When you think about building security into your web application, the first thing that likely comes to mind is penetration testing.
It's easy for a team to build something, look back at it, and spot its flaws (after all, hindsight is 20/20, as they say). But testing a finished application is also the most expensive point at which to find vulnerabilities, because every fix then has to go back through design, development, testing and release. The earlier you start building security into your web application, the cheaper and easier it is to get right.
Investing in secure coding training for your developers can significantly reduce the number of vulnerabilities found by dynamic application security testing (DAST), and with it the effort required to fix each one.
Similarly, reviewing the application source code before it is pushed to production benefits you in a few different ways:
- It keeps critical vulnerabilities out of production.
- It finds vulnerabilities before any penetration test, when they are cheaper to fix.
- It shows where your developers would benefit from effective, targeted training.