Although it is not particular to application security, developers often feel that security is in the business of saying no. Or, in other words, making development and acquisition projects late and over budget. It should be no surprise that selling security to architects and developers is therefore on average a challenging task. But it does not have to be this way. Hidden inside the many application security requirements and activities are things that could make development easier and faster. Although adding additional security effort does take time, doing it the right way spends much of this effort on creating foundations instead of project-by-project fixes. Knowing how to articulate these potential advantages, and combining the domain-specific knowledge of the security, architecture, and development teams to design and maintain these foundational elements makes security much easier in the long run. And the business will be grateful for it.