Security and Privacy in the SDLC really need to start with the requirements. There are non-functional business requirements that can
capture Security but, in some organizations, they are generally treated as afterthoughts for projects. By placing more emphasis on Security
and Privacy at the inception of a project, the team has a better opportunity to carry those concepts into the design/architecture
and the building of the code. Likewise, those components must then be tested accordingly by the QA team. Having a Requirements
Traceability Matrix helps the team track those requirements through each phase of the SDLC and better ensure that the product
built and deployed to production is what the business actually wanted. Due to recent breaches, it seems organizations are taking
a more serious approach to incorporating Security and Privacy into the SDLC; let's just hope the business buys into it as well.
"So this is how liberty dies - to thunderous applause" -- Padme (Star Wars - Episode III)
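The Requirements Traceability Matrix mentioned above can be checked mechanically rather than by eye. The following is an added example, not code from the original post: a minimal RTM in Python that links each security or privacy requirement to artifacts in the design, code, test and deploy phases, and reports any requirement that has not been carried through a phase. The requirement ids, phase names and artifact references are constructed for illustration and assume nothing about any particular project.

```python
"""Minimal Requirements Traceability Matrix (RTM) gap check.

Added example, not part of the original post. Requirement ids, phase names
and artifact references below are constructed for illustration.
"""
from dataclasses import dataclass, field

# SDLC phases that every security/privacy requirement must be traced through.
# Assumed names; adapt to the phases your own SDLC defines.
PHASES = ("design", "code", "test", "deploy")


@dataclass
class Requirement:
    req_id: str
    text: str
    category: str                        # e.g. "security", "privacy", "functional"
    # phase -> list of artifact references (design record, source file, test case, release)
    trace: dict = field(default_factory=dict)


def find_gaps(reqs, phases=PHASES, categories=("security", "privacy")):
    """Return {req_id: [phases with no linked artifact]} for requirements in `categories`.

    A requirement that appears in every phase is fully traced and is not reported.
    """
    gaps = {}
    for r in reqs:
        if r.category not in categories:
            continue
        missing = [p for p in phases if not r.trace.get(p)]
        if missing:
            gaps[r.req_id] = missing
    return gaps


def release_ready(reqs, phases=PHASES):
    """True only when every security/privacy requirement is traced end to end."""
    return not find_gaps(reqs, phases)


# Constructed sample matrix: two security requirements, one privacy, one functional.
SAMPLE_RTM = [
    Requirement("SEC-1", "Passwords are stored with a salted adaptive hash", "security",
                {"design": ["ADR-004"], "code": ["auth/hash.py"],
                 "test": ["TC-101"], "deploy": ["REL-1.2"]}),
    Requirement("SEC-2", "Sessions expire after 15 minutes idle", "security",
                {"design": ["ADR-007"], "code": ["session/timeout.py"]}),
    Requirement("PRIV-1", "Users can export and delete their own data", "privacy",
                {"design": ["ADR-009"], "code": ["privacy/export.py"],
                 "test": ["TC-210"]}),
    Requirement("FUNC-1", "Search returns results in under 2 seconds", "functional",
                {"design": ["ADR-010"]}),
]


if __name__ == "__main__":
    for req_id, missing in find_gaps(SAMPLE_RTM).items():
        print(f"{req_id}: not traced through {', '.join(missing)}")
    print("release ready:", release_ready(SAMPLE_RTM))
```

Run stand-alone, the script reports SEC-2 as untested and undeployed and PRIV-1 as not yet deployed, so `release_ready` is false; the functional requirement is outside the default categories and is ignored. The same structure extends naturally to a CSV or issue-tracker export, which is where a real matrix usually lives.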