working against security in some cases (see: ClickJacking) 
  • Web applications are, and will continue to be, the prime target for attackers
  • Few businesses are prepared to drive standardized security throughout their organization
  • Metrics - good metrics collection and delivery is one of the secrets to making a security program work for you
  • Process, services, secure coding tools, code analyzers/scanners and Web App Firewalls are not mutually exclusive
  • Your business must have a short-term tactical fix and long term strategic plan to succeed
  • Services and tools are maturing at a great rate - and businesses should understand the purpose of each
    • Tools are a support mechanism for automation, standardization, and repeatability - they do not replace people
    • Services allow for independent 3rd party verification (satisfying some regulatory and compliance requirements)
    • Neither of the above will magically "make your applications secure"
  • SaaS (Software as a Service) for web app security provides immediate ROI and immediate implementation, and draws on OpEx rather than CapEx spending
  • You can't use the Ostrich approach (head in the sand, ignoring what's around you)
  • Right now, someone is hacking either your applications, your users or both

The bottom line from the experts?  The web is more dangerous than the wild-west; and things are going south fast.  There is hope.

From the audience

  • Managers and practitioners alike are confused and disheartened when it comes to security ... specifically web application security
  • Despite wanting to do the right thing, managers facing insecure (or worse, unknown) web applications are finding it difficult to implement a program
  • Between integrations, acquisitions, and poor oversight security teams are struggling to keep up with the avalanche of published web apps
  • The overwhelming number of vulnerabilities shows up as a feeling of "we're powerless, why not just give up", as one person put it...
  • Managers are confused on where, when, and how to apply tools to web application security programs
  • Some managers have their hands tied by long-term contracts with outsource developers which do not properly include information security components
    • When code is finally turned over to them, they are faced with checking the security of that code on their own
    • ... that code, if found defective, will then require re-work at their cost!
    • Ineffective contractual obligations are making it impossible to have an effective security program
  • Security metrics are typically a problem...
    • Some companies don't know what metrics to collect
    • ... others collect them and manually try to make sense of them
    • ... still others have intelligent metrics but haven't been able to translate them into actionable items yet
    • ... and still others haven't figured out how to take raw metrics and model them for upper-management consumption
  • Security outsourced services are still too confusing
  • Compliance is causing more headaches than it is solving
  • Companies are striving to be compliant... but are still terribly insecure - and managers are getting that but feel powerless to change

The bottom line from the audience?  Make security simple, actionable, and consumable for my organization... and do more than just sell me tools or services - help me build a program.

There is good news, and bad news.

The good news is that I feel very strongly that we (HP Application Security Center) can help you accomplish your goals.

The bad news is ... it's still going to be your job to sell it to your upper management and execute...


Posted 11-19-2008 4:00 AM by RafalLos

Comments

joe wrote re: CSI Annual Conference - Highlights on Web App Security
on 11-20-2008 12:06 AM

Thanks Raf for this post.  You captured the concerns that I see every day very well.

Jerry Mangiarelli wrote re: CSI Annual Conference - Highlights on Web App Security
on 11-20-2008 4:46 PM

Thanks for sharing Raf. It's definitely a concerning topic (web app sec). The real fear is the unknown, and with web app sec you never know what's around the corner. Knowledge is power and it's the responsibility of those who manage to be familiar with this.

Pingback from CSI Annual Conference - Highlights on Web App Security | Mike Andrews
on 11-21-2008 7:22 AM
