Preview Mode Links will not work in preview mode

Apr 15, 2024

Youtube VOD:


#appsec, #owasp, #ASVS, #joshGrossman, #informationsecurity, #SBOM, #supplychain, #podcast, #twitch, #brakesec, #securecoding, #Codeanalysis

Questions and topics:

1. The background to the topic, why is it something that interests you?
How do you convince developers to take your course?

2. What do you think the root cause of the gap is?

3. Who is causing the gaps? (‘go fast’ culture, overzealous security, GRC requirements, basically everyone?)

4. Where do gaps begin? Is it the ‘need’ to ‘move fast’?

5. What can devs do to involve security in their process? Sprint planning? SCA tools?

6. How have you seen this go wrong at organizations?

7. How important is it to have security early in the product development process?

8. What sort of challenges do you think mainstream security people face in AppSec scenarios?

9. How does Product Security differ from Application Security? (what if the product is an application?)

10. What are the key development concepts that security people need to be familiar with to effectively get involved in AppSec/ProdSec?

11.. How do you suggest a security team approach AppSec/ProdSec?
               Leadership buy-in
               Effective/valuable processes
               Tools should achieve a goal

12. SBOM - NTIA is asking for it, How to get dev teams to care.

13. Key takeaways?

Additional information / pertinent LInks (Would you like to know more?):
BlackHat Training:

SCA Tools

PyCon talk about custom security testing: 

Michal's Black Hat course - Accurate and Scalable: Web Application Bug Hunting: 

ASVS website: 

Lightning talk I did recently about OWASP: 

Show points of Contact:
Amanda Berlin: @infosystir @hackershealth 
Brian Boettcher: @boettcherpwned
Bryan Brake: 
Brakesec Website:
Youtube channel:
Twitch Channel: