Table of Contents

Dedication. Contents. List of Figures and Tables. Preface. About the Author. Chapter 1: Today’s Software Development Practices Shatter Old Security Practices. Chapter 2: Deconstructing Agile and Scrum. Chapter 3: Learning Is FUNdamental! Chapter 4: Product Backlog Development—Building Security In. Chapter 5: Secure Design Considerations. Chapter 6: Security in the Design Sprint. Chapter 7: Defensive Programming. Chapter 8: Testing Part 1: Static Code Analysis. Chapter 9: Testing Part 2: Penetration Testing/Dynamic Analysis/IAST/RASP. Chapter 10: Securing DevOps. Chapter 11: Metrics and Models for AppSec Maturity. Chapter 12: Frontiers for AppSec. Chapter 13: AppSec Is a Marathon—Not a Sprint! Appendix A: Security Acceptance Criteria. Appendix B: Resources for AppSec. Appendix C: Answers to Chapter Quick Check Questions. Glossary. Index.

About the Author

Mark S. Merkow, CISSP, CISM, CSSLP, works at HealthEquity, Inc., in Tempe, Arizona, helping to lead application and IT security architecture and engineering efforts in the office of the CISO. In addition to his day job, Mark is a faculty member at the University of Denver, where he works on developing and instructing online courses in topics across the Information Security spectrum, with a focus on secure software development. He also works as an advisor to the University of Denver’s Information and Computing Technology Curriculum Team for new course development and changes to the curriculum.


Mark has over 40 years of experience in IT in a variety of roles, including application development, systems analysis and design, security engineering, and security management. Mark holds a Master of Science in Decision and Information Systems from Arizona State University (ASU), a Master of Education in Distance Education from ASU, and a Bachelor of Science in Computer Information Systems from ASU.