Developers tend to be hesitant of any program that could slow down the production process or cause additional work. So, to get them on board with AppSec, you need to prove that it will not cause a hold up. This means that if security cries wolf, there better be a real flaw or vulnerability. Too many false positives cause developers to lose trust in the program. Another way to get developer buy-in is to implement security champions.