IT security is about using software; application security is about creating it.
Just as with IT security, application security is everyone’s responsibility. Unfortunately, when everyone is responsible, sometimes no one is responsible—everyone thinks that somebody else took care of it. As Lily Tomlin puts it, “I said, ‘Somebody should do something about that.’ Then I realized, I am somebody.”
The security of an application is the culmination of decisions made at all the phases of development. Weaknesses can be introduced anywhere.
Just as with IT security, you can’t simply buy tools and apply them to the problem. It won’t do you any good to locate and eradicate code weaknesses if the design of your application has inherent weaknesses.
If you go the other way and do only threat modeling, you might eliminate some of your design weaknesses, but you might write horrible, buggy code when you implement that design. Let’s say you look at security in both the design and implementation phases of your application, and you find and fix both design and code weaknesses. That still won’t do you any good if you deploy the application on an inadequate container image.
And maybe you do everything right by incorporating security when designing, implementing, and deploying your application. Even so, if a new vulnerability comes up in one of the open source components you used in your application, you still have a big problem.
When we say that security needs to be part of every phase of software development, we really mean every phase, from design to maintenance.