Last updated: April 29, 2026
A Bengaluru SaaS scale-up grew from 30 engineers to 220 in two years. The original “security review on every PR” stopped being feasible at engineer #80. By #150, a backlog of security findings had built up. By #200, the security team was the bottleneck on every release. The fix wasn’t more security people; it was an application-security programme that scaled with engineering rather than against it. Within 18 months: the same 4-person AppSec team, 5x the engineering throughput, and fewer findings reaching production. This module covers AppSec as a programme: shifting left, scaling sideways, and measuring outcomes.
What an AppSec programme covers
- Threat modelling — design-phase security evaluation
- Secure coding standards — language-specific rules and review patterns
- SAST (Static Application Security Testing) — code-level vulnerability scanning
- SCA (Software Composition Analysis) — known vulnerabilities and licence risk in third-party dependencies
- DAST (Dynamic Application Security Testing) — running-app vulnerability scanning
- IaC scanning — Terraform / Kubernetes / Helm config security
- Container scanning — image vulnerabilities and config
- Secrets scanning — credentials in code, history, builds
- Penetration testing — manual assessment, typically by an external tester, of what the automated tooling misses
- Bug bounty / VDP — crowdsourced vulnerability discovery
- Security training — language-specific, role-relevant
- Incident response for application-level security events
- Metrics and reporting — what’s getting better, what isn’t
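The last item is the one most programmes skip. As an added example (not code from the original page or from the company it describes), the block below computes three outcome metrics from a constructed findings export: median time to remediate per severity, the share of findings that were first seen in production (via bug bounty or incident, i.e. they escaped every pre-release control), and which findings have breached a remediation SLA. The record format, the stage names, the SLA days per severity and the sample rows are all assumptions made for illustration.

```python
"""Added example: AppSec outcome metrics over a constructed findings export.

Assumptions (not from the page): each finding is a dict with id, severity,
stage (which control found it), opened date and closed date (None if open).
SLA_DAYS values are hypothetical, chosen only to make the example concrete.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Hypothetical remediation SLAs (days) per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Stages that mean the issue reached production before any internal control caught it.
PRODUCTION_STAGES = {"bounty", "incident"}

# Reporting date used for still-open findings (matches the page's date; arbitrary).
AS_OF = date(2026, 4, 29)

# Constructed sample export; not real findings.
FINDINGS = [
    {"id": "F1", "severity": "critical", "stage": "secrets",  "opened": date(2026, 1, 5),  "closed": date(2026, 1, 6)},
    {"id": "F2", "severity": "high",     "stage": "sast",     "opened": date(2026, 1, 10), "closed": date(2026, 2, 25)},  # 46 days, SLA 30
    {"id": "F3", "severity": "high",     "stage": "sca",      "opened": date(2026, 2, 1),  "closed": date(2026, 2, 15)},  # 14 days
    {"id": "F4", "severity": "medium",   "stage": "dast",     "opened": date(2026, 1, 20), "closed": None},               # open 99 days, SLA 90
    {"id": "F5", "severity": "critical", "stage": "bounty",   "opened": date(2026, 3, 1),  "closed": date(2026, 3, 12)},  # 11 days, SLA 7; escaped
    {"id": "F6", "severity": "low",      "stage": "sast",     "opened": date(2026, 3, 2),  "closed": date(2026, 3, 20)},  # 18 days
    {"id": "F7", "severity": "high",     "stage": "incident", "opened": date(2026, 3, 15), "closed": date(2026, 3, 18)},  # 3 days; escaped
    {"id": "F8", "severity": "low",      "stage": "sca",      "opened": date(2026, 4, 1),  "closed": None},               # open 28 days
]


def days_open(finding, as_of):
    """Age of a finding in days: to its close date, or to as_of if still open."""
    end = finding["closed"] or as_of
    return (end - finding["opened"]).days


def mttr_by_severity(findings):
    """Median days from opened to closed, per severity, over closed findings only.

    Severities with no closed findings are absent from the result rather than
    reported as zero, so an all-open backlog does not look like instant fixing.
    """
    buckets = defaultdict(list)
    for f in findings:
        if f["closed"] is not None:
            buckets[f["severity"]].append((f["closed"] - f["opened"]).days)
    return {sev: median(days) for sev, days in buckets.items()}


def escape_rate(findings):
    """Fraction of findings first discovered in production (bounty or incident)."""
    if not findings:
        return 0.0
    escaped = sum(1 for f in findings if f["stage"] in PRODUCTION_STAGES)
    return escaped / len(findings)


def sla_breaches(findings, as_of):
    """IDs of findings open longer than their severity's SLA.

    Counts both findings that were closed late and findings still open past
    the deadline, so a breach cannot be hidden by never closing the ticket.
    """
    return [f["id"] for f in findings if days_open(f, as_of) > SLA_DAYS[f["severity"]]]


def summary(findings, as_of=AS_OF):
    """One report row: the three numbers a programme owner would track per quarter."""
    return {
        "mttr_days": mttr_by_severity(findings),
        "escape_rate": escape_rate(findings),
        "sla_breaches": sla_breaches(findings, as_of),
    }


if __name__ == "__main__":
    for key, value in summary(FINDINGS).items():
        print(f"{key}: {value}")
```

Two design points worth copying into a real report: open findings are aged against the reporting date so they can breach an SLA without ever being closed, and the escape rate is computed from where a finding was first seen, which is what "fewer findings reaching production" actually measures; a falling escape rate with a stable MTTR means the left-shifted controls are doing their job.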