views: 94
answers: 5
I need to build a small web app that will ultimately need to be launched via SSL.

My question is, can I design and test it as if it was an ordinary application and only later add whatever is necessary to make it secure? Or do I have to test it over SSL right from the start?

+4  A: 

You'll be fine waiting on the SSL while you develop your app. Be careful not to hard-code any http:// URLs, and I don't think you'll run into any problems for the bulk of your development. Just make sure you do plenty of testing after making the switch to SSL before going live.

derekerdmann
+2  A: 

Besides http URLs, watch out for port numbers: your https traffic will not be on port 80.

Steve Robillard
+4  A: 

You can test with non-SSL, but there are a few things to watch out for. If you're loading images or components (like a CAPTCHA, for example) off third-party sites, you'll want to make sure you can call them over SSL. Sometimes a tracking pixel for web analytics software can cause pain here too.

Rob Cooney
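The third-party-resource problem above is what browsers flag as mixed content: a page served over https that pulls an image, script, stylesheet or frame over plain http. The scanner below is an added example (not Rob Cooney's code); it walks a constructed sample page with Python's standard-library HTML parser and lists every sub-resource whose URL is hard-wired to `http://`, which is the list you would have to fix (or switch to `https://` or scheme-relative `//` URLs) before the SSL cut-over. The hostnames in the sample are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that cause the browser to fetch a sub-resource.
FETCH_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "form": ("action",),
}


class MixedContentScanner(HTMLParser):
    """Collect sub-resource URLs that would be fetched over plain http."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for attr in FETCH_ATTRS.get(tag, ()):
            url = attr_map.get(attr)
            # urlsplit lower-cases the scheme, so "HTTP://" is caught too.
            # Relative ("/x") and scheme-relative ("//host/x") URLs have no
            # scheme and inherit the page's, so they are not flagged.
            if url and urlsplit(url).scheme == "http":
                self.findings.append((tag, attr, url))


def find_mixed_content(html):
    """Return [(tag, attr, url), ...] for every plain-http sub-resource."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; hosts are placeholders, not real sites.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="http://analytics.example.test/track.js"></script>
</head><body>
<img src="//images.example.test/logo.png">
<img src="/captcha/image?id=123">
<img src="http://captcha.example.test/image?id=123" alt="captcha">
<iframe src="https://maps.example.test/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"<{tag} {attr}> loads over plain http: {url}")
```

Run it against rendered pages from the development build (the HTML the browser actually receives, after templates have run) rather than against template sources, so URLs assembled at runtime are covered as well.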
+2  A: 

Proxy all your requests through a non-https resource on your domain, especially if you are using AJAX calls. I ran into an issue (making AJAX calls from a non-SSL page to an SSL URL) a while back.

CodeToGlory
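Three of the answers above come down to the same mechanism: the scheme and port are part of the URL and of the browser's notion of origin, so a URL assembled with a literal `http://` (derekerdmann), an assumed port 80 (Steve Robillard), or a page on one scheme calling an API on another (the AJAX failure CodeToGlory describes) all break when SSL is switched on. The added example below is not from any of the answerers; it shows, in Python, how to build absolute URLs from the request's own scheme, host and port (taken from a WSGI environ, using the PEP 3333 keys), how the browser's same-origin comparison treats scheme and default ports, and a simple scan for hard-coded `http://` strings in source. The hostnames and the sample source are constructed.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def absolute_url(scheme, host, port, path):
    """Build an absolute URL from the request's own scheme/host/port.

    The port is written out unless it is the default for that scheme, so
    the same code works on http:80, https:443 and https:8443 alike.
    """
    scheme = scheme.lower()
    if port is None or port == DEFAULT_PORTS.get(scheme):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def url_from_environ(environ, path):
    """Derive scheme/host/port from a WSGI environ instead of hard-coding them."""
    scheme = environ.get("wsgi.url_scheme", "http")
    host_header = environ.get("HTTP_HOST")
    if host_header:
        host, _, port = host_header.partition(":")
        port = int(port) if port else None
    else:
        host = environ["SERVER_NAME"]
        port = int(environ["SERVER_PORT"])
    return absolute_url(scheme, host, port, path)


def origin(url):
    """(scheme, host, port) as a browser compares it; default ports normalised."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname, port)


def same_origin(url_a, url_b):
    """True only if scheme, host and effective port all match."""
    return origin(url_a) == origin(url_b)


# Quoted string literals that start with http:// in source code.
HARDCODED_HTTP = re.compile(r"""['"]http://[^'"\s]+""")


def find_hardcoded_http(source):
    """Return the http:// string literals found in a chunk of source text."""
    return [m.group(0).strip("'\"") for m in HARDCODED_HTTP.finditer(source)]


# Constructed sample source; the URLs are placeholders.
SAMPLE_SOURCE = '''
API_BASE = "http://app.example.test/api"   # hard-coded scheme: breaks under SSL
CDN = "https://cdn.example.test"           # already https
LOGIN = url_for("login")                   # built from the request: fine
'''

if __name__ == "__main__":
    env = {"wsgi.url_scheme": "https", "HTTP_HOST": "app.example.test:8443"}
    print(url_from_environ(env, "/login"))
    print(same_origin("http://app.example.test/page",
                      "https://app.example.test/api"))
    print(find_hardcoded_http(SAMPLE_SOURCE))
```

`same_origin` returning False for an http page and an https API on the same host is exactly the case the browser refuses for a plain XMLHttpRequest, which is why an endpoint on the page's own origin avoids it. The regex scan is deliberately crude; it is a pre-cut-over sanity check, not a substitute for running the app over SSL.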
+3  A: 

My question is, can I design and test it as if it was an ordinary application and only later add whatever is necessary to make it secure? Or do I have to test it over SSL right from the start?

If by "whatever is necessary to make it secure" you mean enable SSL, then sure, go for it. But if making it secure requires other things such as authentication, authorization, role-based access and what-not, then no. The conventional wisdom is to include security at all phases of development because you can't just "switch it on" at the end. Most of the issues in implementing a secure system with a rich set of access controls won't occur to you unless you are actually testing the core functionality while restricted by those controls and also have the opportunity to test both the "happy path" and the "unhappy path" through the code.

T.Rob
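To make the "happy path / unhappy path" point concrete, here is an added example (not T.Rob's code) of the kind of access control that cannot be bolted on later: a deny-by-default role check plus an object-level ownership check, exercised by a small access matrix that deliberately includes the denied cases. The handlers, roles and the `ORDERS` record are hypothetical stand-ins for the small app in the question.

```python
import functools


class Forbidden(Exception):
    """Raised when the caller lacks the required role or ownership."""


class Principal:
    def __init__(self, name, roles=()):
        self.name = name
        self.roles = frozenset(roles)


ANONYMOUS = Principal("anonymous")


def requires_role(role):
    """Decorator: refuse the call unless the caller holds `role` (deny by default)."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(principal, *args, **kwargs):
            if principal is None or role not in principal.roles:
                who = getattr(principal, "name", "anonymous")
                raise Forbidden(f"{who} lacks role {role!r}")
            return handler(principal, *args, **kwargs)
        return wrapper
    return decorator


# Hypothetical data store for the example.
ORDERS = {1: {"owner": "alice", "total": 42}}


@requires_role("customer")
def view_order(principal, order_id):
    order = ORDERS[order_id]
    # Holding the role is not enough: the caller must own the record
    # (or be an admin). Skipping this is a classic unhappy-path gap.
    if order["owner"] != principal.name and "admin" not in principal.roles:
        raise Forbidden(f"{principal.name} does not own order {order_id}")
    return order


@requires_role("admin")
def refund_order(principal, order_id):
    ORDERS[order_id]["refunded"] = True
    return ORDERS[order_id]


def run_access_matrix():
    """Run both allowed and denied cases; return {case_name: 'allowed'|'denied'}."""
    alice = Principal("alice", {"customer"})
    bob = Principal("bob", {"customer"})
    root = Principal("root", {"admin"})
    cases = {
        "alice_views_own": (view_order, alice, 1),
        "bob_views_alice": (view_order, bob, 1),    # same role, wrong owner
        "anon_views": (view_order, ANONYMOUS, 1),   # no role at all
        "alice_refunds": (refund_order, alice, 1),  # lacks admin
        "root_refunds": (refund_order, root, 1),
    }
    outcomes = {}
    for name, (handler, who, order_id) in cases.items():
        try:
            handler(who, order_id)
            outcomes[name] = "allowed"
        except Forbidden:
            outcomes[name] = "denied"
    return outcomes


if __name__ == "__main__":
    for case, result in run_access_matrix().items():
        print(f"{case}: {result}")
```

The matrix is the part worth keeping around from day one: every time a new handler or role is added, a denied case is written next to the allowed one, so a missing check shows up as a test failure rather than as a surprise after the SSL switch.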