"It is necessary to develop a security mind-set. This means understanding the threats and risks, and keeping these in mind during all phases of software development and deployment," said Robert C. Seacord, senior vulnerability analyst with the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University.
The problem starts at the college level, experts say, because most aspiring software engineers and developers get little or no security education in school.
"Many of the introductory books on coding fail to discuss security, and as a result, many of the same vulnerabilities that were problematic for developers several years ago remain a problem today," said Michael Cobb, founder and managing director of Cobweb Applications.
Compounding the problem is the fact that the top priorities for most software projects are functionality and shipping the product on time. Developers aren't asked to think about security because consumers haven't asked for it. Security is often an afterthought, and many organizations still don't have a good handle on how to integrate security into the project requirements.
"Every application vulnerability is the result of some error during the development of the application," said Jeff Williams, chairman of the Open Web Application Security Project (OWASP). "The most common issues in the development process include the failure to define clear and detailed security requirements."
It's clear that developers unfamiliar with secure coding practices can't change their ways overnight, particularly given that application security is a relatively new concept. But there are some best practices that can be employed to improve the security of Web applications.
For one, organizations can start providing hands-on security training to fill the gaps left by formal education. Chris Wysopal, CTO of Veracode, said that showing developers how vulnerabilities arise in the code they themselves write helps them become more grounded, and drives home that an application free of functional bugs is not necessarily a secure one.
From there, developers should adhere to common secure coding practices when writing code: validating all input on the server side rather than trusting anything that arrives from the client, avoiding hidden form fields for values the server must rely on (a user can edit them as easily as any visible field), keeping up to date on the latest attack techniques, and practicing defense-in-depth so that no single control is the only thing standing between an attacker and the data.
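To make the first two of those practices concrete, here is an added example (not code from the article or from any of the people quoted in it) that processes the same constructed web form submission two ways. The first handler trusts a hidden `price` field and an unchecked `qty` field; the second validates every field against an allow-list and re-derives the price from a server-side catalog, so a tampered hidden field has no effect. The catalog contents, field names, patterns and the quantity limit are assumptions made for illustration.

```python
"""Server-side handling of a web form: trusting the client vs. validating it."""
import re

# Constructed server-side catalog (assumed for this example): the only
# trusted source of prices. Values are in cents.
CATALOG = {"sku-100": 2999, "sku-200": 499}
MAX_QTY = 100

# Allow-list rules: each accepted field must fully match its pattern.
# Explicit [0-9] is used rather than \d so Unicode digits are rejected too.
FIELD_RULES = {
    "sku": re.compile(r"sku-[0-9]{3}"),
    "qty": re.compile(r"[1-9][0-9]{0,2}"),  # 1..999, no sign, no whitespace
}


class ValidationError(ValueError):
    """Raised when a submission fails allow-list validation."""


def order_total_trusting_client(form):
    """Vulnerable: the price is read from a hidden form field and the
    quantity is converted without any range check, so a user who edits
    the form in the browser chooses their own price (or a negative total)."""
    qty = int(form["qty"])
    price = int(form["price"])  # hidden field, trivially edited client-side
    return qty * price


def validate_form(form):
    """Return only the allow-listed fields, each checked against its pattern.
    Anything else the client sent (such as a hidden `price`) is dropped."""
    clean = {}
    for name, pattern in FIELD_RULES.items():
        value = form.get(name)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValidationError(f"bad or missing field: {name}")
        clean[name] = value
    return clean


def order_total_hardened(form):
    """Hardened: validate every field, then look the price up server-side.
    Any client-supplied price never even reaches this function's logic."""
    clean = validate_form(form)
    sku = clean["sku"]
    if sku not in CATALOG:
        raise ValidationError("unknown sku")
    qty = int(clean["qty"])  # safe: pattern guarantees a small positive integer
    if qty > MAX_QTY:
        raise ValidationError("qty exceeds limit")
    return qty * CATALOG[sku]


def rejects(form):
    """True if the hardened handler refuses this submission."""
    try:
        order_total_hardened(form)
    except ValidationError:
        return True
    return False


# Constructed requests: a legitimate one, one where the hidden price was
# edited to 1 cent, and one with a negative quantity.
LEGIT = {"sku": "sku-100", "qty": "2", "price": "2999"}
TAMPERED = {"sku": "sku-100", "qty": "2", "price": "1"}
NEGATIVE = {"sku": "sku-100", "qty": "-5", "price": "2999"}

if __name__ == "__main__":
    print(order_total_trusting_client(TAMPERED))   # 2 cents for two items
    print(order_total_trusting_client(NEGATIVE))   # negative total
    print(order_total_hardened(TAMPERED))          # 5998: price ignored
    print(rejects(NEGATIVE))                       # True
```

The design point is that the hardened handler never asks "is this value dangerous?" (a deny-list question that is easy to get wrong); it asks "is this exactly what a legitimate request looks like?" and recomputes anything the server actually depends on, which is also what makes a hidden field harmless even when one is present.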
Still, producing secure applications shouldn't be the sole responsibility of developers.
"To successfully develop secure systems, it is necessary that security is a focus of the entire development organization," said CERT's Seacord. "Software project managers need to ensure that secure software development processes are in place and that the developers understand and follow these processes. QA can assist in the process by testing for common vulnerabilities in addition to ensuring the overall quality of an application. CIOs need to emphasize the importance of producing secure code and ensure adequate organizational support."
While some say that even with these practices the industry is fighting an uphill battle, many experts are confident that the state of software security is improving. As evidence they point to the existence of communities, publications and vendor products once unavailable to the field.
But, improvements aside, the one thing that many say will change how the community thinks and works is consumer demand. It may be only a matter of time until consumers explicitly ask for security the way they ask for functionality.
As OWASP's Williams pointed out, "People are starting to rely on applications that will do things that will change their lives, and as we trust the software to do more and more things we will tend to see security increase."