Premium Only Content

Why All AppSec Experts Suck – Part 1: SAST, DAST, Toolchains & Training with Michael Burch
In this first episode of the expert mini-series following “Why All AppSec Products Suck,” I’m joined by **Michael Burch**, Director of Application Security at **Security Journey**, to explore the harsh realities and nuanced truths about AppSec tooling.
We dig deep into how developers really use (and misuse) tools like **SAST**, how to layer solutions across tech stacks, the pros and cons of **bug bounties**, and how **secure coding education** is the fix we keep forgetting.
🔍 **What you'll learn in this episode:**
- Why SAST tools should be treated like linters, not audits
- The tension between coverage (breadth) vs. accuracy (depth)
- Why open source tools might outperform “catch-all” vendors
- How to balance toolchains in a polyglot organization
- Bug bounties as a proving ground for future security talent
- Why security tooling is just a **safety net**, not the solution
---
⏱️ **Chapters:**
1. 00:00 – Intro & shift to expert interviews
2. 01:02 – Meet Michael Burch: Secure coding advocate
3. 02:06 – Why secure coding needs to be the foundation
4. 04:15 – Cyber Patriots & ChatGPT as insecure interns
5. 06:20 – How devs unknowingly build vulnerable apps
6. 08:30 – AppSec series feedback + tool category wrap-up
7. 10:20 – SAST tools: glorified linters or security engines?
8. 12:15 – IDE-integrated scanning vs. pipeline-only
9. 14:00 – Swiss army tools vs. language-specific tools
10. 16:50 – Scaling toolchains in multi-language orgs
11. 18:45 – The value of layering SAST, DAST, and IAST
12. 21:00 – Pen testing: language-agnostic by design
13. 23:00 – Bug bounties: chaos vs. coverage
14. 24:45 – Safety nets, not silver bullets
15. 26:45 – Outro & shared agreement: no one tool wins
---
📚 **This episode is part of a comprehensive series**, where we cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **Explore More**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev
To learn more from Micheal Burch
- https://youtu.be/Ua_9tvGEkMA
- https://twitter.com/TacticalAppSec
-
LIVE
The Charlie Kirk Show
1 hour agoTurning Point Halftime + Antifa Panel Aftermath + Right-Wing Taylor Swift? |Patrick, Cuomo|10.9.2025
6,418 watching -
4:27:44
Right Side Broadcasting Network
5 hours agoLIVE REPLAY: President Trump Hosts a Cabinet Meeting - 10/9/25
87.2K37 -
LIVE
Mark Kaye
1 hour ago🔴 Schumer BUSTED Celebrating Democrat Shutdown!
955 watching -
1:00:33
Timcast
2 hours agoTrump To Declare Antifa FOREIGN Terrorist Org, Antifa Leaders FLEE Country
120K46 -
2:41:53
MattMorseTV
3 hours ago $4.58 earned🔴Trump's Cabinet Meeting BOMBSHELL.🔴
40.7K27 -
DVR
Neil McCoy-Ward
1 hour ago🔥 SHOCK! What She Just DECLARED Over The 🇺🇸 USA & Trump!
5.17K2 -
LIVE
Rebel News
56 minutes agoLive from ostrich farm, Trump lists Antifa as terrorists, Poilievre calls out Carney | Rebel Roundup
338 watching -
1:23:28
The White House
3 hours agoPresident Trump Hosts a Cabinet Meeting, Oct. 9, 2025
3.71K8 -
LIVE
TheAlecLaceShow
1 hour agoTrump Makes Peace With Israel & Hamas | RIP Antifa | Guest: Shane Winnings | The Alec Lace Show
29 watching -
1:00:36
The Rubin Report
3 hours agoWatch the Exact Moment Donald Trump Knew He Pulled Off Impossible Israel-Hamas Peace Deal
36K22