What are organizations doing around building a formal AppSec Awareness Program?

Or is it just developer education at your leisure? I would love to hear anyone’s thoughts.

In my experience this depends hugely on the org. Things like size, funding, and vertical have a huge impact.

Most medium or larger, security-focused or enterprise shops I’ve worked with or at have started or been down the road of putting together an appsec stance, and some amount of team to support that, even if it’s just one person.

That’s just my experience though, would be interested in hearing from others.