In a traditional approach, we think of security as something very explicit. Think of tasks that would be prioritized and implemented. We then probably look at the following list: attack vectors, 0-day exploits, web vulnerabilities, OWASP to create our backlog. Afterwards we would prioritize the backlog.

This way of working has the shortcoming of not being future proof. We focus our attention to known security problems and we try to mitigate them today. It also has the disadvantage of having your developers and everybody involved actively and explicitly thinking about security. Sometimes a problem is so difficult that it is very hard to actively think about security, somebody might forget something. Everybody involved in the project also needs to be a security specialist, everything we do has an impact on security. If we would change something in the project you would need to know what the security impact is for that particular change. This also means that we need to be aware of every concept into the application.