In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Johnathan Kuskos, Founder of Chaotic Good Information Security, a boutique professional services company. They discuss what it's like to be a pen tester, some of the unusual things found during testing, and how the 15 Minutes Rule helps you not waste time during your testing. They also talk about the tradeoffs of security when it comes to “good, fast, or cheap,” simple ways to determine priorities, and how to strengthen relationships between security and developers.

Topics discussed:

• How security and developers can close divides through better communication and more forward thinking.
• Why security can't necessarily have an approach that's good, fast, and cheap, but how they make compromises to have a bit of all three.
• How to determine your security priorities, and how to perform a smoke test to see where security overlaps with other departments to identify those priorities.
• Some of the stranger things found during pen testing, including a git folder on a website. 
• Why vulnerability and exploitability are two different things, and how to assess both.
• How the 15 Minutes Rules can help you assess as much functionality as possible, and why it sometimes exposes more gaps in playbooks and incident response than intended.