Building Security into Software with Security Policies & Static Analysis
The common approach to securing applications is to try to identify and remove all of the application's security vulnerabilities at the end of the development process. However, this bug-finding approach is not only resource-intensive, it is also largely ineffective. To have any chance of exposing all of the security vulnerabilities that may be nested throughout the application, the team would have to identify every single path through the application and then rigorously test each one. And any error found would be difficult to fix, because the effort, cost, and time required to fix each one increase exponentially as the development process progresses. Most importantly, the bug-finding approach to security fails to address the root cause of the problem: security, like quality, must be built into the application.
For the complete article:
Building Security into Software with Security Policies & Static ...
For more information on SOA Security Appliances:
Check out the "official" SOA Appliance web site: www.soaappliances.com
Gary E. Smith
SOA Security Architect - Securing SOA in a Connected World