In the current environment, it is wise to incorporate security into your software development lifecycle as early as possible. Historically, security checks were a pre-release gateway for a software team: if you passed, your product or service could go to production. At the same time, security checks used to require a code and environment freeze, while audit preparations led to chaos and a non-systematic approach to collecting important security documentation. All these elements created a bottleneck for the project team. However, a long wait for security testing results is no longer an option, since the typical project pace has increased significantly. Various project models suggest their own approaches for introducing security into software development.
For example, in the Spotify model, it is recommended to look for “security champions” - active members of a team with dotted-line reporting to a central Security Team. Classic scrum-based models assume that a project team and product owner are responsible for cybersecurity. The main question is how to achieve acceptable results since most developers are not security professionals and only a few have security knowledge. Consequently, each project requires dedicated security specialists.