The last twenty years have brought dramatic changes to computing architectures and technologies, at both the network level and the application level. Much has been done at the network infrastructure layer, with intrusion detection, anti-virus, firewalls, VPNs, Quality of Service, policy management and enforcement, Denial of Service detection and prevention, and end point security. This is necessary, but not sufficient—more emphasis must now be placed on designing security into applications and in deploying application security infrastructure. While network security focuses on detecting, defending, and protecting, application security is more concerned with enablement and potentially with regulatory compliance (Sarbanes-Oxley, HIPPA, GLB, ...