The threats facing government agencies and enterprises today come from a variety of sources: individual attackers, professional organized crime groups conducting data-theft and bank-fraud operations, and nation-state actors engaged in corporate and international espionage. They have different backgrounds and motivations, but they share one common characteristic: they all prey on software vulnerabilities. Finding and fixing flaws in operating systems and applications has been an ad hoc process for decades, with software makers often prioritizing features and speed to market over fixing flaws during development and then scrambling to patch them after others have discovered them. But a more rigorous, repeatable approach is taking hold at some of the larger software vendors and private companies, one based on systematic threat modeling and disciplined development practices designed to find and eliminate potential vulnerabilities and attack surfaces before deployment. Much of this can be traced to an effort begun at Microsoft in 2001, and it has since spread and evolved to encompass dozens of organizations. This talk will discuss some of the methods used to build security into code from the beginning of the design process all the way through deployment, the use of a maturity model to assess the progress of software security programs, and data showing the success of such a program at one of the largest software vendors in the world.