Which concept involves reducing vulnerabilities by integrating security early in development?

Study for the CompTIA SecurityX Test. Equip yourself with comprehensive flashcards and multiple choice questions that include hints and explanations. Gear up for your certification exam!

Multiple Choice

Which concept involves reducing vulnerabilities by integrating security early in development?

Integrating security early in development means shifting security left in the software development lifecycle. Build Security In promotes embedding security practices from the design stage through coding and testing, so vulnerabilities are identified and remediated before release. This approach includes threat modeling during design, secure coding standards, and automated security testing integrated into the CI/CD pipeline, all aimed at reducing the attack surface and lowering the cost and effort of fixes later.

The other options touch on related topics but don’t capture this proactive, built-in approach. ISO/IEC 27034 focuses on governance and processes for application security rather than the practice of embedding security in the development workflow. OWASP provides resources and guidance on vulnerabilities and secure coding, but is not itself a formal approach to integrating security at development time. WSS refers to securing web services, which is a specific security domain rather than a broad strategy to weave security into development from the start.
