How Strong Is My AppSec Program?


Measuring Team Effectiveness and Industry Benchmarks
If you’ve ever wondered, “Is my AppSec program robust enough, and is my team adequately staffed?” you’re not alone. Understanding the health of your AppSec program and assessing team effectiveness is crucial to building a resilient security foundation. Knowing where to start, however, can be challenging. Here are strategic ways to evaluate your team’s impact and ensure you're on the path to a mature, effective security program.
At Toast, we take security as seriously as our customers take their food service—it has to be baked into every process, not sprinkled on top as an afterthought (remember the Blueberry Principle?). We know that embedding security in every stage of development not only improves protection but also creates a culture where developers feel empowered, not burdened, by security measures. Below, we’ll walk through key ways to evaluate your AppSec team’s impact, with insights drawn from our experience both before and here at Toast.
Measuring AppSec Program Effectiveness: Start with Real Outcomes
The most practical way to measure an AppSec program’s effectiveness isn’t just by looking at team size or budget—it’s about real-world security outcomes. The number of security incidents caused by vulnerabilities in code, infrastructure, or API composition is the most direct measurement of whether security efforts are truly preventing issues.
Tracking how many security incidents occur over time—and working to reduce them—is a clear indicator of security maturity and effectiveness. If security is embedded correctly into the development lifecycle, incidents caused by security flaws should trend downward.
At Toast, we focus on security incidents as a primary metric because it ensures our security efforts aren’t just well-staffed but actually delivering measurable risk reduction. Focusing on the primary mission is important, but we also need to ensure that we’re scaled to succeed long term.
Ways to Measure AppSec Program Success
To gauge an AppSec program's maturity, organizations often look to frameworks like the Building Security In Maturity Model (BSIMM), which benchmarks maturity across industries. BSIMM provides a comprehensive view but requires significant time and budget commitments. For a quicker, internal insight, conducting a self-assessment can be effective if performed with a structured approach.
In addition to the primary goal of reducing security incidents, another valuable metric to help properly scale the team is the AppSec-to-developer team ratio, which provides a snapshot of team resources relative to development demands.
The AppSec-to-Developer Ratio: A Practical Baseline
While security incidents provide the clearest measure of program effectiveness, another key factor in scaling security is ensuring that AppSec teams are resourced properly to support developers. The AppSec-to-developer ratio is a useful secondary metric that helps determine whether the team has the right capacity to embed security across the organization.
Here’s a useful framework for evaluating team coverage:
Green (1:75 or below): Optimal, where each AppSec member can actively support developers as a security advisor.
Yellow (1:76 to 1:100): Manageable, but indicates a need for scaling to prevent resource strain.
Red (1:101 or above): Critical, where the AppSec team is likely reactive due to resource limitations.
While ratios commonly range from 1:100 to 1:159, such high numbers often stress AppSec teams. However, team size alone is not the only factor—the experience and expertise of the AppSec team also matter. A highly skilled team may successfully support a larger number of developers, whereas a larger but less experienced team may struggle even at a lower ratio.
By balancing incident reduction with team resourcing, organizations can ensure they have both the right people and the right processes in place to embed security into the development lifecycle. At Toast, we use both security incident tracking and team capacity metrics to measure our AppSec program’s success. By tracking real-world security incidents, we ensure our efforts are actually reducing risk, while the AppSec-to-developer ratio helps us maintain a sustainable security presence across all teams.
We believe that empowering developers, embedding security into early development, and leveraging automation allows us to maintain both security and developer velocity. Security should never be a bottleneck—it should be a catalyst for building resilient, scalable applications.
Budget Considerations: AppSec vs. IT Budget
Budget allocation is an indicator of both the efficiency and the maturity of an AppSec program. Benchmarks suggest allocating 5% to 12% of the total IT budget to Security, covering essential areas like tools, staffing, training, and strategic initiatives. This range supports proactive security, ensuring resources for continuous vulnerability scanning and developer training.
At Toast, we see security as a force multiplier—investments in security automation, developer training, and many other AppSec initiatives don’t just reduce risk, they accelerate secure development. By embedding security automation into CI/CD pipelines, we ensure that security happens without slowing down innovation.
Learning and Development as a Core Metric
L&D investments are critical to fostering a security-aware development culture. Tracking metrics related to developer training shows commitment to building security skills across the organization:
% of Budget for L&D: Allocate a portion of the AppSec budget specifically for developer security training and hands-on labs.
% of Developers Participating in Training: Monitor developer engagement in security training to gauge how broadly security practices are embraced.
Frequency of Training and Labs: Regular, hands-on labs and simulations help reinforce security skills, making developers more confident in secure coding and threat detection.
A Toasty Security Best Practice: Security Champions
At Toast, we’ve built a Security Champions program to embed security in every engineering team. Instead of forcing security from the outside, we enable developers to act as security advocates within their teams. Champions receive targeted training, participate in security discussions, and take ownership of security practices where they matter most—inside the development process.
But training alone isn’t enough—engagement and motivation play a huge role in the success of the program. That’s why we’ve introduced a gamified approach, where Security Champions earn Chef Badges for completing security-related challenges, participating in CTFs, or mentoring peers. These badges recognize contributions and foster a culture of continuous learning. Additionally, high-performing champions have opportunities to present at internal security forums, collaborate on security initiatives, and even influence security tooling decisions.
By measuring not just the number of Security Champions per development team, but also engagement levels, badge achievements, and ongoing contributions, we ensure that security is truly embedded in our engineering culture—not just a checkbox exercise.
Broader Industry Benchmarks: A Potential Survey
Beyond ratios and budgets, industry-wide data can deepen our understanding of AppSec needs. Imagine a survey where organizations share their AppSec-to-developer ratios along with security maturity indicators. This data could help benchmark metrics such as:
SLA (Service Level Agreement) Adherence for Vulnerability Remediation: Are critical vulnerabilities resolved within the required timelines?
Security Integration in the SDLC: Are security practices embedded in development, or is the approach more reactive?
Incident Response Trends: How quickly can security incidents be detected, triaged, and resolved?
Such data could create a comprehensive AppSec benchmarking resource, helping organizations set realistic goals based on industry maturity.
Other Key Metrics for a Healthy AppSec Program
Tracking a range of operational metrics gives a holistic view of AppSec program health. Key metrics include:
Collaboration and Influence: Is the AppSec team influencing development workflows effectively, and are developers receptive to security guidance?
Automation and Tooling: How well are security tools (SCA, SAST, DAST, and so forth) implemented? Effective automation helps scale security coverage without sacrificing quality.
Vulnerability Remediation: Consistent SLA adherence in vulnerability remediation indicates a security-minded development culture.
Mean Time to Discover (MTTD): How long it takes to identify vulnerabilities once they emerge.
Mean Time to Remediate (MTTR): How quickly vulnerabilities are fixed after discovery.
Code & Asset Vulnerability Management Coverage: A key measure of security health is understanding what percentage of codebases, APIs, and infrastructure assets are covered by security scanning and vulnerability management programs. Are we scanning all production environments? Are there gaps in security coverage for newly deployed microservices? Tracking this coverage helps ensure no critical system is left unprotected.
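To make the metrics in this list and the AppSec-to-developer traffic light above concrete, here is an added example (not code from the Toast program) that computes MTTD, MTTR, SLA adherence, scanning coverage, and the ratio band over a constructed set of findings. The per-severity SLA deadlines and the service names are assumptions for the example; the post prescribes neither.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from statistics import mean

# Per-severity remediation SLA in days (constructed; the post prescribes no timelines).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# introduced: vulnerable change shipped; discovered: scanner or triage found it;
# remediated: fix shipped, or None while the finding is still open.
Finding = namedtuple("Finding", "asset severity introduced discovered remediated")

def appsec_ratio_band(appsec_headcount: int, developer_headcount: int) -> str:
    """Post's traffic light: green at 1:75 or below, yellow 1:76 to 1:100, red 1:101+."""
    devs_per_engineer = developer_headcount / appsec_headcount
    return "green" if devs_per_engineer <= 75 else "yellow" if devs_per_engineer <= 100 else "red"

def mttd_days(findings) -> float:
    """Mean Time to Discover: introduction to discovery, over all findings."""
    return mean((f.discovered - f.introduced).days for f in findings)

def mttr_days(findings) -> float:
    """Mean Time to Remediate: discovery to fix, over closed findings only."""
    return mean((f.remediated - f.discovered).days for f in findings if f.remediated)

def sla_adherence(findings, now: datetime) -> float:
    """Share of findings fixed within SLA. Open findings past their deadline count
    as breaches; open findings still inside their window are not counted yet."""
    met = breached = 0
    for f in findings:
        deadline = f.discovered + timedelta(days=SLA_DAYS[f.severity])
        closed_at = f.remediated or now  # an open finding is judged as of `now`
        if f.remediated and closed_at <= deadline:
            met += 1
        elif closed_at > deadline:
            breached += 1
    return met / (met + breached) if met + breached else 1.0

def scan_coverage(inventory, scanned) -> float:
    """Fraction of inventoried production assets the scanning program covers."""
    return len(set(inventory) & set(scanned)) / len(set(inventory))

# Constructed sample data: four findings and a five-service production inventory.
FINDINGS = [
    Finding("orders-api", "critical", datetime(2024, 1, 1), datetime(2024, 1, 3), datetime(2024, 1, 8)),
    Finding("menu-svc", "high", datetime(2024, 1, 1), datetime(2024, 1, 11), datetime(2024, 2, 20)),
    Finding("pos-gateway", "critical", datetime(2024, 1, 5), datetime(2024, 1, 10), datetime(2024, 1, 25)),
    Finding("billing", "medium", datetime(2024, 1, 10), datetime(2024, 1, 15), None),
]
INVENTORY = ["orders-api", "menu-svc", "pos-gateway", "billing", "loyalty-svc"]
SCANNED = ["orders-api", "menu-svc", "pos-gateway", "billing"]
```

On this sample the open `billing` finding is excluded from SLA adherence on 2024-03-01 but counts as a breach on 2024-05-01, which is the behaviour a remediation dashboard needs so that unfixed findings cannot quietly inflate the adherence figure.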
Conclusion: Setting Realistic Goals for Your AppSec Program
Measuring the strength of your AppSec program goes beyond team size or ratios. It’s about embedding security into engineering culture, optimizing resource allocation, and driving proactive security measures.
At Toast, we’ve learned that scaling security isn’t just about adding more AppSec engineers—it’s about empowering developers and making security seamless. Whether through team ratios, security champions, or training investments, these strategies collectively ensure security is part of how we build, not just an afterthought.
By setting realistic goals, tracking the right metrics, and embedding security into company culture, you can develop an AppSec program that scales efficiently, supports innovation, and protects both your customers and your business.