Codename Singapore -- Adopting the Three Ways of Effective AppSec

Four teammates walked into a bar—a developer, an AppSec engineer, a SecOps lead, and a compliance officer. It sounds like the start of a terrible joke, but no one was laughing. They were too busy drowning in alerts, blaming each other, and wondering if their security program had secretly been designed by their worst enemies. Sound painfully familiar?

In this talk, I'll share the surprisingly entertaining story of how these burned-out heroes discovered The Three Ways of Effective AppSec. Using the metaphor of a modern city (complete with bank robberies, construction projects, and government bureaucracy), they unlocked the power of context, collaboration, and culture—transforming a chaotic security circus into a highly cost-effective (and even enjoyable) program that keeps their software safe from vulnerabilities and attacks.

If you’ve ever felt trapped in AppSec Groundhog Day, facing endless firefighting, alert fatigue, and compliance busywork, come laugh (and maybe cry) your way toward a practical blueprint for building an AppSec program that actually works.