There is no doubt that today's applications must be secure. We are living in a world of data and communications, in which the most valuable asset is information.
Everybody knows that valuable assets must be protected.
Security standards are created to ensure that products implement security measures to protect their data.
Security is an "all-inclusive" term, which means it must be implemented "everywhere", at all levels:
Users: Train your users and build awareness to help them reduce the risk of performing irresponsible actions that an attacker can exploit.
Infrastructure: Firewalls, Network Admin, Host & Server Hardening, Network traffic encryption etc.
Application: Authentication, Authorization, Input validation, Encryption, Configuration management, Parameter manipulation, Auditing, Error handling etc.
The application must be designed and implemented while taking security issues into consideration. We have to remember that the attacker needs to find just one security breach while we have to protect everywhere.
Leaving one of the above levels unhandled will result in a completely unsecured product.
Application security is not just another feature. You cannot just turn it on.
Application security demands a lot of thinking. A lot of design work must be done, and many concrete actions must follow in every phase of the development cycle.
To bring Application security into your product a known and tested methodology must be followed.
Many issues must be taken into consideration, so checklists, published guidance and tools must be used.
Bringing application security into your development cycle is a great management and technological challenge.