Most companies start their application security program with a manual penetration test of their most business-critical applications. While this type of assessment covers a lot of ground, it is not as scalable or repeatable as automated scanning technologies. As your program matures, you will have to branch out into more automated technologies.
This talk will review the merits of static analysis, dynamic analysis, software composition analysis, and penetration testing, indicating which technologies make sense in your specific situation as you mature your application security program.