The most cost-effective and preventative long-term approach to software security is to build software securely from the outset. SDLC security is more than secure programming; it involves every aspect of the software development life cycle. Security should be involved at all phases, from the initial stages of requirements gathering and functional specification through design and development.
Using a maturity model such as OWASP SAMM (Software Assurance Maturity Model) or BSIMM (Building Security In Maturity Model), we assess the strengths and weaknesses across the complete development cycle, from IT governance down to technology and coding practices. We then recommend remediation approaches and assist in deploying new methods to support continuous improvement.
As part of an SDLC assessment we also perform code review, on either systems currently in development or specific applications, to gauge the most common areas of technical risk to your business.