We want to weave security into the entire development lifecycle.
That means we need a goal: what is security? What are the objectives of secure software? What are the standards we expect?
The first step is to create a security strategy roadmap: we need to pay attention to security during each phase of the project and continually re-assess the risk as we go through the development lifecycle, since with each phase the risks become clearer and clearer.
We also want to have each component security-tested.
The NIST Secure Software Development Framework starts with preparing the organization. This means having policies, training and standards that will help the development projects.
Protect the software: from unauthorized access or modification.
Produce well-secured software: minimize vulnerabilities.
Respond to vulnerabilities: handle reported vulnerabilities in an appropriate manner.
Then, we want to mandate adherence to standards and policy. All software must be secure, as even the smallest could be used as an entry point to internal networks.
A security culture is required, as security is everyone’s job. We also want a requirement to pass security audits before product acceptance and release to production.
See also Incorporate Security into the SDLC