<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[AppSec Adventure: Blog]]></title><description><![CDATA[Weekly practical thoughts on building resilient AppSec systems.]]></description><link>https://blog.appsec-adventure.com/s/blog</link><image><url>https://substackcdn.com/image/fetch/$s_!vjEu!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0539c4d-cf0c-4ddd-9697-103967740b84_1280x1280.png</url><title>AppSec Adventure: Blog</title><link>https://blog.appsec-adventure.com/s/blog</link></image><generator>Substack</generator><lastBuildDate>Tue, 14 Jul 2026 06:06:34 GMT</lastBuildDate><atom:link href="https://blog.appsec-adventure.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[AppSec Adventure LLC]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[appsecadventure@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[appsecadventure@substack.com]]></itunes:email><itunes:name><![CDATA[Anne Bendix]]></itunes:name></itunes:owner><itunes:author><![CDATA[Anne Bendix]]></itunes:author><googleplay:owner><![CDATA[appsecadventure@substack.com]]></googleplay:owner><googleplay:email><![CDATA[appsecadventure@substack.com]]></googleplay:email><googleplay:author><![CDATA[Anne Bendix]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[The Pushing Fallacy: Why pushing harder makes your system more fragile]]></title><description><![CDATA[You do everything to keep your AppSec system running. That's exactly the problem.]]></description><link>https://blog.appsec-adventure.com/p/the-pushing-fallacy-why-pushing-harder</link><guid isPermaLink="false">https://blog.appsec-adventure.com/p/the-pushing-fallacy-why-pushing-harder</guid><dc:creator><![CDATA[Anne Bendix]]></dc:creator><pubDate>Tue, 07 Jul 2026 13:04:11 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/19c7b9d1-e675-4dea-adf6-5e4bb609bc9d_2339x1316.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>In 2022, I took a sabbatical to travel Scandinavia for three months. Back then, I was 18 months into developing my first AppSec system from scratch. </p><p>What do you think happened while I was hiking? </p><p>Exactly. </p><p>Nothing. </p><p>Of course I didn&#8217;t expect anyone to develop the system further. I just asked them to prepare some small tasks in the meantime. Things I would usually have to wait for, as my progress depended on them. </p><p>But without my constant reminder, the 3 months just passed by unused.</p><p>I had fallen for the <strong>Pushing Fallacy</strong>. </p><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://blog.appsec-adventure.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Subscribe for weekly practical thoughts on making your AppSec system more resilient.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><div><hr></div><h2>Why did I get trapped?</h2><p>When I got handed responsibility for AppSec, I took it very seriously. I wanted to build something that really helped my fellow developers to build secure software. I had no idea what I was doing, but I was determined. </p><p>The problem was, nobody would argue that security was important. But was it urgent enough to prioritize it over the feature the customer wanted to have yesterday? </p><p>Probably not. </p><blockquote><p>This behavior is not a character flaw. It is a documented cognitive bias. Researchers call it the mere urgency effect. In a 2018 study, <a href="https://hub.jhu.edu/2018/05/31/meeting-deadlines-time-management-behaviors">Meng Zhu at Johns Hopkins</a> found that people consistently choose urgent tasks over important ones &#8212; even when the urgent task promises a smaller reward. They pick the deadline over the payoff. Every time. </p></blockquote><p>A bug is urgent. A feature becomes urgent, because the customer is pushing for it. </p><p><strong>Security is important, but not urgent until it&#8217;s too late.</strong> </p><p>I adapted fast. I knew instinctively, I had to create urgency. I became the two feet in their door, pushing security forward.</p><p>And of course it worked. </p><h2><strong>It worked. So why is it a fallacy?</strong></h2><p>Pushing creates urgency, urgency creates action, action creates results. The dependency gets updated. The vulnerability gets fixed. The ticket moves forward. Every push delivers a small, immediate win.</p><p>That&#8217;s exactly why the cycle is so hard to break.</p><blockquote><p><a href="https://www.simplypsychology.org/operant-conditioning.html">B.F. Skinner</a> demonstrated this in the 1930s: behavior that is immediately rewarded gets reinforced faster and stronger than behavior with delayed consequences. Push. Ticket closed. Relief. Push again. Our brain learns that pushing works, and it learns it fast.</p><p>The mechanism has a name: <a href="https://trucentive.com/wp-content/uploads/2025/05/Points-vs-Instant-Rewards.pdf">temporal discounting</a>. We devalue rewards that lie in the future. A resolved ticket now feels more real than a fragile system in two years. The dopamine hit arrives before the damage is even visible.</p></blockquote><p>But the reinforcement does not stop with you. Your colleagues are learning too.