If you ever get to finish these tests before someone from marketing says that it has been enough and that you should stop so they can launch their product - and who cares if it isn't secure, all the other websites aren't secure either and they don't get blasted for it; people just accept that you put code on the web built with methods that would make planes crash and nuclear installations explode if they were used there -
then there is something that should be done, even when the code is already online because you couldn't stop this big data tanker from going online even if it will be leaking data all the way (but as long as the press doesn't know, who cares?).
"The ugly truth is that unless you have someone who not only understands what the code should do under normal conditions - but also what it should never do, you will continue to have applications with security issues. This is why automated scanners fail. This is why static analysis tools fail. This is why penetration testers can still fail - unless they're thinking outside the code and thinking in terms of application functionality and performance.
The reality is that for those applications that simply can't easily fail - you not only need to get it tested by some brilliant security and development minds, but also by someone who understands that beautiful combination of software development, security, and application business processes and design. Someone who looks at your application and says: "You know what would be interesting?"..."
This is when it really becomes interesting.
It would have been even more interesting if this kind of guy had been included in the process from the beginning, and not only when everything is finished.