Scaling AppSec Through Runtime Threat Modeling

NOTE1: NEW LOCATION. TAKE NOTE!!!!!

NOTE2: The following will be in effect and mandatory for this meeting venue. Same procedure from our other location.

• RSVPs will close at 11:59 PM PT on Monday, May 19th, so kindly submit your RSVP by then. Walk-ins will not be permitted.
• Microsoft Security mandates that RSVPs include your full name (in Meetup settings) and that you bring your ID, which will be checked at the entrance to match your RSVP.
• If your first and last name do not appear in our admin view, we will contact you.
• Alternatively, feel free to reach out directly or email us at orange-county-leaders@owasp.org to provide that information or any questions you may have regarding the event.

Abstract
Application security teams are drowning in findings from a sprawl of disconnected tools. As development accelerates—with AI-driven tooling, microservices, and cloud-native architectures—the ratio of code to developer is exploding. But the ratio of AppSec engineers to developers isn’t keeping pace, leaving security teams overwhelmed and reactive.

It’s time to flip the model: instead of starting with findings, we must start with the application. Vulnerabilities are just one signal—without deep application context, they're noise. Real-time application modeling enables teams to understand how applications actually behave in production: what code is reachable, which services talk to each other, what data is exposed, and where trust boundaries are violated.

In this talk, we’ll demonstrate how runtime-aware application modeling can surface critical risks that traditional approaches miss, eliminate false positives, and bridge the gap between AppSec and engineering. We'll walk through real-world examples of how modeling helps prioritize what truly matters—and why this shift is essential for scaling security in modern software development.