It used to be that security tooling was sold to security folks (compliance, audit, CISO offices, etc.); actually, it still largely is. But more and more we see developers driving security tooling conversations. These days we even see development orgs actively pursuing security tooling ahead of their security counterparts.
Before appsec, my background was infrastructure security (15 years), and I still follow a lot of that technology. I’m not sure I see the same paradigm shift for network security, infrastructure security, database security, etc., and security functions around those technologies still seem largely reactive (i.e., primarily used after production deployments in the form of audits/pen tests).
Are developers just trying to ease their own pain by helping drive the appsec tooling conversations and pushing for tooling they like, or has something else changed?