
Plan

The most important thing we can do before writing a single line of code is to clarify the division of responsibilities between us and the customer, as well as the classification of the solution and the data it handles. Which requirements does the customer have, and which requirements come from the government or other parties? Application security (AppSec) resources should already be part of the team in this phase to ensure that we meet security requirements and expectations.

We must also outline what we will do when a security incident occurs: what requirements we are facing, what is needed for successful disaster recovery, backup, and similar measures, and what the consequences of downtime will be for the customer.

DevOps process diagram - Plan