10 Commandments Of Application Security


Application security leaders sound off on business process and technology imperatives for fostering better application security.

While application security cascades into just about every facet of IT security today, many enterprises have a difficult time implementing sustainable application security programs that offer measurable benefits to the business. A general disconnect between security goals and the profit motives of development teams can cause insurmountable conflict between infosec teams and developers, with line-of-business leaders all too ready to side with money-making dev teams nine times out of 10.

That is why so much of application security comes down to more than bolting on security technology and checking off OWASP Top 10 items. Many of the secrets to success involve smart politics, education and delegation among developer ranks, and championing improved business processes without disrupting the everyday workflow.

1. Thou Shall Execute App Security At The Speed Of Business

There's nothing worse for application security than the hubris shown when an expert tells developers or line-of-business leaders to completely re-engineer their processes for the sake of security, said Bill Pennington, chief strategy officer of WhiteHat Security.

...
Read full story on Dark Reading
