There’s no such thing as “done” with application security

If you’re like most companies in the software business, you’re relentlessly developing new features, streamlining workflows and improving the user experience. But every single change to your platform also changes how you might be attacked. As you develop new code, you’ll almost certainly inject new vulnerabilities. Those need to be addressed. 

Technology evolves so quickly that it requires you to constantly revisit your security to stay ahead of new vulnerabilities. The process never ends. As one director of application security described it, “Once you know the rules, the game changes.” 

The best way to deal with this is to treat security as a cycle, a process that continually repeats. However, many people tend to think of security as a one-and-done process, something that is linear with a start and finish, after which it doesn’t need attention again.

But that’s wrong. Security is not a line; it’s a loop.

The only constant is change

Change is inevitable. 

For example, your customers’ demands change. Sometimes they require new security controls. Sometimes they want to change their model, such as moving from software that is hosted on-premises (which runs at their physical site on computers they own and control) to software that is cloud-hosted

Read More: https://resources.infosecinstitute.com/topic/theres-no-such-thing-as-done-with-application-security/