The U.S. Department of Homeland Security (DHS) states that 90 percent of security incidents result from exploits against defects in software. That's a big statement - and it implies that poor software development may be the biggest cyber threat of all.

You have to wonder if that's an isolated finding in the context of DHS's own experience - or do CISOs, IT security professionals, researchers and analysts, software developers, and application vendors agree?

The “Forrester Wave: Application Security Report”, which evaluates vendors for security and risk professionals, says many firms have rushed to bring applications online, building out consumer-facing websites, buying commercial off-the-shelf (COTS) products, and developing mobile applications to enable and engage with their customers and partners without thinking about the security of the application itself. As a consequence, businesses are exposing their most sensitive corporate and customer data to possible external threats and breaches.

Is the cyber industry over-focused on network security, while applications are the real weak spot?

“Many organizations have significant network security in place, but it’s not enough as 84 percent of all cyber-attacks are happening on the application layer,” said Tim Clark, Head of Brand Journalism at SAP, in a recent Forbes blog. SAP, headquartered in Walldorf, Germany, with U.S. operations in Newtown Square, Pa., is one of the world's largest application security vendors.

Intruders are increasingly targeting the application stack for exploitation, according to the “Cisco 2015 Annual Security Report”. Cisco says the rise of cloud apps and the ubiquity of do-it-yourself (DIY) open-source content management systems (CMS) has created a landscape of vulnerable websites and SaaS offerings. Underlying systems/networking layers managed by IT operations may withstand malicious attacks, but application-level components built by developers are often riddled with vulnerabilities.

What's the disconnect between software development and security?

“The SANS Institute 2015 State of Application Security Report” states that many information security engineers don’t understand software development—and most software developers don’t understand security. Developers and their managers are focused on delivering features and meeting time-to-market expectations, rather than on making sure that software is secure. SANS indicates only a small amount of security testing is done by the development team (21.6 percent) or quality assurance personnel (22.percent) – while the internal security team accounts for most (83.2 percent).

Exactly what type of poor software development practices are going on?

CNET recently reported that programmers are copying security flaws into your software. Programmers don’t write all of their code. They routinely borrow code from others, and they’re not checking the code for security flaws. This widespread practice opens the door for hackers to have broad impact with just a few exploits.

Why is this happening?

“The security industry is overly focused on testing and scanning for known vulnerabilities in software after it’s been released, and under-focused on poor software development practices that lead to vulnerable applications that hackers can exploit,” says Frank Zinghini, CEO of Applied Visions, Inc., a software development company providing solutions in cyber security, business applications, and command and control systems to government and commercial customers worldwide. “Application security has to be part of the early stages of the SDLC (software development lifecycle); not tacked on at the end when finding and fixing the vulnerabilities is far more costly,” adds Zinghini.

Is there a remedy?

In a recent CIO Journal, published by the Wall Street Journal, James Kaplan, a partner at McKinsey & Co. and co-author of “Beyond Cybersecurity: Protecting Your Digital Business”, said: “A far better model (for software development) would be if you were teaching your developers how to write secure code, were including security architects in the development process from day one of the project, and investing in tools for secure development. Then you have many fewer flaws at the end of the process.” He added, “Most developers have not been trained on secure coding practices.”

Are corporations planning to beef up their application security?

More than half of respondents to a SANS Institute survey expect spending on application security programs to increase over the next year (more than a quarter expect spending to increase significantly), and only 3 percent expect to spend less.

Do startups stand a better chance?

Bessemer Venture Partners (BVP) – one of the most well-respected tech industry venture capital firms – authored a white paper that states application software development is the most critical business function in the early days of most startups today. The paper states “the most important feature of secure development is written and periodic in-person (security) training by your senior developers” and “the second basic feature of secure development is source code analysis – the automated discovery of vulnerabilities”. Arguably, startups stand a better chance to get it right since they are not burdened with legacy applications the way most large corporations are.

Who can help?

Application testing and security is big business, and there are many vendors and service providers specializing in the field. According to market researcher ReportsnReports, North America is the largest market for security testing services. Markets and Markets expects this market alone to grow from $2.47 billion in 2014 to $4.96 billion by 2019, at an estimated Compound Annual Growth Rate (CAGR) of 14.9 percent from 2014 to 2019.

Major vendors who play in the application security space include IBM (AppScan) and HP (Fortify). Veracode provides application scanning and protection in the cloud. Checkmarx is a leading SAST (static application security testing) and DAST (dynamic application security testing) vendor. Code Dx, Denim Group, and a handful of others provide niche solutions that integrate with the major vendors. High-Tech Bridge provides the ImmuniWeb service, which combines web application scanning with live bodies who provide penetration testing services. PwC recently signed a deal to provide the ImmuniWeb service to its clients.

Do your own research and you'll find dozens of application security vendors. But the better starting point might be a consultant or services company who can help you get a better handle on the application threatscape - and how to approach the unique application security needs of your enterprise.