

This webcast has been archived.

Choosing the Right Path to Application Security

  • Wednesday, May 24, 2017 at 1:00 PM EDT (2017-05-24 17:00:00 UTC)
  • Adam Shostack, Chris Wysopal


  • Veracode




The cloud has changed corporate application development so much that we are only now realizing the extent of the changes. Running on different servers in someone else's datacenter is very different from running inside a protected perimeter, on a carefully monitored datacenter server attached to dedicated network connections that provide access to only a few. Most corporate application development is already aimed primarily at the Web. Application developers have raised their cadence so that releases come every few days, not once or twice a year. AppSec now has to squeeze into tiny windows of time and fit into endlessly repeated rounds of action, result and re-evaluation, which has changed the jobs of nearly everyone involved in application security, from developers to SysAdmins. The speed, repetitiveness and changes in responsibility make it hard for traditional approaches to app sec to work, but most organizations find it disruptive to make a wholesale leap to DevOps or other agile development methods that are, by comparison, just as radical.

AppSec and threat-management guru Adam Shostack will examine the choices, lay out best practices for using both methods of app sec in one larger organization, and provide criteria for deciding which should take precedence, when and for what, and how to structure an organization to adapt to an environment changing as quickly and drastically as the web apps themselves.


Speaker Bios

Adam Shostack

Adam Shostack is an entrepreneur, technologist, author and game designer. He's a member of the Black Hat Review Board and helped found the CVE, among other things. Adam is currently helping a variety of organizations improve their security, as well as advising and mentoring startups as a MACH37™ Star Mentor. At Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is author of "Threat Modeling: Designing for Security," and co-author of "The New School of Information Security."

Chris Wysopal

Chris Wysopal is Co-Founder and Chief Technology Officer at Veracode, which he co-founded in 2006. He oversees technology strategy and information security. Prior to Veracode, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec.

In the 1990s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified to the US Congress on the subjects of government security and how vulnerabilities are discovered in software.

Chris received a BS in computer and systems engineering from Rensselaer Polytechnic Institute. He is the author of The Art of Software Security Testing.

Chris is often called upon to download the latest Minecraft mods for his 6-year-old son. An avid photographer and nature-lover, Chris spends his free time hiking the many conservation trails near his home outside Boston.
