The Tactical Application Security Program - Getting Stuff Done
Offered By: Black Hat via YouTube
Course Description
Overview
Explore a provocative approach to application security in this Black Hat conference talk. Challenge conventional wisdom as the speakers advocate for a tactical, results-driven security program. Learn how to establish a lightweight yet effective team capable of conducting numerous assessments, handling bugs efficiently, and implementing a private bug bounty program within a year. Gain actionable advice for program managers and discover strategies for workers to drive change from within organizations. Examine the pros and cons of public bug bounty programs and understand why the speakers advise against them. Delve into topics such as operational excellence, application assessments, incident response, and effective communication strategies. Discover real-world case studies, practical examples, and key takeaways to improve your organization's security posture through a tactical, agile approach.
Syllabus
Introduction
Tactical Approach
Lightweight
Agile
Operational Excellence
Code Yellow
Authority Buy-in
Application Assessments
Office Hours
Service Catalog
Product Review
Internal Assessments
Assessment Pitfalls
Missing the Big Picture
Application Incident Response
Critical Bugs
Handling Incoming Reports
Case Study Changing Faces
Bug Reporting
Push Code Fast
Cleanup
Taste Study
What We Found
Bug Severity Table
Communication
Example Email
Setting Expectations
Collaboration
Bug Bounty Programs
Case Study
How did we get to our program
Our private bug bounty program
Signal-to-noise ratio
Impact on business
Signal to noise ratio
Key takeaways
Technology
Taught by
Black Hat