Trying to improve the security of applications development spread across the globe is no easy task, he said, but with the help of some new tools the effort is making headway.
"We don't have the software development budget of Amazon.com or eBay, it's an incremental process, but we've found that developers are responding more positively to security assessment reports than we had originally imagined," Geimer said.
"When it comes down to it, these people don't want to develop insecure code or get their Web sites defaced," he said. "The first phase is to fix issues before they reach production, and to do that we're trying to drive secure tools and methods into their hands."
One of the technologies USAID is arming its developers with is Atlanta-based SPI Dynamics' Assessment Management Platform (AMP), used to track and measure Web applications security risks.
Brian Cohen, chief executive of SPI, said that his company has been trying to sell its applications testing tools to developers for over two years, but he has only seen adoption begin to grow significantly since mid-2006.
Prior to that time, the only consistent demand for the technology came in the form of partnerships with software development platform providers including IBM, Mercury and Microsoft, he said.
"The message just didn't resonate with end users unless it was something built directly into one of the popular development platforms," Cohen said. "Now we're finally seeing more development groups ask for this technology for themselves; at a high level, organizations would prefer just to block vulnerabilities after the fact, but they've finally learned that they can't afford to maintain that type of approach."
Despite the growing predisposition toward the use of secure development automation tools among businesses, the ages-old question of what types of problems should be handled by software designers -- and which should be tackled by IT security specialists, remains a stumbling block, according to the executive.
"There's still a lack of understanding among security workers and development teams as to who is responsible for what," said Cohen. "But hopefully we'll see experience and education lead to new progress in that area as well."
Mike Weider -- founder and chief technology officer at rival Web application security testing tools vendor Watchfire, Waltham, Mass. -- said that targeted attacks against online transactional and customer service systems at retailers and financial services companies have served as a wakeup call.
With the fear of having their Web sites hacked and facing sharp criticism from regulators and customers when things go wrong, companies are finally embracing vulnerability testing applications designed specifically for use by developers, he said.
In mid-April, Watchfire added features in its new AppScan 7.5 release aimed specifically at users in the development realm of Web applications quality assurance.
Tired of paying high-priced consultants to ferret-out vulnerabilities on a cyclical basis, more large organizations than ever are creating security testing teams within their software development departments, he said.