Butler Group analyst Maxine Holt said, to be effective, testing processes should be built into a project from an early stage.
And there needs to be a carefully controlled change management programme to ensure that any changes in design are fed back into the testing process.
"The test script should be developed early on. That means you have your required objectives for the project and you make sure those outputs are being achieved," she said.
Commercial automated testing tools can be helpful, but they need to be used with care, said Daniel Dresner, security consultant at NCC.
"You have to realise that whatever changes you make to the system can affect the test tools. If you set up a test sequence based on a certain design of software and you change your software, the testing sequence is not valid," he said.
It is important not just to test the update you have made to a website, but to check that the update has not affected other parts of the website. This means regression testing - running predefined data through the system to check that it produces the outputs you expect from previous runs.
Financial services firms can add further protection to their sites with application security firewalls. These devices can detect and block unusual activity, said Dresner.