The Dev vs. Security Conflict Root Cause Isn’t Culture. It’s Unmanaged Open Source.
Leslie Pascual
June 18, 2026
.webp)
Frequently Asked Questions
Why does the question of who owns security risk keep going unanswered in large organizations?
The root cause is a structural mismatch between authority and accountability. Security teams own the policy, they can define what must be remediated and by when. But engineering teams own the codebase, the pipeline, and the developers who do the actual remediation work. When those two forms of authority live in separate hands and are measured against different outcomes, compliance versus velocity, the same vulnerability gets triaged very differently depending on who is in the room. Policy without resource authority is a list of requirements someone else has to execute. Until the authority to define the requirement and the authority to act on it are connected by a shared operating model, ownership confusion is the default state.
Why don't common workarounds such as embedded security engineers, package allowlists, executive mandates solve the problem?
Each workaround addresses one dimension of the problem while leaving the others intact. Embedding security engineers inside engineering sprints works for teams that have the dedicated resource, but a single security engineer cannot scale governance across a 500-developer organization, they become a bottleneck with a different job title. Homegrown package lists give security teams an approved inventory to point developers toward, but the moment the list falls a version behind, developers find a way around it and shadow dependencies enter the environment anyway. Executive mandates create accountability after an incident but tend to fade as urgency decreases and shipping commitments increase. What all three share is that they depend on humans doing consistently, at scale, what infrastructure could be doing instead.
How have AI coding assistants made the ownership problem worse?
Before AI tools, the accountability chain was at least traceable: a human developer made a decision to pull in a library, and that decision was logged, reviewable, and assigned to someone. AI coding assistants broke that chain. When an AI agent autonomously selects and incorporates open source packages as it generates code, the answer to "who chose this dependency?" is sometimes "the AI did, and nobody reviewed it before it hit the pipeline." The result is that modern applications are accumulating open source dependencies, each with their own transitive dependencies, license conditions, and vulnerability histories, faster than any governance model built around human-speed, human-driven decisions can keep pace with.
What does it mean to make the secure choice the path of least resistance?
It means moving enforcement upstream of the decision point, so the right choice is the default rather than the result of a review process. In practice this looks like approved open source components being enforced at the point of ingestion before anything reaches the build pipeline, remediation happening automatically on a contractual timeline rather than entering a backlog that security and engineering have to negotiate through, and governance running in the background, invisible to developers, so the secure path and the fast path are the same path. When security is built into the defaults rather than layered on top of existing workflows as a checkpoint, ownership stops being a cultural negotiation and becomes a structural outcome.
How should security leaders and engineering leaders reframe the questions they're asking?
Security leaders tend to ask how to get engineering to take security more seriously. The more useful question is: how do we minimize the number of decisions that require human follow-up at all? Every manual escalation, exception review, and ownership negotiation is a signal that the governance model depends on humans doing what infrastructure could be doing instead. Engineering leaders tend to ask how to keep security from slowing the team down. The better question is: how do we make sure the team never has to stop for a security fire drill? Sprint interruptions, late-breaking CVE blocks, and release delays are the cost of open source governance that isn't embedded in workflows before code ships. Both questions have the same answer: a shared operating model where security gets the enforcement it needs and engineering gets the autonomy it wants, without requiring either team to win an argument every time something needs to be fixed.
.png)
.png)
.png)