Make it clear that security is a cost like any other in the SDLC
Security shouldn’t be seen as an “addition” to product development. It’s a part of it like all other activities and can be counted as a part of Quality Assurance, because nowadays customers demand high-quality products and safety is one of the elements defining quality.
Middle management is more eager to spend resources on security when they perceive it as a regular, necessary cost of software development, because there is never enough money and time to invest in “additional” activities. Security is often perceived as a no-ROI time-waster which adds complexity and slows down the development process. Unless you explain how and why security is important, you’ll have a tough time pushing security-related changes into an existing SDLC.