In software development there are 5 stages: Define, Design, Develop, Deploy, and Maintain.
OWASP has released a more general testing methodology. The question is when to test. Ideally, one tests at all stages of the SDLC (Software Development Life Cycle).
But at which stage is it optimal to test?
If one tests during development, then the effort can be modified as it is still being created.
If one tests during definition and design, some aspects may not become apparent until actual development.
Testing during deployment and maintenance is almost too late, although it has to be done either way.
In my opinion, maintenance and deployment security testing has to be done.
But if one can security test during development, one can affect the project for the better and create a truly secure application effort.