2023 Source Zero Con

The Nooks and Crannies of AppSec Programs

Wednesday, June 21  |  12:00 p.m. - 12:45 p.m. ET

Have you ever wondered what the often-overlooked parts of a mature AppSec Program are?

Let’s face it, application security programs can be as simple or complex as you want them to be. But when we look at a mature program, one that's designed as a function of risk management and factors risk mitigation into its operational principles, there are a lot of nooks and crannies for mitigating techniques to exist. While many companies only consider AppSec programs in terms of tools and pipelines, there are quite a few opportunities to elevate your security posture using the standard transfer, avoid, reduce, and accept responses.

In this talk, we're going to explore some of those nooks and crannies of an AppSec program that may be overlooked when doing high-level strategic planning. Some of what we're going to look at during this presentation includes secure supply chain management in depth, layered KPIs, application risk profile-based training policies, and others.

John Tsangaris