Why All AppSec Experts Suck – Part 1: SAST, DAST, Toolchains & Training with Michael Burch
In this first episode of the expert mini-series following “Why All AppSec Products Suck,” I’m joined by **Michael Burch**, Director of Application Security at **Security Journey**, to explore the harsh realities and nuanced truths about AppSec tooling.
We dig deep into how developers really use (and misuse) tools like **SAST**, how to layer solutions across tech stacks, the pros and cons of **bug bounties**, and how **secure coding education** is the fix we keep forgetting.
🔍 **What you'll learn in this episode:**
- Why SAST tools should be treated like linters, not audits
- The tension between coverage (breadth) vs. accuracy (depth)
- Why open source tools might outperform “catch-all” vendors
- How to balance toolchains in a polyglot organization
- Bug bounties as a proving ground for future security talent
- Why security tooling is just a **safety net**, not the solution
---
⏱️ **Chapters:**
1. 00:00 – Intro & shift to expert interviews
2. 01:02 – Meet Michael Burch: Secure coding advocate
3. 02:06 – Why secure coding needs to be the foundation
4. 04:15 – Cyber Patriots & ChatGPT as insecure interns
5. 06:20 – How devs unknowingly build vulnerable apps
6. 08:30 – AppSec series feedback + tool category wrap-up
7. 10:20 – SAST tools: glorified linters or security engines?
8. 12:15 – IDE-integrated scanning vs. pipeline-only
9. 14:00 – Swiss army tools vs. language-specific tools
10. 16:50 – Scaling toolchains in multi-language orgs
11. 18:45 – The value of layering SAST, DAST, and IAST
12. 21:00 – Pen testing: language-agnostic by design
13. 23:00 – Bug bounties: chaos vs. coverage
14. 24:45 – Safety nets, not silver bullets
15. 26:45 – Outro & shared agreement: no one tool wins
---
📚 **This episode is part of a comprehensive series**, where we cover each category of AppSec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **Explore More**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev
To learn more from Michael Burch:
- https://youtu.be/Ua_9tvGEkMA
- https://twitter.com/TacticalAppSec