Thursday, October 23, 2008 6:18 PM/EST

Security Becomes Mission Critical for Developers

One of the major security issues of the day is how little responsibility developers take for making applications secure.

We have more or less created a culture in which responsibility for securing the overall computing environment fell to network professionals, because the network seemed like the first line of defense. But in actuality, the network perimeter is typically the first place we become aware of the attack. And more often than not, that attack is taking place because the people perpetrating that crime have a high degree of confidence that, once they get past the perimeter, the applications they find are going to be relatively wide open.

In recent years, providers of application development tools have been preaching the critical need for developers to follow best practices when it comes to security. But any number of issues can get in the way of that actually happening, ranging from a lack of security knowledge on the part of the developer to concerns about performance penalties and feature tradeoffs.

Fortunately, with the advent of multicore processors, the issue of performance and features as it relates to security should melt away. We now have plenty of raw horsepower available to support whatever overhead security imposes on developers. But what the providers of application development tools have yet to do is make it easier for developers to incorporate best practices for security during the application development process.

IBM has recently taken a step in the right direction by incorporating scanning technology it acquired into its Rational application development suite. IBM acquired AppScan from Watchfire in 2007, but for the most part the AppScan technology was something used only by security professionals to discover problems after the fact. What IBM has now done is incorporate AppScan technology across the entire development environment, so developers can more easily check their code for flaws all along the development process.

There is no serious developer out there who wants to build an insecure application. It's just that the time constraints they frequently work under conspire to make the overall application less secure.

Unfortunately, we're fast approaching a time when some company will be sued for security breaches related to an application. The reasoning will be that there is no good reason for making data that belongs to somebody else available to people who shouldn't have it because the application was not secure. In time, a court is going to see that kind of activity as a form of reckless disregard, equivalent to a car manufacturer selling cars with faulty brake systems.

Developers live in a brave new world full of auditors, regulators and lawyers. Like it or not, that means that the software development lifecycle is changing to reflect the mission-critical role more and more applications are playing across the world.
