


Asking the Right Questions about Dynamic Scanning to Secure Web Applications: A Buyer's Guide to App Sec Scanning Tools

  • Tuesday, September 12, 2017 at 1:00 PM EDT (2017-09-12 17:00:00 UTC)
  • Joe Pelletier, Barbara Filkins


  • Veracode




Cloud computing has shifted the focus of application security away from security specialists in IT operations, who used to scan for flaws after an application was finished, and into the hands of developers. According to the 2015 and 2016 SANS Application Security Surveys, DevOps and other continuous development methods are moving responsibility for quality and security onto developers rather than onto operations staff who scan a finished application. Those surveys showed that only 22% of development organizations did their own security assurance in 2015; a year later, that share had grown to 30%.

Securing a web app across its life cycle is fundamentally different from securing an app born inside a secure perimeter. Sophisticated tools designed to scan running applications in their native environments are more complex, and harder to choose among, than old-fashioned vulnerability scanners. The threat they are designed to counter is also more intensive and more pervasive, which makes the choice of tools more important than it was when application security could afford to be treated as an afterthought.

The tools and requirements have changed so quickly that even the process used for selecting the correct tool is no longer adequate.

SANS expert Barbara Filkins will help walk you through the decision process, laying out the major market segments, identifying the must-have tool functions for specific roles in development, testing and maintenance of software throughout its lifetime. She'll also help identify the types of tools that are most cost efficient based on impact, functionality, the need for additional training, applicability to given computing platforms and other factors.

We can't offer a generic RFP template that you can copy/paste and email to suppliers, but we'll get as close as we can.

Sign up for this webcast and learn how to do due diligence on procuring app sec scanning and analysis tools.

We'll cover:

  • How to identify the best sets of requirements for specific job roles;
  • Levels of automation and required expertise needed with certain tools -- and when each might be a benefit;
  • Guidelines for developing proofs of concept and best-practice guides, and how to identify frequent pitfalls.

SANS won't tell you what tool to buy, but can show you what questions to ask, including:

  • How to weight responses based on your organization's priorities;
  • How to build a use case relevant to current development and testing -- with a mix of waterfall and agile processes; and
  • How to put together a detailed set of criteria you can use to help make the right decision and ensure you took the best route to get there.

An associated whitepaper, with full analysis and explanation of these and other AppSec/vulnerability scanning issues, is available from report author and SANS expert Barbara Filkins.

Speaker Bios

Barbara Filkins

Barbara Filkins, SANS Analyst Program Research Director, holds several SANS certifications, including the GSEC, GCIH, GCPM, GLEG and GICSP, the CISSP, and an MS in information security management from the SANS Technology Institute. She has done extensive work in system procurement, vendor selection and vendor negotiations as a systems engineering and infrastructure design consultant. Barbara focuses on issues related to automation—privacy, identity theft and exposure to fraud, plus the legal aspects of enforcing information security in today’s mobile and cloud environments, particularly in the health and human services industry, with clients ranging from federal agencies to municipalities and commercial businesses.

Joe Pelletier

Joe Pelletier is the Director of Product Management for Veracode's Web Application Security and Runtime Protection product lines. He has worked in application security for more than six years, originally helping large enterprise clients implement secure development practices and programs. Joe is a hands-on learner and is passionate about building great products and teams. Prior to Veracode, Joe worked in the financial services industry and helped develop portfolio management and investment research platforms. He received his degree in Finance from Bryant University.
