As security practitioners we need to ensure that we can talk to developers in terms that make us partners and not adversaries. We need to facilitate education and training that makes security not an afterthought or a burden but something that just becomes part of what they do day to day....kind of like how they follow Java Coding Standards. This situation reminds me a lot about what I saw when I first started working with Rational 14 years ago and we worked with customers implementing our Java IDE (Rational Application Developer/Rational Software Architect/ or even just base Eclipse).  I worked with a lot of new Java programmers and we would talk to them about the important of using standard Java coding standards like file organization, comments, naming conventions, etc.   Did they like having us impose these standards?  Not really...they just wanted to write code.  But their management saw the importance for such reasons as ensuring readability and improving the ease of maintenance and over time code reviews and the adherence to these standards just became part of the process.  Also over time developers realized the importance of these standards.  Readability and maintenance (two benefits of coding standards) are great but  is nothing compared with the negative impact that management should be worried about with security flaws - financial, loss of reputation, loss of intellectual capital.    So why isn't development management more open to the importance of security.   well IMHO

 who can blame the development teams for being resistant when many appsec folks show up with a list of everything that's wrong with their code when they've been working long hours and weekends to meet tight deadlines imposed on them by the business 

• If you're a developer do you agree with the above list?  Have you had "run-ins" with the appsec folks?
  
• If you're an appsec person what do you think can be done to improve the relationship and help move security up that priority list?