</p><p>Every time you push, you send the same signal: when security is urgent, someone will stands in the door. They learn that the reminder will come. They learn that delaying security has no consequences. </p><blockquote><p>Psychologists call it the <a href="https://www.simplypsychology.org/operant-conditioning.html">overjustification effect</a>: when an action is always triggered by an external push, the internal drive never develops. Your colleagues never develop a reason to prioritize security on their own. You are the reason. And when you disappear, the reason disappears with you.</p></blockquote><p>Two cycles. One spiral.</p><p>This is how AppSec heroes are born. </p><h2>Why does this make my system fragile?</h2><p>Imagine the knight fighting the dragon. That&#8217;s you. But you can&#8217;t fight all dragons everywhere at the same time. And what happens, when the dragon wins? </p><p><strong>Yes. A hero is per definition a single point of failure.</strong> </p><p>In AppSec, you are fighting. You are pushing. This may work for some time. But eventually, you may get wounded. </p><blockquote><p>The statistics are brutal. A <a href="https://www.sophos.com/en-us/blog/report-addressing-cybersecurity-burnout-in-2025">2025 Sophos survey</a> of 5,000 cybersecurity professionals across 17 countries found that 76% experienced burnout in the past year. At the leadership level, it is worse: <a href="https://www.bitsight.com/blog/5-shocking-it-cybersecurity-burnout-statistics">91% of CISOs report moderate or high stress</a>, and more than a quarter admit that stress directly affects their ability to do their jobs.</p></blockquote><p>When your system depends on one person, and that person burns out, the system does not slow down. It stops.</p><p>Obviously, hero-dependence makes your systems fragile. </p><p><strong>But even if you do not burn out, pushing has already stolen something from you: the time to build.</strong></p><p>Every hour you spend reminding someone to close a ticket is an hour you didn&#8217;t spend designing a process that closes tickets without you. Every meeting where you&#8217;re the only one pushing security is a meeting you could have spent building ownership into the development team. Every firefight you solve alone is a firefight you didn&#8217;t use to train someone else.</p><p>You are trading progress for motion. You stay busy. You stay indispensable. You waste energy without building resilience.</p><h2><strong>Now, how can you escape the fallacy?</strong></h2><p>The first step is not to stop pushing. That&#8217;s unrealistic. Just recognize the trap.</p><div class="callout-block" data-callout="true"><p><strong>1. Name the dependency.</strong></p><p>Run the thought experiment. What breaks if you&#8217;re gone for two weeks tomorrow? Not &#8220;who would miss you.&#8221; What concrete process stops? Which ticket stays open? Which decision doesn&#8217;t get made? Which escalation has no path?</p><p>Write it down. That is your dependency chain.</p></div><div class="callout-block" data-callout="true"><p><strong>2. Test the system.</strong></p><p>On your next vacation, be gone. Really. No &#8220;I&#8217;m reachable in emergencies&#8221; exception.</p><p>Watch what happens. What stopped without you? That is proof the system depends on you. What lies untouched after two weeks? That is proof nobody took ownership.</p><p>If you come back and everything ran smoothly, congratulations. You may not have a hero problem. </p><p>Two weeks is a short test. </p><p>Now ask the harder question: Would the system still work if you were gone for three months? Or six months? If you quit tomorrow?</p></div><div class="callout-block" data-callout="true"><p><strong>3. Break one cycle.</strong></p><p>Take the most obvious or most fragile dependency. Eliminate it. </p><p>Not delegate it. Eliminate the dependency.</p><p>Hand the tool to the operations team. Train someone else to handle the incident. Build a process that works without your signature. </p><p>Just one. </p><p>Then the next.</p><p>That creates resilience over time.</p></div><p>These three steps get you started. But they don&#8217;t replace a focused diagnostic.</p><p>For that, you need to understand your AppSec program as a system. Not as a collection of tools and processes, but as a system with interdependencies, responsibilities, and pressure points.</p><p>On <a href="https://www.appsec-adventure.com/resources/ownership-model">my website</a> I explained the full process. Map out your system. Understand how it works and where it&#8217;s most fragile. Then optimize for resilience step by step.</p><p>I built the <a href="https://blog.appsec-adventure.com/s/appsec-ownership-model">AppSec Ownership Model</a> as a reference for how responsibility can be distributed in a resilient AppSec system. You can use it to decide which responsibilities are misplaced and how to rearrange them. </p><p>If you want my support with that diagnostic, that&#8217;s exactly what the <a href="https://www.appsec-adventure.com/services/terrain-check">AppSec Terrain Check</a> does. </p><p>Whatever route you choose, don&#8217;t wait. Start today. Break the first cycle.