At BSides San Francisco 2025, I delivered a session titled “Trace to Triage: Learn How to Connect Product Vulnerabilities to Security Paths.” I talked about the day-to-day challenge of modern Application Security (AppSec), offered a framework for building an AppSec program and specifically how modern observability practices help alleviate some of the pain.
Understanding the Challenge
The talk started out with the hard truth that needs to be said: AppSec is hard y’all. The realities of fragmented tooling, poor visibility, and inconsistent security practices make managing application security a complex task, both when building an AppSec program from scratch and modernizing an existing program with legacy applications and tooling.
Building from the Ground Up
The first critical step is building a complete inventory, not just of services, but also of dependencies, infrastructure, and security-relevant artifacts across the software development lifecycle. And it’s not just a few sprinkles of service names and repositories - it’s the surrounding context that’s so important as well. Let’s not forget the human element as well - one person or one team can’t do it by themselves, repeatedly, over time. There’s a growing need for automation, system visibility, and strategic integration of tools.
Applying Observability to Security
After explaining the general framework and how to apply it, we move on to a methodology that adapts concepts from modern observability—namely profiling and tracing—to enhance the effectiveness of AppSec operations.
- Profiling helps teams understand what happened, allowing them to dig deep into system behavior at a granular level.
- Tracing reveals inter-service communication patterns, illustrating who is talking to whom.
Together, these techniques bring both depth and breadth to incident analysis, transforming scattered telemetry data into actionable security context. This is automatically bringing in the context that’s so important to understanding what’s actually going on.
Demonstrating the Approach
While it’s nice to throw words at the wall, who doesn’t love live demoing in conferences, so we walked through a Remote Code Execution (RCE) scenario. The live demo illustrated how modern observability practices, shown in Miggo’s platform, enables security teams to move from the point of vulnerability to full triage in a streamlined, evidence-based process.
Using real telemetry and automated risk mapping, we see the affected services, risk scores, and sensitive data exposure, equipping teams to make informed remediation decisions quickly.
Key Takeaways
If I could condense the talk into one sentence, it would be this: AppSec is inventorying, and context is critical for effective inventorying. Without the right contextual data security teams are left guessing what happened, where, and what they should be doing.
By combining automation, observability practices, and a clear understanding of service interdependencies, organizations can dramatically improve their ability to detect, analyze, and respond to security incidents.
For those who missed the session:
