I was reading a very good post about a Application Security Program implementation from George Hulme and saw something that is mentioned quite frequently in this field: don't try to boil the ocean when pushing security to your developers. It's kind of obvious when you read it, but there is an important question to ask when you assume that you'll prioritize on the most important apps and more critical vulnerabilities; what about the rest?

It's an extremely valid question, specially when you take a look at some recent breach stories. Take as example HBGary, who was breached through an SQL Injection in an app that wasn't considered "critical". I've seen dozens of similar cases, so we can certainly say that it's not that easy to dismiss non critical apps or vulnerabilities. So, if we can't leave them behind, does that mean we have to go with the "boil the ocean" approach?

Not necessarily. There are multiple options to tackle application security issues. Building a robust SDLC and having developers who understand security is certainly "the best" way to avoid vulnerable applications, but we cannot forget those other "reactive" alternatives, such as IPS, WAF (Web Application Firewalls) and other "silver bullet" boxes. So, if you want to prioritize your critical applications and  the most critical vulnerabilities in your SDLC, be sure to add some other control to deal with "the rest". That's all about protecting everything that can be exploited, but with different assurance/quality levels according to the importance of the assets and cost of controls.