By building application security into your automated development environment, he said, security "is initiated through events, rather than necessarily a phase where somebody at the end of the line, whose job it is to make sure that you didn't screw up and code a vulnerability," does the testing.