Security is a habit, not a phase. The builds we audit that go cleanly through a penetration test weren't harder to build than the ones that don't — their teams just carried a short list of non-negotiables that made the common classes of mistake impossible to ship.
The baseline
Every production deploy at Bluehall carries the OWASP ASVS Level 2 baseline: authentication with proper session handling, a Content-Security-Policy header, rate-limited endpoints, context-aware output encoding, parameterised queries, and dependency scanning in CI. That list has not changed much in ten years, which is exactly the point: the bug classes it closes (session fixation, XSS, brute force, injection, known-vulnerable libraries) have not changed either.
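Two of those controls side by side, as an added example (not Bluehall's code and not from the original post): the injectable query beside its parameterised form, and output encoding for an HTML context. The schema, sample rows and the attacker inputs are constructed for the demo; it uses only Python's standard-library sqlite3 and html modules.

```python
"""Parameterised queries and output encoding, vulnerable beside hardened.
Added example; schema, rows and attacker inputs are constructed here."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: untrusted text is spliced into the statement, so the
    # database parses it as SQL rather than as a value.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised: the value travels separately from the statement and is
    # never parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_row(name: str, role: str) -> str:
    # Output encoding: data bound for an HTML element body is escaped for
    # that context, so markup in a user-controlled field stays inert text.
    return f"<li>{html.escape(name)} ({html.escape(role)})</li>"


# Constructed attacker inputs.
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo() -> tuple:
    conn = make_db()
    leaked = find_user_unsafe(conn, SQLI_PAYLOAD)  # every row comes back
    safe = find_user_safe(conn, SQLI_PAYLOAD)      # no such user: []
    rendered = render_row(XSS_PAYLOAD, "user")     # tags are escaped
    return leaked, safe, rendered


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The unsafe variant hands back all three rows for a name that matches nobody; the parameterised one returns nothing, because the payload is compared as a string, not evaluated. The same discipline applies to output encoding: escape at the point of output for the context you are writing into, not once at input time.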
Past the baseline
Above the baseline, the priorities depend on the product. Handling payment data? Tokenise with your payment processor so raw card numbers never reach your systems and your PCI scope stays small. Storing health data? Keep PHI in a separate, audited data store with its own access-review cadence, so a compromise of the general application database does not expose it. Running agentic AI? Your threat model now includes prompt injection: any text the model reads from an untrusted source (a web page, an email, a document it was handed) is untrusted input, and it deserves the same treatment you give untrusted SQL, never executed as instructions and never allowed to drive privileged actions on its own.
