16. Assess in real time and impose assessor SLAs
When integrating technical assessors into the SDLC, it is important for them to assess implementations and monitor security vulnerability scan results as they happen - not in large batches after the fact. It’s not only fair to product teams, but encouraged to impose an SLA on assessors to ensure they don’t resort back to the “slow is secure” mentality. If they can’t meet their SLAs, it might be time for continuous improvement (process improvement, automation, etc.) or to hire more assessors.