{"id":48229,"date":"2022-08-30T20:51:39","date_gmt":"2022-08-30T20:51:39","guid":{"rendered":"https:\/\/www.darkreading.com\/edge-articles\/don-t-let-perfect-be-the-enemy-of-a-good-appsec-program"},"modified":"2022-08-30T20:51:39","modified_gmt":"2022-08-30T20:51:39","slug":"dont-let-perfect-be-the-enemy-of-a-good-appsec-program","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/","title":{"rendered":"Don&#8217;t Let &#8216;Perfect&#8217; Be the Enemy of a Good AppSec Program"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt9d5b1d4864d2b6eb\/630e77c60b97756cbea26a5d\/goodenough-Marek_Uliasz-alamy.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Some security programs need to have the absolute highest possible level of security assurance for the systems and the data they protect. They need to be as close to perfect as they can be. Examples of this would be managing evidence for top secret counterterrorism activities, invaluable intellectual property such as the first COVID-19 vaccine, or systems that require uptimes of five 9s (99.999%) or higher, for which downtime of a single minute can cost millions of dollars.<\/p>\n<p>That said, for most companies, a &#8220;good&#8221; application security (AppSec) program will suffice. A good program is one where your applications are safe against the most common types of attacks but could still fall to a determined, well-funded, and advanced attacker. Let&#8217;s discuss the differences, and how to create something that meets your company&#8217;s needs.<\/p>\n<h2 class=\"regular-text\">Elections Require Perfection<\/h2>\n<p>For a &#8220;perfect&#8221; AppSec program, every single potential vulnerability reported by any test must be investigated by a security expert. This means running static application security testing (SAST), dynamic application security testing (DAST), and other automated tools with the confidence level for findings set to report &#8220;any and all&#8221; possibilities. That requires hiring one or more security experts who are trained to run down each item and given weeks to check each application. It also means hiring several security professionals to do manual security testing and code review, for multiple viewpoints, and to re-test that the bugs are truly fixed and have not created new bugs in the process. It is both time-consuming and quite expensive.<\/p>\n<p>A few years ago, I worked on an application that had to run on a 32-kilobit modem in the Arctic. It makes our elections in Canada happen, which meant it had to be absolutely perfect. We hired several different security professionals, who used a multitude of tools and manual techniques to find both security and non-security issues within our application. We did stress testing, performance testing, integration testing, and so much more. We set up a functional returning office (the place that you vote), with every system fully functional, and ran an entire 36-day mock election, with fake security incidents thrown into the mix, 6 months before the big day. We spent the following 6 months finalizing every detail. It&#8217;s unlikely you would have noticed, as when the 52nd General Election happened on Oct. 19, 2015, it went off without a hitch.<\/p>\n<p>They don&#8217;t write news articles when everything goes right. We also put in quite a bit more work than what I shared above, which I am not at liberty to share. The point is that being perfect is not cheap, and it is not quick.<\/p>\n<h2 class=\"regular-text\">5 Ways to Make Good &#8216;Good Enough&#8217;<\/h2>\n<p>With that story in mind, does your organization need to be truly <em>perfect<\/em>? Or is &#8220;good&#8221; <em>good enough<\/em>? Let&#8217;s look at some ways your organization could create a scalable and affordable application security program that is <em>good<\/em>.<\/p>\n<p><strong>1. Automate.<\/strong> First off, leverage automation whenever possible. There are many free and paid security tools that can provide good results. When I say good, I mean most of the results they report are true positives, and the false negatives (missed bugs) are at a level your organization can be comfortable with. Some automated tools will allow you to set a confidence level for your results; starting with a confidence level of &#8220;high&#8221; in the first year of your program, and then shifting to &#8220;medium&#8221; in the second year, is a good way to get software developers to have faith in what you are reporting while not overwhelming them.<\/p>\n<p><strong>2. Use anti-pattern matching SAST.<\/strong> For SAST tools, when you&#8217;re aiming for &#8220;good&#8221; results, select a next-generation SAST that performs anti-pattern matching (regex looking for known-bad patterns) rather than an original SAST type that performs symbolic execution (running down every possible code outcome, searching for potential flaws and bugs). While the original types of SAST are ideal for creating a perfect application, next-generation SASTs are faster, provide more true positives, and are sometimes quite a bit cheaper as well.<\/p>\n<p><strong>3. Spell out technical requirements.<\/strong> When starting new projects, give your project team a list of expectations, both for technical security requirements and for activities you expect them to participate in as part of the project life cycle. You could create a list once for each type of technology (Web apps, APIs, serverless, infrastructure as code, containers, etc.), then reuse that list for every new project it applies to. This also allows a project manager to schedule time for the security activities to happen so that project teams don&#8217;t face unexpected overtime.<\/p>\n<p><strong>4. Run a threat model.