Pushing Left, Like a Boss — Part 9: An AppSec Program
Sep 25, 2019
This article is part of a series, and the previous article was Pushing Left, Like a Boss — Part 8: Testing.
In the talk this blog series is based on, “Pushing Left, Like a Boss”, I detailed what I felt an AppSec program should and could be. Since then, I’ve learned a lot and now see that there are quite a few activities you can do, but it’s the goals and the outcomes that actually matter. Our industry has also changed quite a bit since I wrote that talk (written in 2016, first presented in public in 2017).
My previous thoughts on what a basic AppSec Program should be:
- Vulnerability/Security Assessments and VA scans
- Threat modelling
- Secure Code Review
- Penetration Testing
- And that these activities should cover both COTS (configurable off-the-shelf products, like SharePoint or SAP) and custom apps (software built in-house)