SecAppDev 2026 lecture details
Achieving Risk-based and Effective Security Testing
This talk discusses how to achieve a risk-based and effective security testing strategy by taking ownership of what and how to test instead of relying on limited built-in checkers of off-the-shelf security scanning tools.
Schedule TBD
Abstract
Many software organizations, when faced with the need to detect security vulnerabilities earlier in the software development life cycle, quickly reach for off-the-shelf security scanners as an automated "oracle".
This talk discusses the weaknesses of this tool-centric strategy, and instead proposes a two-pronged approach: validating known product-specific security risks, and creatively discovering previously unknown risks. We also cover feedback loops from security testing activities to the rest of the SDLC to bootstrap immature teams and continuously improve more experienced teams.
Key takeaway
Take ownership of your security testing strategy to improve coverage and efficiency; do not let tool vendors create a sub-optimal strategy for you.
Content level
Deep-dive
Target audience
Participants in software development governance, design, implementation, testing or operations.
Prerequisites
Basic familiarity with the different activities in the secure software development life cycle (see OWASP SAMM).
Join us for SecAppDev. You will not regret it!
Grab your seat now
Ruben De Visscher
Principal Product Security Consultant, Toreon
Expertise: Application security, secure SDLC, secure design, secure coding, security testing
Related lectures
What's New in ASVS v5
Advanced lecture by Eden Sofia Yardeni
A practical session for security practitioners already familiar with ASVS, covering what changed in v5, how to apply it in code review, how it can be used alongside other AppSec tools, and common pitfalls / best practices.
Key takeaway: Coding standards are even more relevant in an age where LLMs are writing most code, making ASVS an increasingly useful resource.
Security by default - A European perspective on cyber resilience
Deep-dive lecture by Freddy Dezeure in room Lemaire
A technical deep dive into how Microsoft implements security, resilience, and regulatory compliance at scale—mapping NIS2, DORA, and Secure-by-Default principles to concrete controls, engineering processes, and tenant-level protections.
Key takeaway: Learn how regulatory requirements become enforceable controls, measurable metrics, and practical Secure-by-Default engineering across cloud systems.
Building secure applications in the age of AI agents
Introductory lecture by Pieter Philippaerts
This session explores real-world security risks in AI-assisted coding and presents best practices to mitigate them and securely integrate AI into the development lifecycle.
Key takeaway: AI is a powerful force multiplier, but only when paired with strong security practices, verification, and human oversight.