SecAppDev 2025 lecture details
My Name Is Not Cassandra: AppSec and "I Told You So"
Lack of authority, an outsider's view of the development process and a faulty language of risk. Are security practitioners fated to point at risk and not be heard?
Wednesday June 4th, 16:00 - 17:15
Room Lemaire
Abstract
In Greek mythology, Cassandra was a priestess of Apollo, cursed to predict the future but not be believed about it. And that, in a pinch, is the description of many an AppSec practitioner. We point at risk but are ignored; we identify issues but they are de-prioritized. Security people are expected to lead, but without authority, and talk a language of risk that is foreign to developers - does this make the work impossible? In this talk we will look at why this happens, what we can do about it, and how we can finally change it.
Key takeaway
"Raw" security can be fun, but does not lead to change. We must adapt our ways in order to impact the environment we want to protect.
Content level
Advanced
Target audience
Security Practitioners, Security Champions, Managers of Security and Development
Prerequisites
A basic understanding of the Secure Development Lifecycle
Izar Tarandach
Sr. Principal Security Architect
Expertise: Threat Modeling, Application Security and Barstool Philosophy
Related lectures
The Bug Bounty Effect: From DevSecOops to Success!
Deep-dive lecture by Emil Vaagland in room Lemaire
Tuesday June 3rd, 09:00 - 10:30
Discover how bug bounty programs outperform traditional AppSec tools by uncovering more vulnerabilities at lower cost. We share real-world examples, strategies, and challenging takes on conventional security practices.
Key takeaway: Bug bounty programs are essential and should be the key ingredient in modern AppSec programs.
Reviewing 3rd party libraries security using Scorecards
Introductory lecture by Niels Tanis in room West Wing
Tuesday June 3rd, 14:00 - 15:30
We rely on 3rd party libraries, which introduces security risks. OpenSSF's Scorecard helps assess package security. This session explores its checks and additional insights to strengthen supply-chain security.
Key takeaway: Understanding how to leverage the OpenSSF Scorecard to review used 3rd party libraries more easily.
Value Driven Security - A Roadmap to Business Alignment
Introductory lecture by Avi Douglen in room West Wing
Wednesday June 4th, 14:00 - 15:30
Much of security today is generic best practices and checkbox olympics. Shame to waste resources on stuff no one really cares about! Better to map out the business's value streams and invest efforts in protecting what is actually important.
Key takeaway: Strategic planning requires understanding your environment, your goals, and your challenges. Value-driven mapping techniques help you get there.