In reviewing some information here and googling, it appears that "step 0" in securing our applications would be to perform a risk assessment. There, of course, seems to be no shortage of information on this topic, but I did have two questions:

1) Is risk assessment "step 0" in looking to secure, nay protect, our applications, or is there a step before this?

2) Besides the links I list below, has anyone come across a proven way to better protect their apps?

Site risk assessment - I thought it had some good general steps; page 3 has the "5 Steps": http://www.hse.gov.uk/pubns/indg163.pdf

Network Computing article on the subject: http://www.networkcomputing.com/1121/1121f3.html

U.S. GAO technical paper; page 7 has a good map, I think: http://www.gao.gov/special.pubs/ai00033.pdf

Any others, or advice on this topic? As we do not currently have anything in place, I believe we should start off with the basics of looking at risk and start reviewing our application and project charter against that. As you may be able to ascertain, we will be retrofitting security into our apps. TIA!