AppSec Review and Pentest Playbook


All companies perform pentests of their most critical applications. Most of the time, this is performed in ‘black box’ mode, where the security professionals who perform the test have no access to the source code of the application, to its developers, to its current attacker’s profile, or to existing threat models.

This limits the effectiveness of those pentests; there is very little assurance of quality, and the customer gets very little value for money.

What we need are ‘AppSec Reviews’: more thorough engagements in which the security professional has access to ‘everything’ (source code, developers, the current attacker profile, and existing threat models).

This Working Session will draft an AppSec Review and Pentest Playbook.


  • Create AppSec Review and Pentest Playbook


  • Created an outline for an AppSec Pen Test Playbook
    • Initial draft of the outline sent to participants for consensus

Synopsis & Takeaways

  • Eleven participants collaborated on what defines an Application Security Pen Test
    • Driven by specific concerns
    • Driven by humans
    • Driven by depth
    • Driven by functionality


The target audience for this Working Session is:

  • AppSec teams
  • Security professionals
  • Pentest teams

Working materials

  • AppSec Review and Pentest Playbook
