In a DevSecOps pipeline, at which stage is it most cost-effective to identify and remediate security vulnerabilities?