DeepSec 2021 Talk: Running an AppSec Program in an Agile Environment – Mert Coskuner

Sanna/ October 29, 2021/ Conference

Application security in an enterprise is a challenge. We can see this when we look at the statistics: There have been 16648 security vulnerabilities (CVEs) published so far in 2020 and the average severity is 7.1 out of 10.

In this talk, you will find various solutions such as
– Development team risk scoring based on maturity and business aspect,
– SAST/DAST at CI/CD pipeline without blocking the pipeline itself,
– How to leverage bug bounty program,
– When to employ penetration testing,
– When to employ code review,
– Platform developments to remove dependency for developers to implement features, i.e. internal authorization.

Most important of all, you will see these solutions lead to minimal friction within the team, which creates a fine-tuned security program.

We asked Mert a few more questions about his talk.


Please tell us the top 5 facts about your talk.

  • AppSec is hard. If you think it’s not, think again.
  • Traditional security doesn’t work in an agile environment.
  • Scaling eventually becomes a problem for AppSec practices.
  • Smooth development needs smooth security practices.
  • Security controls, when built into development, increase security maturity and knowledge in the long run.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

While dealing with AppSec challenges day to day, I realised that there’s a need to refine knowledge in the wild to reflect how scaling program works in an agile environment.

Why do you think this is an important topic?

Every application security engineer will eventually need an agile and scaling application security program and means to implement it. This will also include teaching your developers and having a continuous communication channel with them.

Is there something you want everybody to know – some good advice for our readers, maybe?

Adopt everything-as-code and have practices to scan them in your integration pipeline.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Scaling and highly customisable tools are the future for a healthy, minimum risk application security program with a note that automation cannot solve all of your problems. As automation grows, a need for security engineers who will interact with the developers day to day to increase overall security maturity will rise.


 Mert Coskuner, MSc is a Security Engineer at Amazon. He is maintaining a Penetration Testing and Malware Analysis blog at In his free time Mert Can is performing mobile malware research and threat intelligence.

Share this Post