<\/strong> During the design phase, reserve one hour with the product owner, the technical leader of the project, and a member of the AppSec team. Perform a <a href=\"https:\/\/shostack.org\/blog\/fast-cheap-good\/\" target=\"_blank\" rel=\"noopener\">simple threat model<\/a> on your application and implement some of the recommendations from that session.<\/p>\n<p><strong>5. Train people on secure coding.<\/strong> Give your software developers <a href=\"https:\/\/www.darkreading.com\/application-security\/developers-increasingly-prioritize-secure-coding\" target=\"_blank\" rel=\"noopener\">secure coding<\/a> training. There&#8217;s several <a href=\"https:\/\/community.wehackpurple.com\/\" target=\"_blank\" rel=\"noopener\">free or almost-free courses<\/a> on the Internet for this now, and every bug they help your people avoid creating saves you more time and money than you may realize.<\/p>\n<p>Although this is just a short list of ways to build a scalable and affordable program for creating secure apps, these five suggestions provide a great place to start from or to add to an already existing program to make &#8220;good&#8221; software.<\/p>\n<p>Read More <a href=\"https:\/\/www.darkreading.com\/edge-articles\/don-t-let-perfect-be-the-enemy-of-a-good-appsec-program\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>These five suggestions provide a great place to start building a scalable and affordable program for creating secure apps.Read More <a href=\"https:\/\/www.darkreading.com\/edge-articles\/don-t-let-perfect-be-the-enemy-of-a-good-appsec-program\">HERE<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-48229","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Don&#039;t Let &#039;Perfect&#039; Be the Enemy of a Good AppSec Program 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Don&#039;t Let &#039;Perfect&#039; Be the Enemy of a Good AppSec Program 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-08-30T20:51:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt9d5b1d4864d2b6eb\/630e77c60b97756cbea26a5d\/goodenough-Marek_Uliasz-alamy.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Don&#8217;t Let &#8216;Perfect&#8217; Be the Enemy of a Good AppSec Program\",\"datePublished\":\"2022-08-30T20:51:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\\\/\"},\"wordCount\":907,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/blt9d5b1d4864d2b6eb\\\/630e77c60b97756cbea26a5d\\\/goodenough-Marek_Uliasz-alamy.jpg\",\"articleSection\":[\"DarkReading |TI\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\\\/\",\"name\":\"Don't Let 'Perfect' Be the Enemy of a Good AppSec Program 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/blt9d5b1d4864d2b6eb\\\/630e77c60b97756cbea26a5d\\\/goodenough-Marek_Uliasz-alamy.jpg\",\"datePublished\":\"2022-08-30T20:51:39+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\\\/#primaryimage\",\"url\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/blt9d5b1d4864d2b6eb\\\/630e77c60b97756cbea26a5d\\\/goodenough-Marek_Uliasz-alamy.jpg\",\"contentUrl\":\"https:\\\/\\\/eu-images.contentstack.com\\\/v3\\\/assets\\\/blt66983808af36a8ef\\\/blt9d5b1d4864d2b6eb\\\/630e77c60b97756cbea26a5d\\\/goodenough-Marek_Uliasz-alamy.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Don&#8217;t Let &#8216;Perfect&#8217; Be the Enemy of a Good AppSec Program\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Don't Let 'Perfect' Be the Enemy of a Good AppSec Program 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/","og_locale":"en_US","og_type":"article","og_title":"Don't Let 'Perfect' Be the Enemy of a Good AppSec Program 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-08-30T20:51:39+00:00","og_image":[{"url":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt9d5b1d4864d2b6eb\/630e77c60b97756cbea26a5d\/goodenough-Marek_Uliasz-alamy.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Don&#8217;t Let &#8216;Perfect&#8217; Be the Enemy of a Good AppSec Program","datePublished":"2022-08-30T20:51:39+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/"},"wordCount":907,"commentCount":0,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/#primaryimage"},"thumbnailUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt9d5b1d4864d2b6eb\/630e77c60b97756cbea26a5d\/goodenough-Marek_Uliasz-alamy.jpg","articleSection":["DarkReading |TI"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/","url":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/","name":"Don't Let 'Perfect' Be the Enemy of a Good AppSec Program 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/#primaryimage"},"thumbnailUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt9d5b1d4864d2b6eb\/630e77c60b97756cbea26a5d\/goodenough-Marek_Uliasz-alamy.jpg","datePublished":"2022-08-30T20:51:39+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/#primaryimage","url":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt9d5b1d4864d2b6eb\/630e77c60b97756cbea26a5d\/goodenough-Marek_Uliasz-alamy.jpg","contentUrl":"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt9d5b1d4864d2b6eb\/630e77c60b97756cbea26a5d\/goodenough-Marek_Uliasz-alamy.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/dont-let-perfect-be-the-enemy-of-a-good-appsec-program\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Don&#8217;t Let &#8216;Perfect&#8217; Be the Enemy of a Good AppSec Program"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/48229","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=48229"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/48229\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=48229"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=48229"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=48229"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}