Companies make the mistake, during this phase, of not including members of the IT security team in this process. It's our opinion that IT security should have input throughout the software development life cycle, lest a security issue surface later in the Web application development process--and what could have been a small problem is now a big problem.
Putting these types of processes in place is difficult work, and may seem onerous at first. But the truth is that the payoff can be huge: your applications will be more secure and your future security assessments won't feel like fire drills. There are software development life cycle models and methodologies that could help direct you, such as the Application Security Assurance Program (ASAP), which puts a number of guiding principles in place necessary for building secure code, including executive commitment, considering security from the beginning of Web application development, and the adoption of metrics to measure coding and process improvements over time. A good primer is The Security Development Lifecycle by Michael Howard and Steve Lipner (Microsoft Press, 2006).