Why All AppSec Experts Suck – Part 1: SAST, DAST, Toolchains & Training with Michael Burch
In this first episode of the expert mini-series following “Why All AppSec Products Suck,” I’m joined by **Michael Burch**, Director of Application Security at **Security Journey**, to explore the harsh realities and nuanced truths about AppSec tooling.
We dig deep into how developers really use (and misuse) tools like **SAST**, how to layer solutions across tech stacks, the pros and cons of **bug bounties**, and how **secure coding education** is the fix we keep forgetting.
🔍 **What you'll learn in this episode:**
- Why SAST tools should be treated like linters, not audits
- The tension between coverage (breadth) vs. accuracy (depth)
- Why open source tools might outperform “catch-all” vendors
- How to balance toolchains in a polyglot organization
- Bug bounties as a proving ground for future security talent
- Why security tooling is just a **safety net**, not the solution
---
⏱️ **Chapters:**
1. 00:00 – Intro & shift to expert interviews
2. 01:02 – Meet Michael Burch: Secure coding advocate
3. 02:06 – Why secure coding needs to be the foundation
4. 04:15 – Cyber Patriots & ChatGPT as insecure interns
5. 06:20 – How devs unknowingly build vulnerable apps
6. 08:30 – AppSec series feedback + tool category wrap-up
7. 10:20 – SAST tools: glorified linters or security engines?
8. 12:15 – IDE-integrated scanning vs. pipeline-only
9. 14:00 – Swiss army tools vs. language-specific tools
10. 16:50 – Scaling toolchains in multi-language orgs
11. 18:45 – The value of layering SAST, DAST, and IAST
12. 21:00 – Pen testing: language-agnostic by design
13. 23:00 – Bug bounties: chaos vs. coverage
14. 24:45 – Safety nets, not silver bullets
15. 26:45 – Outro & shared agreement: no one tool wins
---
📚 **This episode is part of a comprehensive series**, where we cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **Explore More**
- Website: https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev
To learn more from Micheal Burch
- https://youtu.be/Ua_9tvGEkMA
- https://twitter.com/TacticalAppSec
-
13:45
The Charlie Kirk Show
6 hours agoTPUSA AT ASU CANDLELIGHT VIGIL
221K66 -
55:10
Katie Miller Pod
6 hours ago $12.67 earnedEpisode 6 - Attorney General Pam Bondi | The Katie Miller Podcast
92.4K24 -
1:46:41
Man in America
11 hours agoLIVE: Assassin Story DOESN'T ADD UP! What Are They HIDING From Us?? | LET'S TALK
73.2K98 -
2:24:17
Barry Cunningham
7 hours agoFOR PRESIDENT TRUMP WILL TAKE NO PRISONERS AND THE LIBS SHOULD EXPECT NO MERCY!
109K65 -
1:08:41
Savanah Hernandez
7 hours agoCharlie Kirk Was Our Bridge And The Left Burned It
59.2K53 -
1:59:01
Flyover Conservatives
10 hours agoFinancial Web Behind Charlie Kirk's Murder with Mel K | Silver On It's Way to $50 | FOC Show
68.9K5 -
2:36:19
We Like Shooting
18 hours ago $1.56 earnedWe Like Shooting 628 (Gun Podcast)
45.2K1 -
1:09:26
Glenn Greenwald
9 hours agoTrump's Shifting Immigration and H-1B Policies: With Journalist Lee Fang and Political Science Professor Ron Hira | SYSTEM UPDATE #515
178K41 -
13:09:23
LFA TV
1 day agoLFA TV ALL DAY STREAM - MONDAY 9/15/25
263K66 -
54:12
Donald Trump Jr.
8 hours agoCharlie's Vision. Our Future. | TRIGGERED Ep274
208K126