Case Study: The Skeptic
James Smith* was the manager of information security at a large healthcare company. After several years of running primarily penetration tests, plus a few limited source code reviews, James successfully made the case to internal IT leadership that security needed to come earlier in the software development life cycle (SDLC).
James had heard many people talk about the concept of a secure SDLC at a high level, but was having trouble planning concrete steps. What specifically should they change about requirements, design, development, and testing?
