The security mechanisms that are a responsibility of the application need to be system-tested properly. Any included authentication and authorization must be verified as part of the Continuous Delivery pipeline. This means that you should verify the functionality in automated tests, to not only verify it once, but continuously, after changes in the software.

It's especially important for security-relevant tests to include negative tests. For example, the test must verify that incorrect credentials or insufficient permissions do not allow you to perform specific application functionality.