Why All AppSec Experts Suck – Part 1: SAST, DAST, Toolchains & Training with Michael Burch
In this first episode of the expert mini-series following “Why All AppSec Products Suck,” I’m joined by **Michael Burch**, Director of Application Security at **Security Journey**, to explore the harsh realities and nuanced truths about AppSec tooling.
We dig deep into how developers really use (and misuse) tools like **SAST**, how to layer solutions across tech stacks, the pros and cons of **bug bounties**, and how **secure coding education** is the fix we keep forgetting.
🔍 **What you'll learn in this episode:**
- Why SAST tools should be treated like linters, not audits
- The tension between coverage (breadth) vs. accuracy (depth)
- Why open source tools might outperform “catch-all” vendors
- How to balance toolchains in a polyglot organization
- Bug bounties as a proving ground for future security talent
- Why security tooling is just a **safety net**, not the solution
---
⏱️ **Chapters:**
1. 00:00 – Intro & shift to expert interviews
2. 01:02 – Meet Michael Burch: Secure coding advocate
3. 02:06 – Why secure coding needs to be the foundation
4. 04:15 – Cyber Patriots & ChatGPT as insecure interns
5. 06:20 – How devs unknowingly build vulnerable apps
6. 08:30 – AppSec series feedback + tool category wrap-up
7. 10:20 – SAST tools: glorified linters or security engines?
8. 12:15 – IDE-integrated scanning vs. pipeline-only
9. 14:00 – Swiss army tools vs. language-specific tools
10. 16:50 – Scaling toolchains in multi-language orgs
11. 18:45 – The value of layering SAST, DAST, and IAST
12. 21:00 – Pen testing: language-agnostic by design
13. 23:00 – Bug bounties: chaos vs. coverage
14. 24:45 – Safety nets, not silver bullets
15. 26:45 – Outro & shared agreement: no one tool wins
---
📚 **This episode is part of a comprehensive series**, where we cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **Explore More**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev
To learn more from Micheal Burch
- https://youtu.be/Ua_9tvGEkMA
- https://twitter.com/TacticalAppSec
-
58:02
ChopstickTravel
1 month ago $2.68 earnedBillionaire Food in Dubai 🇦🇪 Super Luxury MICHELIN +WAGYU + CAVIAR in UAE!
43.2K3 -
DVR
DLDAfterDark
5 hours ago $1.67 earnedWhat Are The Best Tools For Personal, Home, and Vehicle Defense? After Hours Armory
21.4K3 -
2:58
From Zero → Viral with AI
22 hours ago $0.75 earnedAI Isn’t Ruining Politics — It’s Revealing the Truth.
14.5K3 -
5:21:08
MattMorseTV
6 hours ago $54.39 earned🔴Portland Antifa's LASER ATTACK.🔴
109K66 -
2:57:37
megimu32
5 hours agoOFF THE SUBJECT: SAVAGE SATURDAY | Bodycam Chaos & Fortnite Madness!
30K6 -
3:37:17
Mally_Mouse
1 day ago🌶️ 🥵Spicy BITE Saturday!! 🥵🌶️- Let's Play: Content Warning
37.1K2 -
18:17
JohnXSantos
1 day ago $0.23 earned$1 vs $1,000,000,000 Business!
8.83K -
3:11
Memology 101
21 hours ago $3.44 earnedDon Lemon DESTROYED by LEGAL immigrants after claiming crossing the border illegally ISN'T a crime
19.2K37 -
1:32:31
BooniesHQ
10 hours ago $14.93 earnedGame Of SKATE Jereme Rogers Vs. Jordan Maxham: Boonies Skate Night 3
126K15 -
15:23
Exploring With Nug
17 hours ago $5.52 earnedWe Went Scuba Diving in the River and Found Incredible Lost Relics!
31.3K2