As far as I know, tacking on security after the fact usually leads to issues.
It should be a primary concern from the beginning. Even if you don't do it 100% right, you'd be surprised how many issues you can avoid by thinking about this during (and not after) development.
Dropping your rights to open files as soon as possible, for example, or thinking about what information would be available to an attacker should they get RCE on the process.
Shoehorning in solutions to these things after the fact tends to be so difficult that it's a rare sight.
I have been recommended to think of security as a process rather than an achievable state and have become quite fond of that perspective.