Preview Mode Links will not work in preview mode

Nov 15, 2017

Direct Link:


Michael De Libero spends his work hours running an application security team at a gaming development company. I (Bryan) was really impressed at the last NCC Group Quarterly meetup when he gave a talk (not recorded) about how to properly build out your Application Security Team.

So I asked him on, and we went over the highlights of his talk. Some of the topics included:

Discussing with management your manpower issues

Who to include in your team

Communication between teams



Youtube Channel:

#iTunes Store Link:

#Google Play Store:

Our main site:


Join our #Slack Channel! Sign up at

or DM us on Twitter, or email us.

#iHeartRadio App:


Comments, Questions, Feedback:

Support Brakeing Down Security Podcast on #Patreon:

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM :

#Stitcher Network:

#TuneIn Radio App:







Amanda’s appearance on PSW


Building an AppSec Team - Michael de Libero (@noskillz)\


Need link to Michael’s slides --


Random Notes from Mike:

  • Hiring
  • WebApps vs More traditional apps
    • Release cycles differ
    • Tech stacks can often differ
    • Orgs are different
    • Etc…
  • Testing-focus vs. “security health”
  • Role of management
    • Managing a “remote” team
  • Handling incoming requests from other teams


How do you sell a company on having an appsec team if they don’t have one?


If you have an existing ‘security team’, how easily is it to augment that into an appsec team?

Can you do job rotation with some devs?

Do devs care enough to want to do code audits

“That’s not in my job description”


Skills needed in an appsec team

Does it depend on the tech used, or the tech you might use?


Internal security vs. consultants


Intro to RE course with Tyler Hudak


Bsides Wellington speaker Amanda Berlin