Given the choice, every organization would want secure Web sites and applications from the Web application development phase all the way through the software development life cycle. But why is that such a challenge to attain? The answer is in the processes (or lack thereof) that they have in place.
While individual and ad hoc Web application security assessments certainly will help you improve the security of that application or Web site, soon after everything is remedied, changes in your applications and newfound vulnerabilities mean new security problems will arise. So, unless you put into place continuous security and quality assurance controls throughout the software development life cycle, from the initial phases of Web application development through production, you're never going to reach the high levels of ongoing security you need to keep your systems safe from attack—and your costs associated with fixing security weaknesses will continue to be high.
This document is in PDF format. To view it click here.