Most security work starts after the code is written.
Ours starts at the theory — what is the language of this input, and can a machine accept exactly that language and nothing else? When it can, we build the parser that does it. When it can't, we tell you that, too.