Our company is working on a strategy to offer our SSDLC (secure software development life cycle) and they're looking to me for help understanding when and how to include security controls in the process.
The only security controls I've worked with so far are DoD controls. Because we want this process to apply to non-DoD customers, I'm looking into other controls such as NIST. I just started reading publication 800-53, "Recommended Security Controls for Federal Information Systems".
I'm not sure if that's the right publication, but it will certainly lead me to the answer.