You have to ask yourself: why is there so much bad code? How many times have you heard the statement to the effect of: 'if only the developers had built these applications with security in mind, we wouldn't have these security problems?' At the same time, the developers may say: 'We built to spec, give us security specifications and we will make it happen!'
This document is in PDF format. To view it click here.