Grossman also recommends that organizations hack themselves in an effort to understand how attackers will approach their Web sites. Additionally, he says organizations need to understand their benchmarks: which vulnerabilities are most prevalent in their Web sites, what's their time-to-fix, their remediation percentage, average window of exposure, etc.
If you consistently see vulnerabilities of a particular type, like cross-site scripting or SQL injection, it's a sign that your developers need education in that issue or that your development framework may not be up to snuff. If your time-to-fix is particularly slow, it's a good bet that you have a procedural issue: your developers aren't treating vulnerabilities as bugs. If you consistently see vulnerabilities reopening, it suggests you have a problem with your "hot-fix" process: high-severity vulnerabilities get fixed quickly in production, but the change is not back-ported to development, so a future software release overwrites the patch.
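As an added example (not part of the article or of Grossman's material), the following Python computes those benchmarks from a constructed findings export and flags the three patterns described above; the record layout, the "as of" date and the thresholds are assumptions.

```python
"""Vulnerability-program benchmarks: prevalence, time-to-fix, remediation %, exposure, reopens."""
from collections import Counter
from datetime import date
from statistics import mean

# Constructed sample records, standing in for a scanner or ticket export (assumed layout).
FINDINGS = [
    {"id": 1, "class": "XSS", "found": date(2024, 1, 3), "fixed": date(2024, 1, 20), "reopened": False},
    {"id": 2, "class": "XSS", "found": date(2024, 1, 9), "fixed": date(2024, 2, 28), "reopened": True},
    {"id": 3, "class": "SQLi", "found": date(2024, 2, 1), "fixed": date(2024, 2, 5), "reopened": False},
    {"id": 4, "class": "XSS", "found": date(2024, 2, 14), "fixed": None, "reopened": False},
    {"id": 5, "class": "CSRF", "found": date(2024, 3, 1), "fixed": date(2024, 3, 2), "reopened": True},
]

def benchmarks(findings, as_of):
    """Compute the metrics named in the article, as of a given date."""
    fixed = [f for f in findings if f["fixed"] is not None]
    ttf = {}  # time-to-fix in days, grouped by vulnerability class
    for f in fixed:
        ttf.setdefault(f["class"], []).append((f["fixed"] - f["found"]).days)
    # Window of exposure: found-to-fixed for closed findings, found-to-today for open ones.
    exposure = [((f["fixed"] or as_of) - f["found"]).days for f in findings]
    return {
        "prevalence": dict(Counter(f["class"] for f in findings)),
        "remediation_pct": round(100 * len(fixed) / len(findings), 1),
        "time_to_fix_days": {c: mean(v) for c, v in ttf.items()},
        "avg_window_of_exposure_days": round(mean(exposure), 1),
        "reopened": [f["id"] for f in findings if f["reopened"]],
    }

def warning_signs(metrics, share_threshold=0.5, ttf_threshold=30):
    """Map the metrics to the process problems the article describes (thresholds are assumed)."""
    total = sum(metrics["prevalence"].values())
    signs = []
    for cls, n in metrics["prevalence"].items():
        if n / total >= share_threshold:
            signs.append(f"{cls} dominates ({n}/{total}): developer education or framework gap")
    slow = [c for c, d in metrics["time_to_fix_days"].items() if d > ttf_threshold]
    if slow:
        signs.append(f"slow time-to-fix for {slow}: vulnerabilities not treated as bugs")
    if metrics["reopened"]:
        signs.append(f"findings {metrics['reopened']} reopened: hot-fixes not back-ported")
    return signs

if __name__ == "__main__":
    m = benchmarks(FINDINGS, date(2024, 3, 15))
    print(m)
    for s in warning_signs(m):
        print("-", s)
```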
"Understand your software development cycle," Grossman says. "Understand where you're good, where you're bad and make your adjustments accordingly."
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com.