The document summarizes the results of a survey about application security and the responsibilities of developers. It finds that while developers feel personally responsible for security, many lack clear security policies and processes from their organizations to enforce standards. It also finds that security testing is often not automated and occurs late in the development cycle, and that testing of open source components, which make up a large portion of applications, is lacking. The survey suggests organizations need to define security policies and processes and integrate security testing earlier to help developers prioritize security.