The document summarizes how application security programs often work in reality compared with the ideal. It notes that training is often not fully effective due to costs and scheduling issues. Threat modeling and security requirements are rarely fully implemented due to lack of prioritization and changing project scopes. Security testing tools have limitations and face resistance from developers and testers concerned with deadlines. Legacy application remediation is difficult because ongoing budgets are lacking and security is given lower priority than new features. Effectively running an application security program requires balancing technical and social aspects to overcome cultural and process barriers.