AppSec Ownership Model
What happens when expectations stay implicit?
Everyone defines security for themselves.
If there is no explicit standard, security ends up being implemented according to personal judgment. What gets done, what gets skipped, and what is considered “good enough” depends on the individual, not on a shared expectation.
Implicit expectations do not create shared security standards.
Controls replace ownership.
When teams do not act on security expectations, the typical response is to add more controls. But controls that are not backed by ownership often just slow down delivery, create friction, and make software development less effective without meaningfully improving security.
More control does not fix missing ownership.
Everything depends on one person pushing.
If one person carries the whole security effort, the program only moves as long as that person keeps pushing. Without distributed ownership, AppSec becomes fragile, unsustainable, and hard to scale.
AppSec does not scale when ownership stays with one person.
Step 1: Define your vision for AppSec ownership
You can't force ownership to emerge, but you can build the conditions necessary.
The AppSec Ownership Model gives you a structured reference for how responsibilities could be distributed between the six roles involved in developing secure software so each role can take ownership of their part.
It is not meant to be copied blindly. Use it to define your own vision for AppSec ownership and adapt it to your organization, your terrain.
It helps you clarify:
- Domain ownership: Which AppSec domains each role owns and where it supports.
- Accountability: What each role is accountable for, and what it explicitly is not.
- Interfaces: How roles interact with each other, including escalation paths.
Defining your vision is only the first step.
Next, let's look at how to understand your current system and move it toward that vision. You'll find an overview of the model and access to the full reference further below.
Step 1: Define your vision for AppSec ownership
You can't force ownership to emerge, but you can build the conditions necessary.
The AppSec Ownership Model gives you a structured reference for how responsibilities could be distributed between the six roles involved in developing secure software so each role can take ownership of their part.
It is not meant to be copied blindly. Use it to define your own vision for AppSec ownership and adapt it to your organization, your terrain.
It helps you clarify:
- Domain ownership: Which AppSec domains each role owns and where it supports.
- Accountability: What each role is accountable for, and what it explicitly is not.
- Interfaces: How roles interact with each other, including escalation paths.
Defining your vision is only the first step.
Next, let's look at how to understand your current system and move it toward that vision. You'll find an overview of the model and access to the full reference further below.
Step 2: Understand your system
To calculate a route to your vision, your target destination, you need your current location.
In AppSec, this means understanding how your system currently works.
To understand your system, compare three different realities:
- What your policy says: How is responsibility officially distributed?
- What your team says: How is responsibility actually distributed?
- What your vision says: How is responsibility meant to be distributed?
In addition, analyze how your AppSec measures like security tools, training, or a security champions program impact your system. Do they create the expected impact, and if not, what keeps them from doing so?
You can do that analysis yourself or use the AppSec Terrain Check.
The Terrain Check provides you with your AppSec Owner's Manual: your practical reference to understand your system and steer your AppSec program toward your vision.
Step 2: Understand your system
To calculate a route to your vision, your target destination, you need your current location.
In AppSec, this means understanding how your system currently works.
To understand your system, compare three different realities:
- What your policy says: How is responsibility officially distributed?
- What your team says: How is responsibility actually distributed?
- What your vision says: How is responsibility meant to be distributed?
In addition, analyze how your AppSec measures like security tools, training, or a security champions program impact your system. Do they create the expected impact, and if not, what keeps them from doing so?
You can do that analysis yourself or use the AppSec Terrain Check.
The Terrain Check provides you with your AppSec Owner's Manual: your practical reference to understand your system and steer your AppSec program toward your vision.
Step 3: Improve your system
Once you know where you are and where you want to go, it's time to choose your next step.
Start where your system is most fragile.
Ask yourself:
- Is there a single point of failure in your system?
- Where does it depend on a single person?
- Where is responsibility currently not defined properly?
- What measures don't improve your product security as expected?
Before taking that next step, ask:
- Does it move misplaced responsibility into the right place?
- Does it make my system more resilient?
If you want support with choosing and implementing that next step, the Trail Guide is availabe as short-term support one step at a time.
Step 3: Improve your system
Once you know where you are and where you want to go, it's time to choose your next step.
Start where your system is most fragile.
Ask yourself:
- Is there a single point of failure in your system?
- Where does it depend on a single person?
- Where is responsibility currently not defined properly?
- What measures don't improve your product security as expected?
Before taking that next step, ask:
- Does it move misplaced responsibility into the right place?
- Does it make my system more resilient?
If you want support with choosing and implementing that next step, the Trail Guide is availabe as short-term support one step at a time.
AppSec Ownership Model at a glance
The AppSec Ownership Model shows how a resilient AppSec program could distribute responsibility across all roles involved in secure software development.
The roles are functional roles, not job titles. For example, Executor covers developers and architects, regardless of their individual focus. One person can also hold more than one role.
The six roles with one typical job title each:
- The Executor builds the product, e.g. a Software Developer.
- The Owner steers the AppSec program, e.g. an AppSec Lead.
- The Gatekeeper protects the team’s ability to deliver, e.g. a Product Manager.
- The Backbone provides the mandate and sets direction, e.g. a CEO.
- The Advocate drives security from within, e.g. a Security Champion.
- The Catalyst adds optional external expertise, e.g. your AppSec Guide.
The matrix below shows for each AppSec domain which role should own it and which roles contribute.
AppSec Ownership Model at a glance
The AppSec Ownership Model shows how a resilient AppSec program could distribute responsibility across all roles involved in secure software development.
The roles are functional roles, not job titles. For example, Executor covers developers and architects, regardless of their individual focus. One person can also hold more than one role.
The six roles with one typical job title each:
- The Executor builds the product, e.g. a Software Developer.
- The Owner steers the AppSec program, e.g. an AppSec Lead.
- The Gatekeeper protects the team’s ability to deliver, e.g. a Product Manager.
- The Backbone provides the mandate and sets direction, e.g. a CEO.
- The Advocate drives security from within, e.g. a Security Champion.
- The Catalyst adds optional external expertise, e.g. your AppSec Guide.
The matrix below shows for each AppSec domain which role should own it and which roles contribute.
AppSec Ownership Matrix
