Clients (and agencies) need to understand the security risks before deciding which systems to use, but there does not appear to be a uniform standard for assessing the maturity of a web application. If we were able to apply the principles of the Capability Maturity Model to web applications, we would be able to develop a solid foundation for assessing the maturity of the software product itself.