Security Touchpoints

All software projects produce at least one artifact: source code.

Just as you can't test quality into software, you can't bolt security features onto code and expect it to become hack-proof. Security must be built in throughout the application development lifecycle. Software security touchpoints are based on good software engineering and involve explicitly pondering security.

The Cigital "Software Security Touchpoints" show how software practitioners can apply specific activities to the various software artifacts produced during software development. This means understanding how to work security engineering into requirements, architecture, design, coding, testing, validation, measurement, and maintenance.

Seven Security Touchpoints graphic

Attacks do occur, regardless of the strength of design and implementation, so monitoring software behavior is an essential defensive technique. Knowledge gained by understanding attacks and exploits should be cycled back into software development.

Bonus touchpoint: External analysis (outside the design team) is often necessary when it comes to security.

We have barely begun to apply solutions. But if you have properly trained staff who can apply the seven terrific touchpoints outlined here, you'll be making a solid start toward secure software.


