Security cannot be bolted on at the end of a project; instead, it must be considered throughout the process. It’s better, faster, and cheaper to integrate security into your system development lifecycle. All the tools and approaches you need are readily available, most for free.
* Security is an emergent property of the overall quality of a system. CISQ, led by OMG, does a great job of explaining how security and quality are tightly integrated.
* Security must be fully integrated into the SDLC. Microsoft’s SDL is a great approach to doing so, but you can roll your own approach as well.