On building an application security programme

by Justin Clarke

Is it my imagination, or has the rest of the world caught up, and figured out that having a security programme in place is a good thing when developing applications? Or (heaven forbid), actually training developers in developing securely before an application is 90% finished?

I have met with quite a few organizations in corporate America over the last several months, and there seems to me to be a movement amongst a lot of very large organizations to seriously consider doing something about this. As far as I'm concerned, I think it's a good thing, provided efforts actually end up in some practical solution.

Any comments, war stories, programmes gone wrong?