Application Security and the Bravery of Tactical Execution
• Application security programs do much better tactically
Lightweight and iterative
Focus on operational excellence, less on authority
Example: Measure every meaningful aspect of your assessment and incident response programs. Share those results far and wide.
A Digression on Authority & Buy-In
Assessments have a Flow
Tactical Assessment Principles
Assessment Tactics
Navigating the wilderness of existential assessment questions
Pitfalls
Critical Security Bugs
• 77 critical bugs handled in the past year
Handling Outside Reports
• On-call pentester to handle incoming reports
Determining Scope of Impact
Bug Classifications and Why We Built It
Sample Bug Classification Table
Importance of Communication During an Incident
• Incident success or failure is judged by others in your company
• Coordination and communication are key
Communication Email Template
Reducing the Threat Surface
Public Bug Bounties Today
• Main motivations for companies to build programs
What Do These Ratios Really Mean to Me?!
Wrapping Up
• Tactical approaches to application security should be
• Treat your assessment program like a consultancy
• Application incident response may be the most important thing to get right the…
Description:
Explore a tactical approach to application security that challenges conventional wisdom and focuses on getting things done. Learn how to establish a lightweight, high-impact team capable of performing hundreds of assessments, handling numerous bugs, and setting up a private bug bounty program in just one year. Discover actionable advice for program managers and strategies for workers to drive change from within. Gain insights into measuring and sharing assessment and incident response results, navigating assessment principles and tactics, handling critical security bugs, and managing outside reports. Understand the importance of communication during incidents, learn how to reduce the threat surface, and critically examine public bug bounty programs. Walk away with practical strategies for implementing a tactical security program that prioritizes operational excellence and delivers tangible results.
The Tactical Application Security Program - Getting Stuff Done