If you look at the common security controls that we are building into our web applications, you'll notice that they often do not have a feedback mechanism which tells the developers how the controls are performing against real threats in a production environment.
This lack of feedback is a lost opportunity to gain a better understanding on real and imminent threats, which in turn could help developers to prioritize and improve their secure development efforts:
Discovering generic attack indicators to build security controls that require less maintenance and can be used in different parts of the application.
Being able to see design flaws and rebuilding parts of an application which are secure by design.
Building detection points that look for threat indicators and make the application respond defensively when a number of those detection points are triggered.
Utilizing this feedback to drive the security efforts of your development team is known as attack-driven defense.
As this form of defense seems to be rather uncommon, I would like to hear your thoughts as developers on this, especially regarding the possibilities and shortcomings you see with this defense model.
If you are keen to learn more on how to utilize detection points to make your application attack-aware, have a look at this article where I give a brief introduction to this concept: