SecPrep

How do security requirements, abuse cases, and OWASP ASVS fit into the SDLC?

Most vulnerabilities are missing requirements, not coding mistakes — so security belongs at the requirements stage. Abuse cases (a.k.a. misuse cases) flip user stories: 'as an attacker, I want to replay this token,' forcing teams to design controls up front. OWASP ASVS provides a leveled, testable requirements baseline (L1 basic, L2 most apps, L3 high-assurance) you can assign per app by risk tier and verify against during review and testing. Together they make security verifiable and consistent rather than ad hoc: requirements define what 'secure enough' means, abuse cases stress the design, and ASVS gives the checklist that maps to test cases.
