War-time guide to application security for SaaS startups

For more than 8 years I've been dealing with application security. First few years as a software developer, fixing security issues, then as a security consultant - finding them and helping developers fix them too.
This talk is an essence of the conversations I had and lessons I've learnt from the cooperation with developers.

Using WWII stories I will tell you why:
- your IT security team (if you're lucky enough to have one) have to be as close to developers as possible
- penetration testing of your precious platform from time to time won't be enough to make it secure (surprise, surprise) and what would be
- offensive security trainings for developers are fancy (for some developers) but generally useless (for the rest of the developers) but security aware mindset is crucial
- IT security requirements (to the platform and in your SDLC) at some point will get your attention (if your SaaS will grow enough) and better treat them seriously

This talk is for anyone involved in software development to whom application security is either dear or is a potential problem and unknown.