25. Build in privacy, security, and abuse cases
Specify authentication, authorization, logging, privacy, consent, threat controls, misuse cases, data minimization, and breach-related requirements. You will treat security and privacy as requirements from the start, not late fixes.