Give Secure Code a Chance
By Cameron Sturdevant

Give Secure Code a Chance - Risk Assessment From the Outside In (Page 2 of 2)

Indeed, a risk assessment should factor in the potential damage of information disclosure either in the form of fines or the loss of customer confidence. And this assessment should be shared with executives, project managers and developers in ways that each group can understand and act on.

MasterCard's Stanley is a proponent of using outside labs to test the security of the devices—hardware and software—used around the globe to authenticate credit card holders. "We are dealing with 23,000 banks, thousands of processors and 30 to 40 million different merchants on a wide range of platforms," he said. "We need people who can test the hardware and software."

Coffee added that many companies would do well to seek the services of a consultancy focused on security, spreading the development load. "There is no reason to bear the burden of developing and maintaining the skill set for your company when it can be more efficiently leveraged across multiple clients of a security assessment firm," he said.

While Stanley wouldn't say how much the organization's secure software assessment program costs, he did offer a cost guideline. The process of gaining formal software security assurance for an application—such as the Common Criteria assurance, a set of IT requirements distilled from U.S., Canadian and European agencies—will likely cost as much as the development of the application and will likely double the time frame for application delivery. According to Stanley, it takes three to five years to put an effective software security assurance program in place.

The trick is to balance resources and risk—no easy task, according to Cigital's McGraw. "We need to figure out how to still produce code and still earn revenue while also balancing out the security equation," he said. "It's a question of risk management."

Qualcomm's Rose is looking to automation to help his company achieve this balance. "The idea is to improve our software development process to the point where it's just automatic that security issues are taken care of, and we'd like to meet that goal in the next couple of years," he said.

There are several automated code checking tools available to aid developers in their security quest, and many are now available as services. Compuware, for example, offers two days of on-site code checking services using its DevPartner SecurityChecker 2.0 for $6,000—a price that allows even smaller, resource-strapped companies to avail themselves of this type of service.

Part of improving the software development process is opening it up to all vested parties. Company executives will require a well-documented impact report that details the costs associated with a software breach. Development project managers and other middle-management groups—acknowledged by all the experts we spoke to as the hardest group to reach—will be swayed by peer comparisons such as reports that show the number and cost of security errors compared by project.

Regardless of which tools or services are selected, all the experts we spoke with agreed that awareness and commitment are needed at all levels of the organization to ensure that security is a core component of any new application.

E-mail Technical Director Cameron Sturdevant at cameron_sturdevant@ziffdavis.com.

This article was originally published on eWEEK.com.
