A developer-focused application security (AppSec) program is a journey, not a destination, and it needs guiding principles to navigate its stages, milestones, and challenges. To build an effective AppSec program from scratch, start small: focus on individuals and shared secure coding practices, release control, and embrace transparency and cross-collaboration. As the program matures, refine it through continuous improvement, and define success metrics that serve the program's message, such as tracking design requirements, operational metrics, and security maturity assessments. Ultimately, AppSec should support developers, empowering them to take ownership of their secure coding practices with integrated and automated security tools such as Snyk.