While assessing software systems of all types, a few common mistakes regularly come up. These aren't mistakes that lead directly to vulnerabilities, but mistakes in how some software companies think about security, which can lead to invalid assumptions. The three most common mistakes I see in software are:

Failing to understand the real attack surface of their application.

Involving an external security company too late in the product cycle. Security should be an early and often process, which reduces the time and cost needed to integrate security into the product.
Source: https://threatpost.com/thinking-about-software-security-holistically-123011/76044/

