Today’s fast-paced software development landscape can often create friction between development teams and their application security (AppSec) counterparts. While everyone wants to create a safe and successful product, their approaches differ, and developers are pressured to deliver features quickly, while security teams are measured on their ability to minimize risk.  

No company can afford development speed and security as an either/or scenario. Both factors are essential for a reliable, safe end product. However, differences in background, mindset and objectives mean it can be challenging to get the two teams on the same page. 

Establishing AppSec champions is a path to having it both ways. These are developers who also have training and experience in security practices. They work as advocates for secure coding within their teams, grounded in a deep understanding of development practices, priorities and culture.  

Here, we outline five actionable steps to recruit, empower and support AppSec champions. 

Step 1: Recruitment — Finding the Right Champions  

The success of an AppSec champion program starts with selecting the right individuals. These candidates should be genuine volunteers with enthusiasm for the project, not people who have been ‘volun-told’ they have a new set of additional duties. If developers feel coerced, there is a high risk of weak engagement and poor outcomes.  

Instead, focus on attracting those who naturally show a security interest. Highlight the benefits of the role, such as personal growth, exposure to cutting-edge security practices and recognition within the organization. Getting managers from both development and AppSec teams on board is also important as it ensures that your champions have time to do this work alongside their other duties.  

There are a few ways of spreading awareness of the program and spotting your potential champions. Making an effort to actively engage with events, such as lunch-and-learn or interactive training sessions will drive more interest than something more passive like an email or chat room note. 

Use creative titles for sessions and encourage managers to promote these opportunities while granting their teams the bandwidth to engage. Developers who ask insightful questions, participate actively or consistently attend security-related activities often make strong candidates.  

Step 2: Engagement — Building a Security Culture  

Recruiting AppSec champions is only the beginning; sustained engagement is essential for success. Keeping your champions committed to the role requires ongoing support, meaningful opportunities for progress and a collaborative environment.  

One of the best ways to achieve this is to create a structured community (or ‘guild’, as we call it) where champions can regularly exchange ideas and learn from one another. 

Guilds meet regularly to discuss recent security incidents, emerging vulnerabilities and relevant tools or techniques. These meetings serve as a forum for collaboration and continuous improvement while fostering a sense of belonging among participants. The schedule varies depending on the company’s size, structure and needs — but anything from weekly to monthly works. 

Champions should feel genuinely embedded in the AppSec process. For example, they could receive early access to new security tools and developments, positioning them as key insiders who disseminate this knowledge within their teams. Additionally, encouraging participation in incident debriefs and internal security communities deepens their understanding and helps bridge the gap between security and development. 

Step 3: Teaching — Empowering Champions With Knowledge  

AppSec champions need a solid foundation of knowledge and skills to be effective advocates for security. Structured training programs will enable them to lead by example and mentor their peers. This training should go beyond theory, incorporating hands-on elements such as labs, whiteboarding sessions and real-world threat modeling. 

Secure coding and architecture practices, such as code review and bug fixing, are an obvious focus, along with learning to use AppSec tools effectively. However, development also needs to extend to other areas, such as understanding compliance with organizational and regulatory security policies and standards.  

Providing just-in-time (JIT) training ensures champions can address issues immediately within their development workflows. This approach minimizes disruption while reinforcing their skills. 

Finally, champions should be equipped to teach others, fostering a culture of shared learning within the development team. Regular refresher training ensures their knowledge remains current, sustaining their impact over the long term. 

Step 4: Tooling — Enabling Champions With the Right Resources  

Knowledge building is only half the picture; AppSec champions must also be equipped with the best tools for the job. The best solutions require minimal disruption, such as those embedded within integrated development environments (IDEs) or continuous integration (CI) pipelines. 

For instance, tools that perform automatic scans during pull requests or flag vulnerabilities directly within the code editor allow issues to be addressed early in the development lifecycle. This saves time and helps establish secure coding as an intrinsic part of the development process. 

Customized training will also help champions integrate AppSec processes into their usual development workflows. This includes understanding scan results, validating findings and configuring tools to meet project-specific requirements. By making these resources user-friendly and closely aligned with developers’ workflows, organizations empower champions to become proactive problem solvers, bridging the gap between security and development. 

Step 5: Recognizing and Rewarding — Sustaining Motivation  

Keeping up the enthusiasm levels of AppSec champions requires consistent recognition and meaningful rewards. Without acknowledgment, champions may feel burdened by the dual demands of their role, leading to disengagement or even resentment. Organizations can address this by publicly celebrating their contributions, such as during team meetings. Virtual badges and certificates can also be a nice touch, although they are best combined with more substantial rewards. 

Integrating their achievements into performance reviews or providing tangible incentives like security-related books, training or access to advanced tools can further reinforce their value. Importantly, time and attention from leadership — whether through direct feedback or involvement in decision-making — demonstrate appreciation and trust.  

Moving Toward Better AppSec Together  

AppSec champions are vital for bridging the gap between development speed and security. With passionate and proactive volunteers ready to experience and understand security, organizations can embed AppSec fully into their development processes. As long as your champions are supported and recognized for going above and beyond, the program will have a noticeable impact on the ability to produce safe, secure code without impacting the SDLC or risking missed deadlines.