In the early years of software development, you would often design it, build it, and only then think about how to secure it.
This was arguably fine in the days of monolithic applications and closed networks, when good perimeter-based protection and effective identity and access management would get you a long way towards minimising the risk. In today’s highly connected, API-driven application environments, however, any given software component or service can be invoked, and potentially abused, in many different ways. Add to this the increasing pace of change through iterative ‘DevOps-style’ delivery and ever-faster release cycles, and many understandably assert that security management and assurance nowadays needs to be an ongoing and embedded part of the development and delivery process.