Ask HN: How does your company handle application security?

How does your company ensure the code you produce (or consume) is secure?

Do you have in-house security controls? Third-party penetration tests? Independent code audits? Bug bounty programs?

Do you forsake security entirely in favor of getting it shipped?