There's a massive difference between having procedure up-front (staging, etc.) and just writing correct code.
For instance, properly escaping output, parameterized queries, password hashing -- all those don't require more work (or if they do, it's so, so minimal). I mean, jeez, you're writing the code, just do it right.
That's a far cry from setting up multiple servers, certificates, etc. and having a real operations process. I can forgive, say, not having automatic builds. But there's no excuse for having a SQL injection in 2012.
You're right and I agree. I just meant one may as well try and do it all properly from the outset since it really isn't all that hard/inconvenient and imho the pay-off is worth it. If you want to build a secure system part of that is putting some planning effort in to your architecture and dev process before you breakout your text editor and start coding like a maniac. If you're a one man band, it doesn't have to be too OTT. Make the dev and staging boxes virtual machines on your desktop, create a *.mytestdomain.internal self signed cert that works on a dummy internal domain, use Trello as a bug tracker, keep a list of who has access to what and why on Goodle docs, subscribe to a few key security and vendor mailing lists, write a simple bash or Fabric script to deploy your site, keep sensitive project related login codes in a truecrypt container on a USB pen drive etc. Simple stuff but it all helps.
For instance, properly escaping output, parameterized queries, password hashing -- all those don't require more work (or if they do, it's so, so minimal). I mean, jeez, you're writing the code, just do it right.
That's a far cry from setting up multiple servers, certificates, etc. and having a real operations process. I can forgive, say, not having automatic builds. But there's no excuse for having a SQL injection in 2012.