How Do You Make Sure Security Practices End Up in Production?

In my previous post, "Why baking security into products is important", I examined the reasons for pushing security leftwards in your development process. Assuming teams do this, how do you ensure that the security elements added earlier in the development process actually end up in production? Or, more importantly, how do you ensure that nothing is in production that shouldn’t be there? In other words, how do you prove that your security and compliance process is achieving what it was intended to do?