I think this should be an nice question tu argue, and this because of many of us dedicate to security. Java, .NET are the future of applications and web services so where does buffer overflows and format string bugs goes? Accionally many of the vulnerabilities that we exploit are cause of this miss undestanding of safe programming. Millions of lines of codes have been patched againts this flaws.

So where do you think security is going, to Social Engineering (boring), to anit virus technologies (kind of Social Engineering), to IDS/IPS tech.

In Past Conventions on Defcon and BlackHat, nothing new or even intersting.

No new attacks techniques?

so were are in a dead spot, or it is really the end of security as we know it.

The security of a program isn't always about sanitized validated inputs and dropping invalid data.  A program can only be as secure as the environment in which it resides: hard and software. Millions of lines of less than secure code notwithstanding the further consideration of what code interacts muddies the situation significantly. http://www.ntguard.com/article.cfm/id/341504 further underscores that as we add complexity, we risk adding vulnerability.

Coders are under time,financial, and interoperability constraints that inject inevitable flaws into their end product.  Good practice and QC become limited by client needs, production schedules, and limitations of manpower. Manufacturers mitigate these needs as reasonably as they can within these limitations.  Flawed code doesn't seem to be going away.

Social engineering is never going to go away because we're flawed creatures. we want to be helpful, useful, liked, and appreciated.  We'd have to take the human element out. 

AV technologies will continue to struggle to keep up with the virii available if only for the percieved protection they provide.  Per the refernces in the link above, I dare say AV technologies might have become near self-perpetuating.

I wouldn't attribute the lack of new tools and techniques to a lack of them existing, rather a lull in publishing.  People can only explore so much before repeating research.  This career has been punctuated by bursts of frenzied discoveries based on other research.  We are just as likely to be experiencing the calm before the storm.

nothing like lowering the tone.......

As stated, application security is far more than buffer overflows and format string vulnerabilities.

I've rarely found exploitable (as in arbitrary code execution) buffer overflows on externally visible resources (internal is a different story).   I've frequently found application vulnerabilities such as SQL Injection (much less common in .NET than classic ASP).   Even more common are business logic vulnerabilities -- not so much technical (like SQL Injection, XSS, CSRF, etc.), but flaws in the business logic of the application that lead to a compromise.   Things like having the price of a store item as a hidden form field.

Or having a form to allow users to download VCS files from an online calendar application....and not checking the file location that is passed into the download app.   Just had that recently -- allowed me to download any file on the server if I modified that hidden form field.   Downloaded the SAM and SECURITY files from the repair directory, cracked them and logged into the server as an Administrator.

The skill (and the fun) in hacking is finding those vulnerabilities wherever and however they present themselves, not in trying a pre-defined set of tests and seeing what works.    The application layer is where the majority of exploits have migrated to.

Heck....SE is some of the most fun you get to have as a hacker

I'm not sure that I agree entirely on the rarity of shell access remotely through web apps, though.   I just pulled one today (SQL Server 2k5, with an ISS IPS in place, so it was a bit tricky).   

I will certainly agree that they're becoming more scarce in current iterations of web programming languages (.NET is vastly better with security than classic ASP)....but legacy code and vulnerable applications in current languages are not too difficult to come by....at least, not yet

Certainly....though to avoid derailing the thread, we should probably take it to PM (or a new thread, if you prefer).

For your enjoyment:

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,2814.0/