In traditional waterfall development, system security is largely an afterthought. It's a "nonfunctional requirement" that, like quality assurance, is often tacked on at the end of system development. DevOps-minded shops have security engineers working side by side with developers, embedding their recommendations much earlier on in the process.They build security into the product, not at the end.