</p><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://blog.appsec-adventure.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Subscribe for weekly practical thoughts on making your AppSec system more resilient.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item><item><title><![CDATA[Control is killing your AppSec program (and eventually your company)]]></title><description><![CDATA[Trust is not the enemy. It's the answer.]]></description><link>https://blog.appsec-adventure.com/p/control-is-killing-your-appsec-program</link><guid isPermaLink="false">https://blog.appsec-adventure.com/p/control-is-killing-your-appsec-program</guid><dc:creator><![CDATA[Anne Bendix]]></dc:creator><pubDate>Tue, 30 Jun 2026 13:01:09 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/947d49f3-d968-4427-a1f8-66866b6103e1_5472x3078.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>For some security professionals, people are still the biggest threat and I understand that perspective. </p><p>I have been asking myself the same question over and over again: why do people do what they do? Often, it makes no sense. </p><p><strong>Some behavior seems totally irrational.</strong> <strong>Like self-sabotage.</strong></p><p>In security, you find many examples:</p><ul><li><p>You keep hammering it into developers' heads: no hard-coding! Still, secrets get pushed to the repo. </p></li><li><p>You blacklist an old vulnerable JS library, but somehow people copy it into the repo and keep using it. </p></li><li><p>Or, you help your CISO run another pretty obvious phishing simulation and people keep clicking AND entering their data. </p></li></ul><p>It is obvious to me that control-based security just doesn&#8217;t work. </p><blockquote><p><em>According to Sauce Labs&#8217; <a href="https://saucelabs.com/resources/report/developers-behaving-badly">Developers Behaving Badly</a> report, 75% of developers admit to circumventing security protocols to get their work done. 70% have used a coworker&#8217;s credentials.</em></p></blockquote><p>I can&#8217;t spot bad intentions. They just try to do do their job. </p><p>But that&#8217;s not all. </p><p>Control-based security is in fact <strong>harmful</strong> for your organization.</p><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://blog.appsec-adventure.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Subscribe for weekly practical thoughts on making your AppSec system more resilient.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><div><hr></div><h2>Why control harms your company</h2><p>Let&#8217;s step back for a moment. How could security harm your company? </p><p>&#8220;It&#8217;s the very thing that protects my company from major incidents!&#8221;<strong> </strong>you might think. </p><p>You&#8217;re right. </p><p>Or, that&#8217;s at least the goal. But security that fails to achieve that goal still produces costs that someone needs to pay for. </p><div class="pullquote"><p>Control-based security doesn&#8217;t just fail to protect. It actively damages the systems it claims to secure. </p></div><p><strong>Here&#8217;s how the chain works:</strong></p><p>Security controls become roadblocks. Developers see them as obstacles, not support. </p><blockquote><p><a href="https://www.securecodewarrior.com/press-releases/secure-code-warrior-survey-finds-86-of-developers-do-not-view-application-security-as-a-top-priority">Secure Code Warrior&#8217;s 2022 survey</a> found that <strong>86% of developers do not view application security as a top priority when writing code.</strong> Only 29% believe the active practice of writing code free of vulnerabilities should be prioritized at all.</p></blockquote><p>Why? Because your AppSec program taught them that security is someone else&#8217;s job. A gate to pass. A checklist to satisfy. Not something they own. </p><div class="pullquote"><p>There is no meaning in passing an arbitrary gate.</p></div><p>Roadblocks breed frustration. Frustration creates a toxic environment. And toxic environments drive people out. </p><blockquote><p>According to <a href="https://www.paycor.com/resource-center/articles/employee-retention-statistics">iHire&#8217;s 2024 Talent Retention Report</a>, <strong>the leading reason employees quit is a toxic or negative work environment (32.4%)</strong>, ahead of poor leadership (30.3%) and unsatisfactory pay (20.5%).</p></blockquote><p>When your best developers leave, delivery grinds to a halt. </p><blockquote><p><a href="https://devsu.com/resources-center/navigating-software-developer-turnover-challenges">Gartner&#8217;s 2024 Workforce Productivity Report</a> found that <strong>each developer turnover sets a team back by 4 to 8 weeks in delivery time.</strong> And teams with high turnover accumulate 37% more technical debt and spend 22% more time debugging than stable teams.