Premium Only Content
 
			Why All AppSec Experts Suck – Part 1: SAST, DAST, Toolchains & Training with Michael Burch
In this first episode of the expert mini-series following “Why All AppSec Products Suck,” I’m joined by **Michael Burch**, Director of Application Security at **Security Journey**, to explore the harsh realities and nuanced truths about AppSec tooling.
We dig deep into how developers really use (and misuse) tools like **SAST**, how to layer solutions across tech stacks, the pros and cons of **bug bounties**, and how **secure coding education** is the fix we keep forgetting.
🔍 **What you'll learn in this episode:**
- Why SAST tools should be treated like linters, not audits
- The tension between coverage (breadth) vs. accuracy (depth)
- Why open source tools might outperform “catch-all” vendors
- How to balance toolchains in a polyglot organization
- Bug bounties as a proving ground for future security talent
- Why security tooling is just a **safety net**, not the solution
---
⏱️ **Chapters:**
1. 00:00 – Intro & shift to expert interviews
2. 01:02 – Meet Michael Burch: Secure coding advocate
3. 02:06 – Why secure coding needs to be the foundation
4. 04:15 – Cyber Patriots & ChatGPT as insecure interns
5. 06:20 – How devs unknowingly build vulnerable apps
6. 08:30 – AppSec series feedback + tool category wrap-up
7. 10:20 – SAST tools: glorified linters or security engines?
8. 12:15 – IDE-integrated scanning vs. pipeline-only
9. 14:00 – Swiss army tools vs. language-specific tools
10. 16:50 – Scaling toolchains in multi-language orgs
11. 18:45 – The value of layering SAST, DAST, and IAST
12. 21:00 – Pen testing: language-agnostic by design
13. 23:00 – Bug bounties: chaos vs. coverage
14. 24:45 – Safety nets, not silver bullets
15. 26:45 – Outro & shared agreement: no one tool wins
---
📚 **This episode is part of a comprehensive series**, where we cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **Explore More**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev
To learn more from Micheal Burch
- https://youtu.be/Ua_9tvGEkMA
- https://twitter.com/TacticalAppSec
- 	
				 LIVE LIVESpartakusLIVE3 hours agoSpart Flintstone brings PREHISTORIC DOMINION to REDSEC286 watching
- 	
				 1:05:02 1:05:02BonginoReport6 hours agoKamala CALLED OUT for “World Class” Deflection - Nightly Scroll w/ Hayley Caronia (Ep.167)106K65
- 	
				 54:36 54:36MattMorseTV4 hours ago $24.06 earned🔴The Democrats just SEALED their FATE.🔴41.3K67
- 	
				 8:07:01 8:07:01Dr Disrespect12 hours ago🔴LIVE - DR DISRESPECT - ARC RAIDERS - SOLO RAIDING THE GALAXY119K12
- 	
				 1:32:00 1:32:00Kim Iversen7 hours agoThe World’s Most “Moral” Army — Kills 40 Kids During "Ceasefire" | Socialism's Coming: The Zohran Mamdani Agenda96.8K170
- 	
				 1:04:50 1:04:50TheCrucible6 hours agoThe Extravaganza! EP: 63 with Guest Co-Host: Rob Noerr (10/30/25)82.8K7
- 	
				 LIVE LIVEGritsGG5 hours agoQuads! #1 Most Wins 3880+!99 watching
- 	
				 2:51:31 2:51:31Spartan6 hours agoFirst playthrough of First Berserker Khazan24.5K1
- 	
				 5:48:29 5:48:29The Rabble Wrangler20 hours agoBattlefield 6 - RedSec with The Best in the West26.4K1
- 	
				 37:53 37:53Donald Trump Jr.7 hours agoAmerican Dominance vs Dems' Delusion | TRIGGERED Ep.28744.6K65