Why All AppSec Experts Suck! - Part 3: Michael Farnum on Tools, Truths & Trade-Offs
In the third and final episode of this eye-opening series, I’m joined by longtime friend and AppSec veteran **Michael Farnum**, formerly of Fortify and now Advisory CISO at Trace3. Together, we pull back the curtain on what *really* happens behind the scenes of security product development, sales-driven roadmaps, and the illusion of tool “coverage.”
If you’ve ever wondered why AppSec tools fail to live up to their hype—or why “solving” AppSec always feels just out of reach—this episode is a candid, nuanced exploration of why that is.
🔍 **What you'll learn in this episode:**
- How product teams dilute quality trying to “support everything”
- Why breadth vs. depth is the unsolvable riddle in tool design
- How sales and marketing hijack product roadmaps
- The rise of new point solutions and why they often make things harder
- The future: blended tools, better developer alignment, and appsec maturity
---
⏱️ **Chapters:**
1. 00:00 – Intro & series wrap-up
2. 02:06 – Farnum’s journey: Fortify, podcasting & industry legacy
3. 04:53 – SAST, DAST, RASP: the legacy alphabet soup
4. 06:55 – Modernization & the illusion of full coverage
5. 10:30 – Marketing pressure vs. actual tool capabilities
6. 13:28 – Why multi-language support weakens detection depth
7. 15:45 – Shift-left gone wrong: added complexity for ops
8. 19:00 – Point solutions & DevOps fatigue
9. 22:10 – GraphQL, Swagger, and the doc disaster
10. 26:00 – Building truly dev-friendly tools
11. 29:15 – Shadow Security & orgs taking security into their own hands
12. 32:15 – Real-world example: security champion vs. friction
13. 35:20 – AppSec vs. devs: the culture gap is shrinking
14. 36:39 – Closing: Hope, humor & what's next in AppSec
---
📚 **This episode is part of a comprehensive series**, where we cover each category of AppSec product:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (often marketed as "next-gen WAF")
* Manual Pen-Testing of Applications
(SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing)
🎞️ **Watch the full playlist**:
[AppSec Product Comparison Series](https://www.youtube.com/playlist?list=PLr15vRqvmtdW-LxrY_fFGNV8ub4_d_Qoc)
---
🌐 **Check out more at:**
- https://danondev.com
- Twitter: @Dan_On_Dev
- Instagram: @dan_on_dev
- Facebook: @danondev