Why All AppSec Experts Suck! - Part 3: Michael Farnum on Tools, Truths & Trade-Offs
In the third and final episode of this eye-opening series, I’m joined by longtime friend and AppSec veteran **Michael Farnum**, formerly of Fortify and now Advisory CISO at Trace3. Together, we pull back the curtain on what *really* happens behind the scenes of security product development, sales-driven roadmaps, and the illusion of tool “coverage.”
If you’ve ever wondered why AppSec tools fail to live up to their hype—or why “solving” AppSec always feels just out of reach—this episode is a candid, nuanced exploration of why that is.
🔍 **What you'll learn in this episode:**
- How product teams dilute quality trying to “support everything”
- Why breadth vs. depth is the unsolvable riddle in tool design
- How sales and marketing hijack product roadmaps
- The rise of new point solutions and why they often make things harder
- The future: blended tools, better developer alignment, and appsec maturity
---
⏱️ **Chapters:**
1. 00:00 – Intro & series wrap-up
2. 02:06 – Farnum’s journey: Fortify, podcasting & industry legacy
3. 04:53 – SAST, DAST, RASP: the legacy alphabet soup
4. 06:55 – Modernization & the illusion of full coverage
5. 10:30 – Marketing pressure vs. actual tool capabilities
6. 13:28 – Why multi-language support weakens detection depth
7. 15:45 – Shift-left gone wrong: added complexity for ops
8. 19:00 – Point solutions & DevOps fatigue
9. 22:10 – GraphQL, Swagger, and the doc disaster
10. 26:00 – Building truly dev-friendly tools
11. 29:15 – Shadow Security & orgs taking security into their own hands
12. 32:15 – Real-world example: security champion vs. friction
13. 35:20 – AppSec vs. devs: the culture gap is shrinking
14. 36:39 – Closing: Hope, humor & what's next in AppSec
---
📚 **This episode is part of a comprehensive series**, where we cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **Check out more at:**
- https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev
-
LIVE
Badlands Media
8 hours agoBadlands Daily: November 26, 2025
2,737 watching -
1:13:11
Chad Prather
17 hours agoGratitude That Grows in Hard Ground: A Thanksgiving Message for the Soul
68.4K39 -
LIVE
LFA TV
13 hours agoLIVE & BREAKING NEWS! | WEDNESDAY 11/26/25
3,938 watching -
1:59:03
The Chris Salcedo Show
14 hours ago $10.16 earnedRemembering Rush On A Truly American Holiday
30.9K2 -
36:24
Julie Green Ministries
4 hours agoLIVE WITH JULIE
102K211 -
1:05:27
Crypto Power Hour
13 hours ago $9.26 earnedWhat You Need To Know About Gold Tokenization
58.2K7 -
1:46:14
LIVE WITH CHRIS'WORLD
13 hours agoTHE WAKE UP CALL - 11/26/2025 - Episode 14
30.8K2 -
2:16:19
The Bold Lib
16 hours agoBOLDCHAT: Trump Pardons | DOGE | Patel w/ANGELA BELCAMINO
36.3K6 -
47:14
Brad Owen Poker
1 day ago $2.71 earnedI Have STRAIGHT FLUSH vs Flopped NUTS!! ALL IN w GOLD BRACELET LEGEND!! $15,000+! Poker Vlog EP 358
24.9K -
36:11
Uncommon Sense In Current Times
20 hours ago $6.75 earnedThe Truth About the Abortion Pill | Sue Liebel Exposes FDA Failures & Hidden Dangers
38.3K2