An organization’s software development team and process determine the attributes of its code. A well-designed process will lead to better software, and the particulars of that process will drive specific attributes in the output. If developers are well-trained in application security and static application security testing (SAST) tools are used routinely, more-secure software is the likely result.
A well-designed process is table stakes, but what’s on paper may not be what’s in practice. Only a well-governed and well-disciplined organization can stick to best practices. Too often, business pressures can drive development awry. Of course, a full security code review makes sense, but when the project is behind and the deadline for the release is looming, will the team stick to the plan? Often they don’t, and the shortcuts they take accumulate as “technical debt.”