It turns out that less than 10% of vulnerabilities disclosed through June 2007 were targeted at Operating Systems. More than 90% of vulnerabilities targeted at the application layer. In his blog entry How Vulnearable are Software Applications?, S. Somasegar, Senior Vice President at Microsoft's Developer Division, addresses the Security Development Lifecycle (SDL) as a way softwae companies can address the threat.
He says, "All software development organizations need to really think about security as it relates to applications" And he's help lead Microsoft in his Developer Division that makes Visual Studio.
He explains, "The Microsoft SDL is the industry-leading software security assurance process. SDL has played a critical role in embedding security and privacy in Microsoft software and culture. Combining a holistic and practical approach, SDL introduces security and privacy early and throughout the development process"
For more information, see Security Development Lifecycle (SDL) on MSDN. Training materials and other resources are available at Microsoft Security Development Lifecycle (SDL): Training and Resources.