Often I hear phrases such as "if the application is truly built secure inside-out, then there is no need for other security layers". Calling an application "truly secure" is a far-fetched statement.
1. What is the application made of? - Complexity.
2. How was the application built? - Methodology.
3. Where does the application run? - Environment.
#1. Complexity - Applications are developed using one or more of open source software, third-party libraries, re-used libraries (from the past), middleware, databases and the run-time environment. To develop a truly secure application, we need to ensure the security of every one of these components that go into building it.
#2. Methodology - This is the development methodology employed to build the application. It brings up several issues: customization work, secure coding practice, outsourced development, offshore development, peer review, development tools, security requirements as a part of the design, source code scanning, threat modelling and penetration testing.
#3. Environment - Applications exist in an environment. This brings up several considerations, such as the operating system, virtual operating system (such as VMware), other applications that co-exist with this application, CPU hardware, storage, network and, lastly, whether the application runs behind the firewall or in the DMZ.
It is an overstatement to say that an application built using a secure development methodology is secure. All three factors (Complexity, Methodology and Environment) should be considered when making a judgement call about application security. The pragmatic approach is to build an application that is secure enough that the risks it poses are acceptable to the business (customer); this is what I would like to call "Application Due Care".




