AppSec is a great example of something that is simple to understand but hard to do. Kind of like quitting smoking.
Here is Dan Ariely on the latter:
What's the best way to get people to stop smoking?
The problem with smoking is that its effects are cumulative and delayed, so we don't feel the danger. Imagine what would happen if we forced cigarette companies to install a small explosive device in one out of every million cigarettes—not big enough to kill anyone but powerful enough to injure. My guess is that this would stop people from smoking. If this is too extreme, maybe we can just get people to start thinking about smoking this way.
Is there an AppSec equivalent here? Exploding things in production is probably career limiting, but what about in QA or further upstream, such as how Gauntlt is integrated with Jenkins? That seems like a rough equivalent and maybe a good way to set the acceptable bar.
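The "explosive in QA" idea above boils down to a build gate: a security step in the pipeline fails the build when a finding crosses an agreed bar. As an added illustration (this is not code from the post, nor Gauntlt's or Jenkins' own code), the following script takes a list of findings, applies a severity threshold, honours an accepted-risk list, and exits non-zero so the CI job goes red. The findings, rule identifiers, severity policy and accepted-risk list are all constructed for the example.

```python
"""
Added example (not from the post, not Gauntlt's or Jenkins' own code): a
minimal CI "build breaker" that turns scanner findings into a pass/fail gate,
the way a Gauntlt run wired into a Jenkins job would fail the build.
All findings below are constructed sample data; the severity ranking and the
accepted-risk list are assumptions for illustration.
"""
import sys
from dataclasses import dataclass

# Assumed severity ordering; anything not in this table is treated as blocking
# (fail closed), so a scanner emitting a new level cannot silently pass.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str   # identifier of the check that fired (constructed names)
    severity: str  # expected to be a key of SEVERITY_RANK
    location: str  # file or endpoint the finding refers to


# Constructed sample findings, shaped like what a scanner step might emit.
SAMPLE_FINDINGS = [
    Finding("sql-injection", "high", "app/orders.py:42"),
    Finding("missing-csp-header", "medium", "GET /"),
    Finding("verbose-server-banner", "low", "GET /"),
]


def gate(findings, fail_at="high", accepted=frozenset()):
    """Return (passed, blocking); blocking lists the findings that fail the build.

    fail_at  - lowest severity that breaks the build (the "acceptable bar").
    accepted - rule_ids whose risk was formally accepted; still reported,
               but they do not block, which keeps the gate strict without
               making it absolute.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = []
    for f in findings:
        if f.rule_id in accepted:
            continue
        rank = SEVERITY_RANK.get(f.severity)
        if rank is None or rank >= threshold:
            blocking.append(f)
    return (len(blocking) == 0, blocking)


def report(findings, fail_at="high", accepted=frozenset()):
    """Human-readable summary ending in PASS or FAIL, for the build log."""
    passed, blocking = gate(findings, fail_at, accepted)
    lines = [f"{f.severity.upper():9}{f.rule_id:24}{f.location}" for f in findings]
    verdict = "PASS" if passed else f"FAIL ({len(blocking)} blocking finding(s) at >= {fail_at})"
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS, fail_at="high"))
    passed, _ = gate(SAMPLE_FINDINGS, fail_at="high")
    # A non-zero exit status is what makes Jenkins (or any CI) mark the build failed.
    sys.exit(0 if passed else 1)
```

Run inside the job after the scanner step; the threshold is the "acceptable bar" the post talks about, and the accepted-risk list is the escape hatch that keeps the gate from being carte blanche for the security team in the other direction. Keep the accepted list in version control so every exception has a reviewable history.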
Is there a governance equivalent? The nearest I have seen is when the CIO gives the CSO some limited number of silver bullets per year, say three. The CSO can then kill any three projects per year without further approval. This can be a game changer in app approval, because App Dev teams know they are sitting across from a team that can kill their chances to ship. At the same time, it's not carte blanche: the limited number forces the security team to be selective. Either way, smoking and insecure code are bad things in the long run.