Application Hardening


While we all try to implement security from the get-go, with security by design and defensive programming, software is constantly evolving. Packages fall out of support, encryption standards become deprecated, legislation changes, and real-world deadlines mean security technical debt builds as developers "stick it on the laterbase" (yep, a Johnson quote).

Clients and regulators will request unexpected penetration tests, the failure of which might invalidate their contract with you. I've worked with external CREST-certified penetration testing companies, focusing on web applications, APIs, and thick client applications to ensure robust applications, development practices, and server configuration that stands up to external scrutiny. I take the results of these reports and work with development teams to explain the findings, schedule the remediation work into upcoming iterations, and implement best practices going forward.

Dependency management has become a major security factor, especially in this era of package managers. I treat this as "ahead-of-time modernisation," keeping an eye on the horizon for upcoming dependency changes and factoring required work into the development team's delivery process.

Anecdotally, in a previous role I absolutely dropped the ball on keeping a dependency up to date, and the knock-on effect was grim. Not in terms of exploits, but a significant customer threatening to walk away unless it was solved in an emergency hot fix. This caused major disruption to the dev team, delivery schedules, and other customers. So I learnt that painful lesson the hard way.

I have successfully hardened various application architectures for organisations including the NHS and Geneva's municipal government, implementing security recommendations from independent CREST-certified assessments. Key implementations include securing authentication mechanisms through account lockout policies, eliminating verbose information disclosure in response headers, implementing granular database access controls, and replacing direct database connections with token-based authentication models.

Application hardening is about more than implementing OWASP guidelines, CORS policies, and server-side validation. It's about the overall deployment and configuration as well, and critically it transcends departments. It should be the focus of dev teams, product owners, and DevOps teams alike, so that developers are given the time to implement best practices, deployments are configured with the minimal permissions they require, and APIs are only exposed to their intended consumers.