Great talks tonight @dallas_hackers.
Two things as takeaways tonight:
1. I actually worked to operationalize LINDDUN for Privacy by Design. It's actually working out cheaper to do at design time than tack it on later. Hard with legacy apps, but still better to model it first and prioritize. AND, IT'S A COMPLIANCE REQUIREMENT.
2. AppSec requires you to meet the devs where they are at. Part of the failure here, though, is a credibility issue. SAST or DAST tools are rife with false positives and require a ton of tuning. Without a triage process that's a failing strategy, because developers don't trust you, and triage takes a long time, which slows deployment. IAST, interactive application security testing, is much higher fidelity; use that instead.
Leo
🇲🇽