July 15, 2026
The Security Team Is Not a Gate
What I learned rolling out Application Security inside a large engineering organization

By Andrews Ferreira
5 min read
Most Application Security programs don't fail in the tooling. They fail two sprints after the tooling starts working.
You stand up a scanner. You wire it into CI. The dashboards fill up. And then, quietly, engineering learns to route around you. A build gets a waiver. A repo gets excluded "temporarily." A team ships through a pipeline nobody told you existed. The scanner is green. The program is already dead.
I've watched this happen more times than I'd like to admit, and the uncomfortable part is that the security team is almost never wrong about the finding. The rule was correct. The dependency really was vulnerable. The problem was never the finding. It was how the finding arrived, who had to deal with it, and whether anyone had earned the right to send it.
Developers don't resist security. They resist bad security engineering.
That sentence is the whole article. The rest is why.
Why AppSec programs fail
The default playbook optimizes for the wrong number. It optimizes for coverage — repos scanned, findings open, pipelines gated. Those are control metrics. They measure how much security you've imposed. They say nothing about how much security actually runs.
Here's the failure in a single motion: buy a scanner, turn it on everywhere at once, set it to break builds, hand engineering the backlog as their problem. Coverage hits 100% on the slide. Trust hits zero in the codebase. Same week.
Underneath it is a category error. Security acts like an approval authority — a gate you pass through — when the thing it's trying to change is an engineering practice. You cannot gate your way into a practice. Practices are adopted, not enforced. Enforce without adoption and you don't get security. You get very sophisticated avoidance. Engineers are exceptional at avoidance — it's the same muscle as optimization, pointed at you.
Why developers resist
The lazy explanation is that developers don't care. Across the teams I've worked with, I've met that developer maybe twice.
What I meet constantly is a developer with a full sprint, a deploy deadline, and a tool that just dropped 400 findings on them — no severity order, no exploitability, no hint of which twelve are real. That tool didn't hand them security. It handed them my triage. We automated the easy half — finding things — and shipped the hard half — deciding what's real — downstream, to the people with the least context to decide it.
Resistance to that isn't a culture problem. It's a correct reading of the incentives.
Then there's the false positive, which quietly does more damage to an AppSec program than any real vulnerability ever will. The first time a scanner breaks a build over noise, the developer doesn't lose faith in the rule. They lose faith in you. And they're right to — you spent their afternoon and handed back nothing. Credibility gets spent one finding at a time, and it does not come back at face value.
Developers also resist decisions made about their code without them in the room. A control that arrives as a mandate reads as security claiming ownership of something that was never theirs. Even a correct control feels like a trespass when it shows up that way.
What actually works
The shift is easy to say and hard to live: stop approving engineering's work, and start doing engineering's work with them.
A few concrete things.
Understand how the teams actually work before you ship a single control. Sit in planning. Learn the deploy cadence — daily, or once a fortnight behind a change board? Find the quality gates they already trust, because that's where security belongs: inside a gate they respect, not a new one you invented next to it. If a team already fails builds on coverage, your check speaks that language or it doesn't get spoken. Security that ignores the existing workflow will always feel bolted on, because it is.
Every organization wants to enforce on day one. Almost none are ready for it.
So don't. Start in report-only. Nobody's build breaks. You run the scanner and you say nothing to the teams yet — because the findings aren't fit to be seen by anyone but you. This buys the single most valuable thing in the whole rollout: a window where the cost of a false positive is paid by security, not by engineering.
Then own the triage. This is the part every struggling program skips, and it's the part that buys trust. Before a finding reaches a developer, security and the team have already worked through the questions that matter: is it reachable, is the sink exploitable here, is the vulnerable function even called. When it lands, it should already be defensible. Do that for a quarter and the meaning of a message from security changes — from "here's more unplanned work" to "this one's real, and I already checked." That reputation is the entire game. Guard it like production.
Prioritize by risk, not by the scanner's opinion. A critical on an internal tool behind three auth layers is not a medium on an internet-facing payment endpoint, and treating them the same tells engineering you don't understand their system — the one thing you cannot afford them to believe. Every time you ask a team to stop and fix something now, you draw from a budget. Spend it only on what moves real risk, and they'll keep funding it.
Do threat modeling as a design conversation, not an audit. The highest-leverage security work happens before the code exists — on a whiteboard, in forty-five minutes, at design review. You're not there to approve the design. You're there to ask where the trust boundaries are, what happens when this input is hostile, what this service can reach if it gets owned. Threat modeling done early makes engineers better at security. Threat modeling done as a release gate makes them better at scheduling around you.
Review architecture as an advisor before you're a requirement. Be the person who catches the auth flaw in the design doc and saves a team a two-week refactor. Useful first. The authority to require the review is granted after you've proven it's worth having — never announced.
And make every control survive one question: why does this matter. If a developer asks and the honest answer is "compliance says so," you've already lost the control — you just don't know it yet. Controls engineers can reason about get maintained. Controls they can't get disabled the first time they're in the way. The why isn't politeness. It's what keeps the control alive when you're not in the room.
Then — only then — start enforcing. Gradually. Not on everything. On new criticals, in code being changed right now, with the old backlog explicitly out of scope. You ratchet from there over months. Enforcement lands clean because by the time it arrives, it's confirming a standard the team already called reasonable — not imposing one they never agreed to.
What I'd tell a new AppSec lead
Reduce the cost of doing the right thing before you raise the cost of doing the wrong one. Both change behavior. Only one survives you leaving.
Never let a false positive reach a developer if you can catch it first.
Attach to the workflow that exists. Don't build a second one beside it.
Your "stop and fix this now" is a budget, not a right. Every low-value interruption you send costs you a high-value one later.
Be someone the engineers can name. The programs that work are run by security people who sit in the planning meeting and answer in the team channel the same day. AppSec is a relationship before it's a control set.
The part no dashboard shows
You can measure a program by coverage, open findings, mean time to remediate. Those matter. They're also all downstream of one thing no dashboard will ever show you: whether engineering trusts you enough to bring problems toward you instead of routing around you.
That trust is the asset. Everything else is instrumentation.
When it's there, developers tell you about the dangerous thing before they build it, and you get to fix it at design time instead of in an incident review. When it's gone, you get a green pipeline and a shadow one running right beside it — and you find out in the incident review.
The vulnerabilities were rarely the hard part. Getting the people who write the code to hand you the map — that's the job. Do it, and security stops being the gate everyone learns to climb over. It becomes the thing engineering builds with, because someone finally built it with them.