Saturday, April 21, 2012

Security-aware Software Development Life Cycle (SaSDLC) - Processes and Tools


This article talks about a Security-aware Software Development Life Cycle (SaSDLC). Its main focus is on Next Generation Internet applications, but of course the content is helpful, I would say, to any type of application being developed.
The process is described as follows, and a tool was developed to help with it. Functional requirements are gathered using UML tools. Assets are identified, evaluated, and categorized. Misuse cases are identified taking STRIDE (Spoofing Identity, Tampering with Data, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) and CI5A (Confidentiality, Integrity, Availability, Authentication, Authorization, Accounting, and Anonymity) into account. An attack tree is developed with each misuse case as a node. Threats are then rated using DREAD, categorized as high, moderate, or low, and compared to asset values. High-value assets have to be secure, and if the threat is too expensive to address in-vivo (within the application), it doesn't need to be done in-vitro. The threats then become functional requirements, and the process is iterated. The article also discusses using security design patterns during development and the different types of testing that should be done.
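The rating and comparison steps above can be sketched in code. This is an added example, not the article's tool: the 1-10 DREAD scale averaged over five factors, the level thresholds, the rule for when a threat becomes a requirement, and all sample assets and misuse cases are assumptions constructed for illustration.

```python
from dataclasses import dataclass

STRIDE = {"Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege"}
LEVELS = ("low", "moderate", "high")

@dataclass
class MisuseCase:
    name: str
    stride: str           # STRIDE category of the misuse case
    asset: str            # asset the misuse case targets
    dread: tuple          # Damage, Reproducibility, Exploitability, Affected users, Discoverability (1-10)
    children: tuple = ()  # child nodes in the attack tree

def dread_level(case):
    """Average the five DREAD factors and bucket the result (thresholds are assumptions)."""
    if case.stride not in STRIDE:
        raise ValueError(f"{case.name}: unknown STRIDE category {case.stride!r}")
    if len(case.dread) != 5 or not all(1 <= v <= 10 for v in case.dread):
        raise ValueError(f"{case.name}: DREAD needs five factors in 1..10")
    score = sum(case.dread) / 5
    return "high" if score >= 7 else "moderate" if score >= 4 else "low"

def walk(node):
    """Depth-first traversal of the attack tree."""
    yield node
    for child in node.children:
        yield from walk(child)

def derive_requirements(root, asset_values):
    """Return (misuse case, threat level, asset value) for threats that become requirements."""
    reqs = []
    for case in walk(root):
        threat, value = dread_level(case), asset_values[case.asset]
        # Assumed rule: combined rank >= 2, so every threat to a high-value asset qualifies.
        if LEVELS.index(threat) + LEVELS.index(value) >= 2:
            reqs.append((case.name, threat, value))
    return reqs

# Constructed sample data, not taken from the article.
ASSETS = {"credentials": "high", "orders": "moderate", "help_pages": "low"}
TREE = MisuseCase("Take over customer account", "Spoofing", "credentials", (8, 7, 6, 8, 7), (
    MisuseCase("Guess weak password", "Spoofing", "credentials", (6, 8, 7, 5, 6)),
    MisuseCase("Alter order total in transit", "Tampering", "orders", (5, 4, 3, 4, 3)),
    MisuseCase("Flood public help page", "Denial of Service", "help_pages", (3, 5, 5, 2, 4)),
))

if __name__ == "__main__":
    for name, threat, value in derive_requirements(TREE, ASSETS):
        print(f"REQUIREMENT: mitigate '{name}' (threat={threat}, asset={value})")
```

The requirements returned here would feed the next iteration as functional requirements, as the process describes.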
