Examples of well designed and secure web applicati

Posted 2019-03-11 20:49

Question:

Most people would be aware of OWASP WebGoat or Foundstone's Hacme Books and Hacme Bank. These are deliberately insecure applications to teach beginners about common security vulnerabilities.

On the contrary, I have not been able to locate any application that is intentionally secure. Granted that no such application is completely secure, but are there any applications that would implement a collection of best practices that most other applications should follow?

PS: To clarify my needs, I'm looking for a 'secure equivalent' of WebGoat, or even better, a secure Pet Store application. Design tradeoffs for security that are discussed in a paper/website/blog would be a bonus.

PPS: This is now community-wiki, especially since there can/could be several right answers - this is not language specific.

Answer 1:

The OWASP Guide contains this information.



Answer 2:

I think a more interesting question is "can you show me code that can securely do X and Y" - reusable snippets of secure code that take some input and produce security-validated output.



Tags: security