"We don't have the software development budget of Amazon.com or eBay, it's an incremental process, but we've found that developers are responding more positively to security assessment reports than we had originally imagined," Geimer said.

"When it comes down to it, these people don't want to develop insecure code or get their Web sites defaced," he said. "The first phase is to fix issues before they reach production, and to do that we're trying to drive secure tools and methods into their hands."

One of the technologies USAID is arming its developers with is Atlanta-based SPI Dynamics' Assessment Management Platform (AMP), used to track and measure Web applications security risks.

Brian Cohen, chief executive of SPI, said that his company has been trying to sell its applications testing tools to developers for over two years, but he has only seen adoption begin to grow significantly since mid-2006.

Prior to that time, the only consistent demand for the technology came in the form of partnerships with software development platform providers including IBM, Mercury and Microsoft, he said.

"The message just didn't resonate with end users unless it was something built directly into one of the popular development platforms," Cohen said. "Now we're finally seeing more development groups ask for this technology for themselves; at a high level, organizations would prefer just to block vulnerabilities after the fact, but they've finally learned that they can't afford to maintain that type of approach."

Despite the growing predisposition toward the use of secure development automation tools among businesses, the ages-old question of what types of problems should be handled by software designers -- and which should be tackled by IT security specialists, remains a stumbling block, according to the executive.

"There's still a lack of understanding among security workers and development teams as to who is responsible for what," said Cohen. "But hopefully we'll see experience and education lead to new progress in that area as well."

Mike Weider -- founder and chief technology officer at rival Web application security testing tools vendor Watchfire, Waltham, Mass. -- said that targeted attacks against online transactional and customer service systems at retailers and financial services companies have served as a wakeup call.

With the fear of having their Web sites hacked and facing sharp criticism from regulators and customers when things go wrong, companies are finally embracing vulnerability testing applications designed specifically for use by developers, he said.

In mid-April, Watchfire added features in its new AppScan 7.5 release aimed specifically at users in the development realm of Web applications quality assurance.

Tired of paying high-priced consultants to ferret-out vulnerabilities on a cyclical basis, more large organizations than ever are creating security testing teams within their software development departments, he said.

"Many of these companies have thousands of applications and developers, and only small teams of security professionals available to do all the work necessary to track and remove all the errors, so security teams are reaching out to development to take on some of this daunting workload," said Wieder. "Everyone from the government to financial services firms and retailers are looking at the regulatory environment and seeing the writing on the wall in terms of being forced to take responsibility for breaches; this is pushing the work down to developers who are creating demand for new tools."

At least one Watchfire customer said that the availability of such security testing technologies is allowing it to make headway in instilling new secure coding practices among its developers.

"We used to hire a third party to do vulnerability assessment of production level code, then we would report their findings to the business units, and unless something was high-level it would just get put on a release schedule," said Ethan Stieger, chief security officer at automotive market intelligence firm Polk Global Automotive, based in Southfield, Mich.

"This technology allows us to fix things when they're being developed, which is the right way to do things, if you wait until production, that's a lot more invasive in environment, and the security issues are exposed to the outside world," he said. "We're still tying to sell this effort internally, but now we can do so on the commercial value of keeping potential attacks at bay."