Security cannot be bolted on at the end of a project; instead, it must be considered throughout the process. It’s better, faster, and cheaper to integrate security into your system development lifecycle. All the tools and approaches you need are readily available, most for free.
* Security is an emergent property of the overall quality of a system. CISQ, led by OMG, does a great job of explaining how security and quality are tightly integrated.
* Security must be fully integrated in to the SDLC. Microsoft’s SDL is a great approach to doing so but you can roll your own approach as well.