Kuehlmann: There is a tension if the organization is not set up properly. You see this very often in organizations where the security team is separate from the development team. Where security is kind of an afterthought, and the security team performs some security testing after the development process. This typically results in a kind of race: The development team is ready, features are complete, they are ready to ship. And then the security team comes in: Oh no no, you know, there is a vulnerability, and they do code review and find all kinds of issues. Our experience is: you need to move it to the developer. You need to enable the developer early on to address security issues as they code.
Smart2zero: In a nutshell: The earlier in the process it is discussed and understood, the better the chance of having high-quality and secure software in the end. And the cheaper it is to find out if there is a kind of vulnerability.
Kuehlmann: Right, right. Exactly right.