Developers need to build security into code from the very beginning. But over-reliance on application testing can result in a fruitless race to find every vulnerability, made harder by many distracting false positives. Instead, developers must be trained to adopt a consistent security mindset and to designate "security champions" on their own teams who can help them build secure code more effectively.