David Lacey mentions the importance of embedding security into the SDLC in his blog. It’s a view I completely support and frequently see the positive impact on risk status between those products with an embedded process and those that don’t.
Implementing embedded security within the SDLC does not have to be a complex process. In fact, quite the opposite in my opinion. Making the process simple and transparent is the key to success but getting acceptance within large development groups, used to operating in a particular way, is never going to be easy.
The best technical resource that I would recommend is “The Security Development Lifecycle” by M Howard. You can buy it here on Amazon.
But as usual it comes down to how well you can communicate the benefits. Just about every developer and manager I talk to is open to the concept but in practice the pressures of delivery and costs are seen as being overwhelming. So my advice is to set small, achievable objectives rather than to try to rush headlong into a new all-encompassing process. It’s working for me here.