Citigroup, Sony, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the last year. No company or industry is immune. It doesn't matter if a business is in financial services, retail, education, gaming, social networking, government, telecom, media or travel. Daily headlines tell the stories of millions of lost credit-card numbers, millions of personal information records exposed, and gigabytes worth of intellectual property stolen. The net result – corporate losses in the hundreds of millions, sharp stock price declines, lawsuits, fines and costly downtime. All signs point to a worsening problem, but the big question is, "what can be done about it?"

Over the last 10 years WhiteHat Security has performed vulnerability assessments for hundreds of organizations on over 4,000 of the Internet's most important websites -- identifying the very same issues the bad guys routinely exploit. There is a tremendous amount to be learned from this volume of data. For example, by comparing the characteristic of highly secure websites versus the highly vulnerable we can identify the business practices that work best. Fundamentally, the answer to the software security question can be found through metrics. By carefully tracking and analyzing metrics, very particular key performance indicators (KPIs), an organization can determine where resources would be best invested.