Microsoft’s Trustworthy Computing Initiative involved retraining loads of developers to code with security in mind. Whilst Microsoft's secure development methods generally follow the traditional waterfall approach, take a closer look at the activities immediately preceding release. “During the release phase, the software should be subject to a Final Security Review (‘FSR’). The goal of the FSR is to answer one question. ‘From a security viewpoint, is this software ready to deliver to customers?’ The FSR is conducted two to six months prior to software completion, depending on the scope of the software. The software must be in a stable state before the FSR, with only minimal non-security changes expected prior to release.” In your organization, does independent security testing occur 2 to 6 months before release?! Of course, even this method is not absolutely perfect: at least one buffer overflow vulnerability in Word somehow slipped through the net.
More security-development integration resources