State of Application Security

An comprehensive Journey trough the modern technique for implementing DevSecOps, Application Security & Cloud Security

A Modern Approach to Application & Cloud Security

This document is a collaborative document that aims to include the thoughts of modern appsec leaders

We wrote this document with industry leaders to focus on how to implement application & Cloud security in the modern organization

The book is a collection of methodologies from the practitioners

Who helped us creating this report

The current state of application security is that we do not have enough qualified individuals, with relevant training and experience, to do all of the work that we need doing.

Tanya Janka


Because most breaches can be traced back to code and we have the data to show this, it’s clear that security is a non-functional requirement for good code and a question of code quality. The only way to improve the quality of that code is to ensure that developers know what good looks like (through awareness and education) and that they are empowered (through tooling and processes) to produce code that meets the mark.

Grant Ogners

Secure Delivery

Francesco is an Executive, Public Speaker, out of the box thinker. Francesco is the CEO of Phoenix Security a cybersecurity unicorn startup revolutionizing the way organizations do vulnerability management and Managing director NSC42 Ltd a UK based cybersecurity consultancy. As an executive, he loves to stay close to the technology but to keep it simple.

Francesco Cipollone

Phoenix Security Founder

It would not be hard to argue that AppSec is the most difficult part of infosec today. Security needs to get out of our organizational silos and be proactive, helpful partners to the Application development teams who are in the midst of navigating a generational change in SDLC process and architecture. Ensuring that we have an awareness of how, where, and what attackers are doing to apps in production as well as having a clear bug identification and remediation strategy are both fundamental to building an effective defensive strategy that both development and security teams can carry out

Andrew Peterson

Signal Science, Fastly

“The key to building secure software is knowledge” Even the most automated security pipelines rely on someone to interpret the results and take proper action, which boils down to security knowledge.

Dr. Philippe De Ryck

Pragmatic Web Security

Nicole Becher is currently the Director of Information Security & Risk Management for S&P Global Platts, a leading provider of energy and commodities information and benchmark price assessments in the physical commodity markets. In this role, she works with both technology and business leadership to ensure security is built into the strategic plans of the organization, especially as new technology is deployed.

Nicole Becher


Vandana is a seasoned security professional with experience ranging from application security to infrastructure and now dealing with Product Security. She has been Keynote speaker / Speaker / Trainer at various public events ranging from Global OWASP AppSec events to BlackHat events to regional events like BSides events in India. She is part of the OWASP Global board of directors. She also works in various communities towards diversity initiatives InfosecGirls, WoSec

Vandana Verma


Chris Sellards has a Doctor of Science in Cybersecurity from Capitol Technology University. His dissertation was a quantitative study focused on DevSecOps. He has 24 years of experience in IT, over 20 years in information security, and 15 years working with application security. He has built AppSec programs in the medical, financial services, and insurance industries. He has developed the strategy driving AppSec programs aligned with business security requirements (both for in-house dev teams and outsourced) and has done the hands-on work implementing automated SAST into multiple DevOps pipelines and analyzed findings with developers to identify false positives, tuning queries, setting up incremental scans, and integrating output with tracking tools. He currently serves as Director of Security Architecture & Engineering at The Argo Group and as an Adjunct Professor at the University of Texas at San Antonio.

Chris Sell


Why we came together to write this report

Application security is a growing concern for boards and organisations. We’ve seen a rise in focus on

Application security as more and more elements in the organisation is becoming code-driven

According to a recent survey carried out on C-suite users, a total of 53% of respondents indicated

“Cybercrime and data breaches” are the number one concern for cybersecurity. [IBM Study]

So why criminals (not a hacker) attack an organisation? Well mostly for financial reason, even though there are exceptions, (see later in the report).

Verizon’s Data Breach Investigations Report (DBIR) finds that 86% of data breaches are financially
motivated—up 15% over the previous year. In contrast, espionage—the second-highest motive—declined

from 2018 to 2020.

What was 
our mission?

With more code, and more vulnerabilities being disclosed we decided 
to put the energy together to create a modern book for DevSecop Practitioners and Security Specialist

The book focus on data breaches statistics and how they are linked to application security and further dive into the potential methodologies (the HOW) and solution (the WHAT).

DOWNLOAD the FREE book on Application & Cloud Security

Fill out the form to register and receive an e-mail when the white paper will become available straight in your inbox

White Papers

SLA are dead long live SLA – Data driven approach on Vulnerabilities

Vulnerability Management at scale & the power of context based prioritiz…

Application & Cloud security program

Content Risk and prioritization.
Do’s and don’ts

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris Romeo

Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.