Security Journey Blog

Building Elite AppSec Teams: A Conversation with David Kosorok

Written by Dustin Lehr | Jun 19, 2025 4:00:00 AM

This article was written by Dustin Lehr, cohost of The Security Champions Podcast.

Recently, I had the pleasure of sitting down with David Kosorok for an episode of the Security Champions podcast. David is a seasoned AppSec leader with experience across a range of industries, and our conversation was one of the most enriching and thought-provoking I’ve had in a while. 


At the heart of our discussion was David's new book, Mastering Application Security: Building Elite Teams for Tomorrow's Threats. It's more than a guide; it's a blueprint for building, scaling, and leading AppSec programs that don't just function but thrive. As someone who has long focused on the intersection of security and culture, I found myself nodding along with so much of what David shared.

One of the themes we explored in depth was talent. Not just hiring, but building “sticky teams” where people feel valued, aligned with the mission, and truly invested. David shared compelling perspectives on mentorship, onboarding, and creating space for autonomy within clear strategic guardrails. His approach goes beyond technical acumen—it’s rooted in people, purpose, and partnership. 

We also dove into the importance of stakeholder engagement. David emphasized that stakeholder interviews aren’t just a formality; they’re foundational for understanding the organization, surfacing concerns, and earning trust. It reminded me of two of my favorite principles: “Weigh-in leads to buy-in” and “Don’t let the first time you meet someone be when you need something.” Relationships matter. Build them early and build them well. 

From there, we unpacked how to define and prioritize security initiatives. I appreciated David’s practical approach: start with broad brainstorming, assess honestly using red-yellow-green scoring, and prioritize based on business alignment. He also offered valuable insights on launching and evolving formal Security Champion programs—something close to my heart—alongside metrics, threat modeling, and continuous training. 

And of course, we couldn’t end without touching on AI. David’s perspective? AI won’t replace AppSec engineers, but it can make us faster, more efficient, and better informed—if we use it thoughtfully. 

If there’s one core takeaway from this conversation, it’s this: great AppSec programs are built by great teams—and great teams are built through listening, collaboration, and a commitment to continuous learning. 

If you’re building an AppSec program or growing a team, I highly recommend checking out David’s book. And if you're looking for practical inspiration around culture, talent, or champion programs, this episode is a great place to start. 

I’d love to hear what about our conversation resonated most with you.