SAINTCON 2023 - Michael Fischer - You are the reason your AppSec Program is failing

Discover the common pitfalls that hinder your AppSec program's success and learn how to overcome them by prioritizing people, process, and technology in this engaging talk.

Key takeaways
  • Your company's AppSec program is most likely failing because of poor communication with engineering teams, not because of its tooling.
  • The problem is people and process, not technology: prioritize people, then process, then technology, in that order.
  • Engage leadership early. Executives need to buy into the program, and senior executive champions must be identified.
  • Work with engineering teams rather than around them, and keep communication a priority; roles, expectations, and responsibilities must be clear on both sides for the program to succeed.
  • Realistic SLAs are crucial. The security team must be able to hold them, and partners and counterparts must negotiate and agree to them before they are enforced.
  • Roll the program out sustainably: start with small, winnable battles to build momentum and credibility, then expand.
  • Automate testing, metrics, and incident response so the program does not depend on manual effort to keep running.
  • The "battleship" of application security is a large, complex problem that requires cooperation and prioritization; war stories from the past, such as the sinking of the Bismarck, can be used to illustrate why AppSec matters.
  • The "domino effect" of security vulnerabilities must be understood and addressed.
  • Application security is not just about software; it also covers hardware, change management, and embracing new technologies.
  • Generative AI is helpful, but its limitations must be understood.
  • Adopt a win-win mindset and focus on long-term security.
  • Change is not easy; cultural shifts are required for application security to succeed.
  • Application security is an ongoing process, not a one-time fix. Design the program to be long-lasting and self-sustaining, and focus on building a sustainable process rather than on fixing individual problems one at a time.
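The takeaways on SLAs and on automating metrics are easier to act on with something concrete. The following is an added example, not code or data from the talk: a small remediation-SLA tracker that computes per-severity due dates, flags breaches, and produces the compliance numbers a security team would report to engineering leadership. The SLA day counts, the field names, and the sample findings are all assumptions constructed for illustration; the talk does not prescribe specific values, and the point is that whatever numbers are chosen are agreed with engineering and then held.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation SLA in calendar days per severity. These values are placeholders
# (assumption, not from the talk); a real team negotiates them with engineering.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    severity: str
    opened: date
    closed: Optional[date] = None  # None while the finding is still open


def due_date(f: Finding) -> date:
    """Date by which the finding must be fixed under the agreed SLA."""
    return f.opened + timedelta(days=SLA_DAYS[f.severity])


def is_breached(f: Finding, today: date) -> bool:
    """True if the finding was closed late, or is still open past its due date."""
    end = f.closed if f.closed is not None else today
    return end > due_date(f)


def sla_metrics(findings, today: date) -> dict:
    """Per-severity SLA report: total findings, how many are within SLA,
    how many are breached, and how many are still open and overdue."""
    report = {}
    for f in findings:
        row = report.setdefault(
            f.severity,
            {"total": 0, "within_sla": 0, "breached": 0, "open_overdue": 0},
        )
        row["total"] += 1
        if is_breached(f, today):
            row["breached"] += 1
            if f.closed is None:
                row["open_overdue"] += 1
        else:
            row["within_sla"] += 1
    for row in report.values():
        row["compliance_pct"] = round(100 * row["within_sla"] / row["total"], 1)
    return report


# Constructed sample findings (not real data), evaluated as of a fixed "today".
TODAY = date(2023, 10, 25)
SAMPLE = [
    Finding("F-1", "critical", date(2023, 10, 1), closed=date(2023, 10, 5)),   # fixed in 4 days: within SLA
    Finding("F-2", "critical", date(2023, 10, 1), closed=date(2023, 10, 12)),  # fixed in 11 days: breached
    Finding("F-3", "high", date(2023, 9, 1)),                                  # open 54 days: overdue
    Finding("F-4", "high", date(2023, 10, 20)),                                # open 5 days: within SLA
    Finding("F-5", "medium", date(2023, 8, 1), closed=date(2023, 10, 1)),      # fixed in 61 days: within SLA
]

if __name__ == "__main__":
    for severity, row in sla_metrics(SAMPLE, TODAY).items():
        print(severity, row)
```

The "open_overdue" count is the one to escalate, since those are the findings currently breaking the agreement with engineering; "compliance_pct" over time is the metric that shows whether the program is sustainable or whether the SLAs were unrealistic to begin with.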