ABSTRACT
With events such as buffer overflows, SQL code injection, and arbitrary code injection, we are faced with
a continuous flood of vulnerability and threat information for our systems, our applications, and our
networks. Whether the information comes from a customer, an employee, or an auditing or assessment
firm, organizations are continuously addressing the endless cycle of vulnerability and threat identification,
measurement of risk, and the implementation of some appropriate corrective action (also referred
to as a control). Surely, there must be some measures that organizations can take when developing
software to proactively address security and in turn reduce potentially negative publicity and the costs of
development and ongoing maintenance for themselves and their customers.