My second monthly column is up over at Dark Reading: The Perils of Predictions & Predicting Perils.

This is not your ordinary year-end prediction special. Here’s an excerpt:

As the end of the year approaches, a strange phenomenon begins. As we relax and prepare for the holidays, we feel a strange compulsion to predict the future. For some, this compulsion is so overwhelming that it bursts the bounds of late night family dinners and explodes onto the pages of blogs, magazines, newspapers and the ever-dreaded year-end specials on TV. Ah, year’s end. Legions of armchair futurists slobber over their keyboards, spilling obvious dribble that they either predict every year until it finally happens or is so nebulous that they claim success if a butterfly flaps its wings in Liechtenstein. As you can tell, I’ve never been the biggest fan of these year-end predictions, especially in the security business. Since the days of the slide rule, scores of pundits have consistently, inaccurately predicted a devastating SCADA attack or the next big worm.

Instead, I focus on two major threat trends and the security innovation they are inspiring. My favorite line in the column is near the end, so I’ll pull it out:

Vulnerability scanning, secure software development, and programmer security training cannot solve the Web application security problem.

I’ll leave you with two words: anti-exploitation, but you should really go read the article.