SecAppDev 2025 lecture details
The Bug Bounty Effect: From DevSecOops to Success!
Discover how bug bounty programs outperform traditional AppSec tools by uncovering more vulnerabilities at lower cost. We share real-world examples, strategies, and challenging takes on conventional security practices.
Tuesday June 3rd, 09:00 - 10:30
Room Lemaire
Abstract
Since 2019, our organization has explored AppSec practices – from code scanning to dynamic testing – across the DevSecOps lifecycle. These methods often yield false positives or struggle to scale, resulting in more "DevSecOops" than actionable results. In contrast, our private bug bounty program consistently delivers. In this session, you will discover how bug bounties uncover more vulnerabilities at a fraction of the cost, learn from real-world examples, and hear spicy takes that challenge traditional AppSec advice. We will also tackle a few vulnerability challenges from past reports.
Key takeaway
Bug bounty programs are essential and should be the key ingredient in modern AppSec programs.
Content level
Deep-dive
Target audience
Developers, Security Engineers/Champions, Architects
Prerequisites
Bring a laptop if you want to solve vulnerability challenges!
Join us for SecAppDev. You will not regret it!
Grab your seat now
Emil Vaagland
Head of Product Security, Schibsted Marketplaces (soon to be Vend)
Expertise: Bug Bounty programs & Product Security
Related lectures
My Name Is Not Cassandra: AppSec and "I Told You So"
Advanced lecture by Izar Tarandach in room Lemaire
Wednesday June 4th, 16:00 - 17:15
Lack of authority, an outsider's view of the development process and a faulty language of risk. Are security practitioners fated to point at risk and not be heard?
Key takeaway: "Raw" security can be fun, but does not lead to change. We must adapt our ways in order to impact the environment we want to protect.
Reviewing 3rd party libraries security using Scorecards
Introductory lecture by Niels Tanis in room West Wing
Tuesday June 3rd, 14:00 - 15:30
We rely on 3rd party libraries which results in security risks. OpenSSF’s Scorecard helps assess package security. This session explores its checks and additional insights to strengthen supply-chain security.
Key takeaway: Understanding how to leverage the OpenSSF Scorecard to review used 3rd party libraries more easily.
Value Driven Security - A Roadmap to Business Alignment
Introductory lecture by Avi Douglen in room West Wing
Wednesday June 4th, 14:00 - 15:30
Much of security today is generic best practices and checkbox olympics. Shame to waste resources on stuff no one really cares about! Better to map out the business' value streams, and invest efforts in protecting what is actually important.
Key takeaway: Strategic planning requires understanding your environment, your goals, and your challenges. Value-driven mapping techniques help you get there.