The Gambler's Playbook: Seven rules to win in AppSec
Advice for AppSec Leads from Kenny Rogers' country song
You’re two years into implementing your six months AppSec roadmap and still, nothing works without your constant reminder. That sucks. I guess the gambler would say, you’re out of aces.
He said, "Son, I've made a life out of readin' people's faces.
Knowin' what the cards were by the way they held their eyes.
So if you don't mind my sayin' I can see you're out of aces. If you're gonna play the game, boy, you gotta learn to play it right.
I may not know much about poker, but this definitely counts for AppSec. We may not read faces, but we must talk to people and ask them what they actually need from us. Why don’t they onboard to that new security tool? Why is their vulnerability count still not going down and why do they still push new secrets into the code base?
But let’s see how to win the AppSec game.
You’ve got to know when to hold’em. Know when to fold‘em. Know when to walk away and know when to run.
1st Rule: Avoid the Pushing Fallacy
I wrote a separate article about the Pushing Fallacy, so I will keep it short. When you introduce new AppSec measures, you will need to push in the beginning, but that’s not sustainable. At some point, you must delegate recurring tasks or you become the bottleneck of your AppSec system.
2nd Rule: Know when to walk away
I bet there are discussions you can have over and over again without changing people’s behavior. Let’s say they argue why they, again, had no time to fix that critical pentesting finding. Do you think another discussion will make them finally fix it?
Instead, ask yourself: What else can you do? Can you get support? Can you escalate the situation?
Leaving one table doesn’t mean you stopped playing.
3rd Rule: Know when to run
This is a painful one: the weak mandate and missing management support.
If it’s just a weak mandate, but your management generally has your back, you have one more card to play. Explain exactly what you need from them to do your job. Don’t expect them to recognize it themselves. They are busy, too.
When you lack management support, it’s different. You are already set up for failure. It doesn’t matter how hard you try to convince them. Do yourself a favour and run.
You never count your money when you’re sittin’ at the table.
There’ll be time enough for countin’ when the dealin’s done.
4th Rule: Make it work independently
How often do you count your money while you’re still sitting at the table? I mean it literally. When something just works because you were constantly pushing, it’s just a single game you’ve won. You will lose it as soon as you’re on your next vacation or simply sick.
Celebrate your wins when things worked independently. An incident that was handled properly while you were on vacation? That’s when you know the process works.
And it’s prove you escaped the Pushing Fallacy.
Every gambler knows that the secret to survivin’ is knowin’ what to throw away and knowin’ what to keep.
5th Rule: Keep it simple
In general, most people try to solve problems by adding more. Buy another tool. Write another policy. But this is not a one-time cost. The tool will constantly cost money and another policy adds maintenance effort to keep it up-to-date and complexity for everyone to make sense of the rules.
Take stock of your AppSec measures occasionally. Why did you introduce them in the first place? Do they actually serve this purpose? Can you measure it?
If not, simplify. Adjust them if possible or throw them away.
‘Cause every hand’s a winner and every hand’s a loser and the best that you can hope for is to die in your sleep.”
6th Rule: Work with what you’ve got
What are the cards you are playing with at the moment? It’s your team, your culture, your budget. Don’t waste your energy complaining about your hand. Work with what you’ve got.
This doesn’t mean you can’t aim to hire new team members or request a higher budget. And maybe your perfect next security champion is just about to start their developer role tomorrow. It just means to accept that some cards are just not available at the moment and build the most resilient AppSec system within your constraints.
7th Rule: Peace is the reward
What does it mean for the gambler to ‘die in his sleep’? I guess he has played the game well. For us AppSec Leads, playing the game well means having a boring life. No fire fighting, just calmly working on improving the system without any risk for burnout.
But there is a second part: This is ‘the best that you can hope for’. A boring life is not something that will be rewarded externally very often. When that’s what you’re looking for, I would suggest reconsidering the 3rd rule.
If you found something valuable to take from the gambler’s playbook, I would love to read about it in the comments. Which rule did hit the most?
Does your AppSec program depend on you constantly pushing it forward?
The AppSec Terrain Check is a short-term diagnostic based on my AppSec Ownership Model. It helps you uncover the underlying problems you need to solve to build resilience into your program.


