We've learned much about application security during its lifetime. We've honed assessment techniques and improved vulnerability discovery tools. This mastery hasn't resulted in secure software; it's piled up bugs. The recent push to place better testing tools in the hands of developers will do little more. It's time we _Fix the damned software_. It's time we _build security in_. It's time to _design securely_. Using experience and BSIMM survey data, we look at what this challenge means and how we can meet it today, with today's dev frameworks and tools, dev cultures, and security memes.