The Tactical Application Security Program - Getting Stuff Done

Explore a tactical approach to application security that challenges conventional wisdom and focuses on getting things done. Learn how to establish a lightweight, high-impact team capable of performing hundreds of assessments, handling numerous bugs, and setting up a private bug bounty program in just one year. Discover actionable advice for program managers and strategies for workers to drive change from within. Gain insights into measuring and sharing assessment and incident response results, navigating assessment principles and tactics, handling critical security bugs, and managing outside reports. Understand the importance of communication during incidents, learn how to reduce the threat surface, and critically examine public bug bounty programs. Walk away with practical strategies for implementing a tactical security program that prioritizes operational excellence and delivers tangible results.

Intro
What security team do you want to work with?
Application Security and the Bravery of Tactical Execution • Application security programs do much better tactically
Lightweight and iterative
Focus on operational excellence, less on authority Example: Measure every meaningful aspect of your assessment and incident response programs. Share those results far and wide.
A Digression on Authority & Buy-In
Assessments have a Flow
Tactical Assessment Principles
Assessment Tactics
Navigating the wilderness of existential assessment questions
Pitfalls
Critical Security Bugs 77 Critical bugs handled in the past year
Handling Outside Reports . On call pentester to handle incoming reports
Determining Scope of Impact
Bug Classifications and Why We Built It
Sample Bug Classification Table
Importance of Communication During an Incident Incident success or failure is judged by others in your company • Coordination and communication are key
Communication Email Template
Reducing the Threat Surface
Public Bug Bounties Today • Main motivations for companies to build programs
What Do These Ratios Really Mean to Me?!
Wrapping Up • Tactical approaches to application security should be • Treat your assessment program like a consultancy • Application incident response may be the most important thing to get right then consider bounty programs