Good Security Is Choosing the Right Security Tools
07/07/2008
By Mike Rothman, President and Principal Analyst, Security Incite
It's taken years, but finally organizations are starting to understand the
economic benefit of building more secure applications. The costs of fixing an
issue after software is deployed are an order of magnitude higher than doing
it when the software is being built. Thankfully, I don't get many arguments
about that anymore.
But it still leaves a general question: how early in the process should you
be thinking about security? The right answer is "as early as possible,"
but the real answer is, usually, "wherever you can." Thus, I'll start
with the obligatory plug for a secure development lifecycle, where security
is built into every step of the process.
Great, now that I've said that, we can talk about what will really happen.
You (presuming you are either a security professional or evangelizing the need
for application security) will face resistance. A lot of developers think security
is cool, until they learn their code is like Swiss cheese and secure coding
practices set them back two to three months. It's not so cool then.
We'll need to walk before we run, and that usually means doing some type of
code review. This means analyzing code to identify potential security
vulnerabilities before they can lead to breaches. You certainly could look
through every line of code you have manually. For most organizations, you should
probably set aside the next 200 years to take care of that. Yeah, that's not
really feasible.
So you'll need some automation, and that's where source code analysis tools
come in. This class of security product has been built to automatically analyze
your code and pinpoint areas of concern. The good news is that these tools will
find problems with your code. The bad news is that these tools will probably
find a lot wrong with your code -- and then you'll need to figure out
how to prioritize what gets fixed and what doesn't.
These products differ in a lot of ways. They range from simple, stand-alone
code analysis all the way up to a sophisticated
developer workflow that plugs into your existing IDEs and manages the entire
build/fix process from soup to nuts.