Beyond the Bug Hunt: Unlocking Your AppSec Superpowers
StevenCarlson22
33 slides
Sep 28, 2025
About This Presentation
Beyond just finding flaws, bug bounty programs are a gateway to stronger AppSec by utilizing global collaboration and community. Successful programs require organizations to define a clear scope, offer appropriate incentives to researchers, and prioritize responsible disclosure over legal threats. This collaborative approach helps uncover critical bugs internal teams miss, fostering a security culture that ultimately helps launch cybersecurity careers.
Size: 12.13 MB
Language: en
Added: Sep 28, 2025
Slides: 33 pages
Slide Content
Beyond the Bug Hunt: Unlocking Your AppSec Superpowers
Steven Carlson
Senior Product Security Engineer
About me
Software Engineer who is passionate about clean, secure code.
Helpdesk -> Software Engineer -> Security -> DevSecOps -> Senior Product Security Engineer
https://about.me/rockrunner
Agenda
Vulnerability Management
Lessons Learned
Leveling Up
Q&A
Keep Security Top of Mind
Forethought vs Afterthought
Vulnerability Management
CIA
Confidentiality, Integrity, and Availability
•Confidentiality: ensuring that data remains secret and private.
•Integrity: ensuring that data remains accurate and unaltered.
•Availability: ensuring that information and systems are accessible when needed.
Vulnerability
Security Finding?
•A vulnerability is essentially a weakness in a system, application, or network that can be exploited by malicious actors to gain unauthorized access, steal sensitive data, disrupt operations, or cause other harm. It can exist in various forms.
Triage Process
Security Review
•Identify the finding: understand the nature of the security finding.
•Assess the severity: evaluate the potential impact of the finding on the organization's assets, data, and reputation.
•Determine the likelihood: analyze how likely an attacker is to successfully exploit the vulnerability.
•Make a decision: based on the severity and likelihood of exploitation, security engineers decide on the appropriate course of action.
Risk Matrix
Likelihood x Impact
•Impact is typically measured on a scale of High, Moderate, and Low, considering factors like financial loss, reputational damage, safety hazards, etc.
•Likelihood can be based on historical data, industry trends, expert opinions, or a combination of these.
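As an added worked example (not the deck's code) of the triage steps and the Likelihood x Impact matrix above, the following scores constructed findings and orders them for action; the score thresholds and the remediation targets in days are assumptions a program would set for itself:

```python
from __future__ import annotations
from dataclasses import dataclass

LEVELS = {"Low": 1, "Moderate": 2, "High": 3}


@dataclass
class Finding:
    title: str
    impact: str      # High / Moderate / Low
    likelihood: str  # High / Moderate / Low


def rate(score: int) -> tuple[str, int]:
    """Map a likelihood*impact product (1..9) to a rating and a fix target in days (assumed values)."""
    if score >= 6:
        return "Critical", 7
    if score >= 3:
        return "High", 30
    if score == 2:
        return "Medium", 90
    return "Low", 180


def triage(f: Finding) -> dict:
    """Steps 2-4: assess severity, determine likelihood, make a decision."""
    score = LEVELS[f.impact] * LEVELS[f.likelihood]
    rating, days = rate(score)
    # Low-rated items are accepted and tracked; everything else gets a deadline.
    decision = "accept-and-monitor" if rating == "Low" else f"remediate within {days} days"
    return {"title": f.title, "score": score, "rating": rating, "decision": decision}


def prioritize(findings: list[Finding]) -> list[dict]:
    """Highest score first; ties broken by title so the order is stable."""
    return sorted((triage(f) for f in findings), key=lambda t: (-t["score"], t["title"]))


# Constructed findings from a hypothetical security review
SAMPLE = [
    Finding("Verbose stack trace on error page", "Low", "High"),
    Finding("SQL injection in login form", "High", "High"),
    Finding("Outdated library, no known exploit", "Moderate", "Low"),
    Finding("Debug endpoint reachable only over VPN", "Low", "Low"),
]
```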
Mitigating Risk
Preventing risk from becoming a vulnerability
•Identification - what/where/when/why/how?
•Disclosure - informing the correct person(s)
•Patch Management - mitigating the risk that was found
•Verification - validating that the “fix” was completed successfully
OWASP Top 10
2025: late summer/early fall 2025
•Standard Awareness Document
•Focus on Critical Risks
•Actionable Guidance
•Data-Driven and Community-Supported
Code Scanning
Snyk
•Open Source known issues
•Coding practices with security risk
•Passwords/Keys/tokens
•Known framework issues
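The "Passwords/Keys/tokens" category above is the kind of check a code scanner runs on every commit. The following is an added example (not Snyk's or the deck's code) of that detection over a constructed source file; the rules, the entropy threshold and the sample values are assumptions, and the AKIA... value is a dummy in the public AWS access key ID format:

```python
import math
import re

# Constructed sample file: two hardcoded secrets, one high-entropy literal,
# and one value correctly read from the environment (the remediation).
SAMPLE_SOURCE = """\
import os
db_host = "db.internal.example"
db_password = "Sup3rS3cretPassw0rd!"
aws_key = "AKIAEXAMPLEEXAMPLE01"
api_token = os.environ["API_TOKEN"]
signing_key = "9f8b2c4e7a1d3f6b0c5e8a2d4f7b1c3e"
"""

# AWS access key ID format (public format; the sample value is a dummy)
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A credential-looking variable assigned a quoted literal of 8+ characters
KEYWORD_RE = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)
# Any quoted literal of 20+ characters, checked for randomness below
QUOTED_RE = re.compile(r"[\"']([^\"']{20,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex/base64 tokens score well above prose."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan(source: str) -> list[tuple[int, str]]:
    """Return (line_no, rule) for each line that looks like a hardcoded secret."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if AWS_KEY_RE.search(line):
            findings.append((no, "aws-access-key-id"))
        elif KEYWORD_RE.search(line):
            findings.append((no, "credential-assignment"))
        else:
            m = QUOTED_RE.search(line)
            if m and shannon_entropy(m.group(1)) > ENTROPY_THRESHOLD:
                findings.append((no, "high-entropy-string"))
    return findings
```

Line 5, which loads the token from the environment instead of the source, produces no finding, which is the outcome a fix should reach.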
K.I.S.S.
Keep It Simple, Stupid
•People
•Process
•Technology
•Governance
Shared Partnership
Not just knighting someone
•Create a clear picture
•Share ownership of the product’s security score
•Establish a threat intel feed
•Recommend policy and standard modification
Context is Key
Build the case with Product team(s)
•Training and Education
•Build Relationships
•Regular Feedback Loops
Shift Left and Extend Right
Oldie but a goodie
•Embedding a security engineer within a product team
•Accept work that is achievable and generally understood
•Establish a position within leadership and engineering
Proof is in the Pudding
Find out the truth before spending money
•Should we partner with this vendor?
•Should we use this vendor’s software?
•How often should we require third-party pen tests?
•How will this software affect our network?
Leveling Up
Implementation Framework
Phase 1: Discover your software assets, from code to cloud
Phase 2: Add business context
Phase 3: Manage coverage
Phase 4: Prioritize based on risk
Phase 5: Monitor progress
Application Asset Discovery
Implementation Framework
•Asset discovery across the development pipeline, from build time to runtime
•Integration with developer portals and service catalogs (e.g. Backstage)
•Map relationships between application components
•Establish continuous updates for the asset inventory
Asset Classification
Implementation Framework
•Document business criticality of applications
•Sensitive data types
•Ownership & responsibility
•Lifecycle stage
•Regulatory compliance requirements
•Classify your assets, automate as much as possible
Manual
Linux Command: man man
•Build security in, more than bolt it on.
•Rely on empowered product teams, more than security specialists.
•Implement features securely, more than security features.
•Rely on continuous learning, more than end-of-phase gates.
•Adopt a few key practices deeply and universally, more than a comprehensive set poorly and sporadically.
•Build on culture change, more than policy enforcement.
Resources
Books, Website, and more
Books & Publications
•Application Security Program Handbook by Derek Fisher
•Designing Secure Software by Loren Kohnfelder
•Clean Code by Robert Martin
•Software Transparency by Chris Hughes and Tony Turner
•Threats by Adam Shostack
Online
•SecurityChampionSuccessGuide.org
•attack.mitre.org
•nist.gov/itl/csd/secure-systems-and-applications
•hockeyinjune.medium.com/product-security-14127b5838ba
•santikris2003.medium.com/product-security-dev-sec-tips-2fdb1698a3b3
•https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF
•https://cheatsheetseries.owasp.org/