</p></blockquote><p><strong>That&#8217;s the cost of control:</strong> </p><ul><li><p>slower delivery, </p></li><li><p>accumulating debt, </p></li><li><p>and a revolving door of talent. </p></li></ul><p>As AppSec Leads, we must be constantly aware, that security is a mean to a greater end. </p><h2>Security exists to protect freedom</h2><p>Let&#8217;s zoom out. </p><p>When someone starts a company, they usually have a great vision. Something they want to bring into the world. Something that serves their clients in a meaningful way. It&#8217;s all about freedom, creativity, big dreams and purpose. </p><p>Along the way their vision becomes their employees daily work. Some might share the vision and find joy in pursuing it. For others, it&#8217;s just a good way to pursue their own goal of stability and their purpose in providing for their family. </p><p>In the end, everyone wants something different out of life. Your company has its vision and needs. But it's a complex system resting on many shoulders, each carrying their own vision and needs. One can&#8217;t function without the other. </p><p><strong>And everyone, at the end of the day, is looking out for their own survival. </strong></p><p>That&#8217;s not selfish. It&#8217;s human. The developer wants to write great code and ship a product they&#8217;re proud of. The product manager wants to hit deadlines and deliver value. You, the AppSec Lead, want to prevent breaches and protect the company.</p><p>All of these are legitimate needs. The problem is how we try to meet them.</p><p>Control-based security enforces <em>our</em> needs at the expense of everyone else&#8217;s. It says: &#8220;My need for security outweighs your need to build, to ship, to create.&#8221; The developer who loves writing code and believes in the product is told to stop, fill out a form, wait for a review, and justify why they need to do what they were hired to do.</p><p><strong>That&#8217;s not protection. That&#8217;s restriction.</strong></p><p>You&#8217;re not creating a safe space for their freedom to exist. You&#8217;re taking their freedom away and calling it security.</p><p>So how can we do better?</p><h2>The invisible fence</h2><p>Picture a free-running dog next to a main street. Claws aligned with the curb. Calmly waiting. No human. No leash. For most dog-loving drivers, this may cause heart attacks. What a dangerous situation for the dog!</p><p>For me, that&#8217;s just a daily walk in the city with my dog, Suschka.</p><p><strong>I knew running across streets could kill her, so we trained the safe behavior from day one.</strong> </p><p>At every street, you would hear me say: &#8220;Czekaj!&#8221;. That&#8217;s polish for "Wait!&#8221;. My colleagues back then even started imitating us for fun when we headed for lunch. <em>&#8220;Czekaj!&#8221;</em> Everyone would stand still until I had properly checked the situation and said &#8220;Ok, go&#8221;. </p><p>That&#8217;s how we created that invisible fence that protects my dog&#8217;s life without the need to restrict her freedom to explore at her own pace. </p><blockquote><p>Is the invisible fence 100% secure? No. </p><p>Is the leash 100% secure? No.</p><p>Does the leash restrict freedom?<strong> Definitely.</strong></p></blockquote><p>But what about me, the owner? When she stops just millimeters before her paw would touch the street. Yes, I still sometimes experience some light heart attacks. But I had time to build trust and she proves me right every day. </p><p>And whenever I feel she might not recognise a street as such in a new environment, I will just remind her. Czekaj! Communication. </p><p>And of cause there are situations, where I still use a leash. </p><ul><li><p><strong>Social reasons:</strong> When people are scared of the little wolf, the leash makes them feel safe even if it&#8217;s not necessary for us. </p></li><li><p><strong>Safety reasons:</strong> Sometimes trust is not enough. I know I can&#8217;t trust her when it comes to her passion for hunting deer, so I have to use a leash in the forest where her freedom would harm others. </p></li><li><p><strong>Legal reasons:</strong> When law requires us to use a leash, we might use it to avoid unnecessary costs. Or maybe we just take the risk of getting caught. #YOLO</p></li></ul><p>Like a leash, security-controls are a useful tool when used carefully. But they should not be your only tool and not your first thought.</p><h2>Why should I trust the invisible fence in AppSec?</h2><p>It doesn&#8217;t matter if you train a dog or work with people. You can influence behavior in to ways: through force and control, or through relationship and autonomy.</p><p><a href="https://selfdeterminationtheory.org/SDT/documents/2000_RyanDeci_SDT.pdf">Self-Determination Theory</a><span>, one of the most validated frameworks in organizational psychology, proves that people are intrinsically motivated when three needs are met:</span></p><ol><li><p><strong>autonomy</strong> (the feeling you&#8217;re choosing your actions), </p></li><li><p><strong>competence</strong> (the feeling you can succeed), and </p></li><li><p><strong>relatedness</strong> (connection to others). </p></li></ol><p>When those needs are met, performance goes up, turnover goes down, and people take ownership. </p><p><strong>External control destroys all three.</strong></p><p>Fear-based training leads to disengagement. Empowerment-based training creates a culture where everyone sees themselves as part of the defense.</p><p>In security, the data backs this up. </p><blockquote><p><span>Organizations with a </span><a href="https://www.knowbe4.com/security-culture">strong security culture</a><span> show </span><strong>52&#215; less risky behavior</strong><span> like credential sharing. The </span><a href="https://www.knowbe4.com/hubfs/Security%20Culture%20and%20Credential%20Sharing.pdf">KnowBe4 Security Culture Research</a><span> dataset examined tens of thousands of employees across thousands of organizations and found that organizations in the "Good" security culture class had 52 times less data entry in phishing simulations than those in the "Poor" class (0.1% vs 5.2%).</span></p></blockquote><p>The invisible fence is still a fence, but it&#8217;s one people <strong>can choose to accept</strong> (autonomy) because they <strong>understand</strong> (competence) why it is necessary <strong>to protect themselves and others</strong> (relatedness).</p><h2>How do you build an invisible fence?</h2><p>Let&#8217;s see how I built our invisible fence at the streets and see how you can get started building your own invisible fences in AppSec. </p><div class="callout-block" data-callout="true"><ol><li><p><strong>Choose the risk you want to address.</strong> </p></li></ol><p>Looking back at my dog training example: I knew dogs can cause accidents and get killed when they run across streets. I knew a leash could secure them, but you may not have a leash on the dog in that particular moment or it may snap. </p><p>In AppSec, let&#8217;s say you choose to address this hard-coding secrets topic and build an invisible fence for that.</p></div><div class="callout-block" data-callout="true"><ol start="2"><li><p><strong>Design the safe behavior you want to see.</strong></p></li></ol><p>I defined the behavior I wanted my dog to show: stop at the street and only cross it, when I confirmed it&#8217;s safe. </p><p>In AppSec, define how people should handle secrets. What is your alternative to hard-coding? What do you want them to do instead? Be precise. </p></div><div class="callout-block" data-callout="true"><ol start="3"><li><p><strong>Build competence and relatedness.</strong></p></li></ol><p>My dog had to learn to stop and wait when ever I say <em>Czekaj</em> and move, when I say <em>Ok</em>. For her, that was fun and lots of cheese. </p><p>In AppSec, now it&#8217;s time to train your developers on <strong>how and why</strong> to securely handle secrets. Make it fun. Gamification is your friend. </p></div><div class="callout-block" data-callout="true"><ol start="4"><li><p><strong>Set up the fence.</strong></p></li></ol><p>Now we need to connect that new behavior with the situation we want to apply it to.</p><p>For Suschka, that meant connecting streets with the safe behavior. Every single day. Every single street. On Leash or free. Czekaj! Ok. That&#8217;s why my colleges started to make fun of us.</p><p>When I eventually forgot to say Czekaj, I wanted her to stop and ask &#8220;hey, where is my cheese?!&#8221;. Until this happened, I used the leash to secure the situation. </p><p>In AppSec, your developers now learned to use your secure alternative and understood why it&#8217;s important. That&#8217;s when you can introduce your control, your fence, to help them. </p><p>When they try to push a new secret? Don&#8217;t punish. Let your system refuse it and simultaneously suggest the easy and secure solution. Celebrate them, when they did it right. </p><p><em>Be patient. Don&#8217;t take away the cheese to early!</em></p></div><div class="callout-block" data-callout="true"><ol start="5"><li><p><strong>Trust them, but watch gently.</strong></p></li></ol><p>I can now trust Suschka to run off leash next to streets, because stopping at the street is her default. In doubt, a short <em>Czekaj</em> will save the situation.</p><p>In AppSec, maybe your control can now become just a warning, because you know people won&#8217;t violate it without good reason. You can let go of the leash, return autonomy, but carefully watch, if they need a reminder from time to time. </p></div><p>By applying the Self-Determination Theory, you created intrinsic motivation to behave securely. That&#8217;s when the fence turns invisible, because there is no motivation to run into that fence any more. Over time, these invisible fences are what create your strong security culture. </p><p>Control is killing your AppSec program. Trust, earned through training and autonomy, is what makes it work. Security and freedom are not opposites &#8212; they are interdependent. Build the fence people choose, not the one they're forced to work around.</p><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://blog.appsec-adventure.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Subscribe for weekly practical thoughts on making your AppSec system more resilient.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item></channel></rss>