Why All AppSec Experts Suck! - Part 3: Michael Farnum on Tools, Truths & Trade-Offs

In the third and final episode of this eye-opening series, I’m joined by longtime friend and AppSec veteran **Michael Farnum**, formerly of Fortify and now Advisory CISO at Trace3. Together, we pull back the curtain on what *really* happens behind the scenes of security product development, sales-driven roadmaps, and the illusion of tool “coverage.”

If you’ve ever wondered why AppSec tools fail to live up to their hype—or why “solving” AppSec always feels just out of reach—this episode is a candid, nuanced exploration of why that is.

🔍 **What you'll learn in this episode:**
- How product teams dilute quality trying to “support everything”
- Why breadth vs. depth is the unsolvable riddle in tool design
- How sales and marketing hijack product roadmaps
- The rise of new point solutions and why they often make things harder
- The future: blended tools, better developer alignment, and appsec maturity

---

⏱️ **Chapters:**
1. 00:00 – Intro & series wrap-up
2. 02:06 – Farnum’s journey: Fortify, podcasting & industry legacy
3. 04:53 – SAST, DAST, RASP: the legacy alphabet soup
4. 06:55 – Modernization & the illusion of full coverage
5. 10:30 – Marketing pressure vs. actual tool capabilities
6. 13:28 – Why multi-language support weakens detection depth
7. 15:45 – Shift-left gone wrong: added complexity for ops
8. 19:00 – Point solutions & DevOps fatigue
9. 22:10 – GraphQL, Swagger, and the doc disaster
10. 26:00 – Building truly dev-friendly tools
11. 29:15 – Shadow Security & orgs taking security into their own hands
12. 32:15 – Real-world example: security champion vs. friction
13. 35:20 – AppSec vs. devs: the culture gap is shrinking
14. 36:39 – Closing: Hope, humor & what's next in AppSec

---

📚 **This episode is part of a comprehensive series**, where we cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)

🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)

---

🌐 **Check out more at:**
- https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev