SecAppDev 2026 lecture details
Achieving Risk-based and Effective Security Testing
This talk discusses how to achieve a risk-based and effective security testing strategy by taking ownership of what to test and how to test it, instead of relying on the limited built-in checkers of off-the-shelf security scanning tools.
Monday June 1st, 14:00 - 15:30
Room West Wing
Abstract
Many software organizations, when faced with the need to detect security vulnerabilities earlier in the software development life cycle, quickly reach for off-the-shelf security scanners as an automated "oracle".
This talk discusses the weaknesses of this tool-centric strategy, and instead proposes a two-pronged approach: validating known product-specific security risks, and creatively discovering previously unknown risks. We also cover feedback loops from security testing activities to the rest of the SDLC to bootstrap immature teams and continuously improve more experienced teams.
Key takeaway
Take ownership of your security testing strategy to improve coverage and efficiency; do not let tool vendors create a sub-optimal strategy for you.
Content level
Deep-dive
Target audience
Participants in software development governance, design, implementation, testing or operations.
Prerequisites
Basic familiarity with the different activities in the secure software development life cycle, see OWASP SAMM.
Ruben De Visscher
Principal Product Security Consultant, Toreon
Expertise: Application security, secure SDLC, secure design, secure coding, security testing
Related lectures
Secure by Design — Ideas and Techniques
Introductory lecture by Dan Bergh Johnsson and Daniel Deogun in room West Wing
Monday June 1st, 11:00 - 12:30
Security is a design concern, not just an implementation concern. This session shows how domain modelling, type design, and boundary thinking can structurally eliminate entire classes of vulnerability - before attackers ever get a chance.
Key takeaway: Security is a quality aspect of software, like maintainability or correctness. Teams that design for quality get security as an emergent benefit.
What's New in ASVS v5
Advanced lecture by Eden Sofia Yardeni in room West Wing
Tuesday June 2nd, 14:00 - 15:30
A practical session for security practitioners already familiar with ASVS, covering what changed in v5, how to apply it in code review, how it can be used alongside other AppSec tools, and common pitfalls / best practices.
Key takeaway: Coding standards are even more relevant in an age where LLMs are writing most code, making ASVS an increasingly useful resource.
Secure by Design — A Design Lens on Real Breaches
Deep-dive lecture by Daniel Deogun and Dan Bergh Johnsson in room Lemaire
Wednesday June 3rd, 09:00 - 10:30
Real breaches, analysed not for how they were exploited but for why they were exploitable. Each reveals a design omission that Secure by Design thinking could have caught — and a lesson you can apply to your own systems.
Key takeaway: Breaches have root causes deeper than the exploit. Learn to trace them back to design omissions.