If you want to get clear on the best strategy for software security in your organization, you must first get clear on the problems. Many organizations identify the problems as cryptography, insecure SSL practices, or authentication issues.
Mistaken beliefs about software insecurity have far more impact than the most prevalent individual vulnerabilities that you’ll find on the OWASP Top 10 or SANS Top 25. These lists are the industry’s way of visualizing the problem. However, the cause of the infection lurks beneath the surface and needs deeper analysis before it can be treated. If you keep fixing the visible signs of the problem without understanding the root cause, your efforts will never be successful.