From the information security perspective analyzing software risks means identifying vulnerabilities and implementing countermeasures as soon as they manifest in the software you build. Previous research shows that this is more cost effective then testing and fixing what is already being integrated in QA environment or catching and patching what is already being deployed in production. I wrote an article for the February 2008 edition of in-secure magazine with the intent to tell information security practitioners how to perform software risks analysis. In a nutshell software risk analysis means: identify common threats to web applications, find out the exposure to these threats caused from vulnerabilities due to insecure software and estimate the potential impacts derived by exploiting such vulnerabilities. I gave a few examples on common web application threats, how and where vulnerabilities can be identified, the root causes in insecure software and the implementation of countermeasures: http://www.net-security.org/dl/insecure/INSECURE-Mag-15.pdf
The next step after performing the software risk analysis is to document the basic software security requirements that you would like your software developers to follow when developing web applications. Both source code analysis and web application penetration testing will validate that such requirements are satisfied and that the risks posed by the vulnerabilities are mitigated before releasing the application to your customers.