AppSec: from Outsiders to Allies


Authors: Chris Wysopal


The presentation discusses the importance of team collaboration and continuous improvement in achieving secure code and reducing remediation time. It also highlights how using multiple testing techniques and APIs reduces remediation time. The future of application security is also discussed, with a focus on managing supply chain risk.
  • Team collaboration and continuous improvement are crucial in achieving secure code and reducing remediation time
  • Using multiple testing techniques and APIs can significantly reduce remediation time
  • Managing supply chain risk is the future of application security
The speaker shared that building relationships and understanding each other's goals and struggles at the peer level, such as between security practitioners and developers, is essential to becoming one team with shared accountability. This leads to less work to achieve the same secure outcome and lets the development team avoid slowing down. The speaker also presented data showing that using multiple testing techniques and APIs can cut remediation time in half, while running scans steadily instead of in bursts can reduce remediation time by 15.5 days on average.


AppSec's roots began with late-90's vulnerability research and the ultimate technology outsiders, hackers. Microsoft didn't even want to touch application security until customers threatened to stop buying over the monthly worms of the early 2000's. Then the threat space changed: attacks weren't just done for fun, but by criminal gangs and nation states. Critical bugs were monetized in the millions of dollars and led to national-level security events. In 2021 there is a realization that the security of the software the government purchases has a lot to do with how secure the government is. Now almost every development team needs some AppSec, and they want it tightly embedded in their development process. This talk will discuss how we got here and how we need to work as allies with the software development team.