What else can possibly explain such a massive increase in published vulnerabilities? I sure don’t think it’s just the software developers somehow getting better at finding weaknesses in their code base. I also don’t think it’s rational to conclude that the security product and service vendors that spend time ferreting out weaknesses in software are getting that much better at their work.

That’s the real message that we should be reading in stats like this. As my colleague Gary McGraw says, “Build it and they will break it.” I suppose there’s somewhat of a corollary here in the form of, “If there’s money in it, they’ll break it vigorously.”

Gone are the days when software developers could safely write code in the absence of a keen understanding of what their adversaries might do to the code they write. We have to assume — at every step along the way — our software will face a determined and profit-motivated adversary who will go to great lengths to find even the most subtle of weaknesses in our software. And that goes for server as well as desktop software.

We information security folks need to get involved in our respective organizations’ software development efforts and help ensure that security is being represented at every stage. We need to help ensure that secure development practices like those described in Gary McGraw’s “Software Security” book or on DHS’s “Build Security In” portal are being followed in our organizations. We need to be as integral to the software development process as the software developers are now.

That’s not going to be easy, and there will be a major learning curve for us as well as for the software developers, but we’ve got to find ways of getting it done.

Regardless of how we approach it, I sure hope it’s evident to all of us that it’s time to stop hitting the snooze button with regard to secure software. Otherwise, all we’re doing is reacting to every alarm that comes along. And that’s a horrible way of doing business.