Which approach reflects integrating security activities into the software development lifecycle?

Enhance your NSF Specialist Training skills. Study with flashcards and multiple choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

Which approach reflects integrating security activities into the software development lifecycle?

Explanation:
Integrating security activities into the software development lifecycle means making security an ongoing part of how software is designed, built, tested, and deployed. By modeling threats during design, teams identify potential attacker goals and weaknesses early, guiding safer architectural decisions. Incorporating security testing into CI/CD brings automated checks into the build and deployment pipelines, so security is evaluated continuously as code changes, not clumped into a later step. This shift-left approach helps find and fix issues sooner, reduces costly rework, and embeds security into daily workflows. In contrast, waiting to address security in production, only doing security reviews after deployment, or removing security considerations from the design phase isolates security from the development process and increases risk and cost.

