Episode #291 w/ Sean Varga - Top 10 for AppSec Sales

Effective technology and security sales involve understanding a client's origin story.

This week we feature Absolute AppSec’s 291st episode, when Seth (@sethlaw) and Ken (@cktricky) welcomed Sean Varga to talk about his background and all things sales as organizations start to realize they need AppSec and technology help to accompany their booming numbers of developers. During the episode, Sean debuts his quasi OWASP Top 10 for AppSec Sales to the community. To watch this episode, head over to https://www.youtube.com/watch?v=gUoIJcOmzrg, or wherever you get your podcasts. If you’re looking for more from Sean, you can find him active on LinkedIn.

Selling AppSec doesn’t have to be a shady operation

“When you get into AppSec, which has traditionally been pretty niche, every time I go into a company, [I] just look, okay, who’s having success with our solution? Who’s renewing? Who’s expanding? Who’s saying they’re hitting the goals that they wanted to achieve when they deploy the solution? That’s really the starting point.”

Sean

In this discussion, Sean Varga shares his unique philosophy on AppSec sales, rooted deeply in understanding the customer's background and motivations rather than solely focusing on company attributes. Varga emphasizes that effective sales involve understanding a client's origin story—their childhood, upbringing, and what truly matters to them, as these factors significantly influence decision-making. He learned this approach early in his career at RSA Security, where the focus was always on asking “what's in it for this person?” Sean, whose entire family works in sales, particularly highlights his mother's empathetic approach and adherence to the "golden rule" as major influences on his own style. He asserts that AppSec sales, unlike simpler product sales, involve navigating complex organizational structures and diverse stakeholders like DevOps and AppDev. To manage this complexity, he utilizes a living document—a customer-facing blueprint that details tech stacks, pain points, goals, metrics, and the entire purchase process, allowing for quick disqualification of unsuitable leads and ensuring he's always ready for client discussions.

“Success lives and dies with your customer, because this world that we live in is so difficult, when you [..] sell a solution to a customer, whatever it is across the AppSec stack, you need to work with them to prove your theory that you can help them achieve their goals.”

Sean

To illustrate how "success lives and dies with your customer," Sean recalls an epiphany from his time at Veracode. While there, he came to see that AppSec sales are akin to selling diet and exercise, meaning they require significant behavioral change and commitment from the client. Because of this, he values ensuring a customer is truly ready for a solution rather than forcing a sale that might lead to failure, a lesson reinforced by a former Secure Code Warrior CEO. He acknowledges the common complaint from practitioners about lengthy sales processes, but argues that in complex AppSec environments, extensive discovery and multiple meetings are necessary to understand an organization. There are inevitably unique requirements, internal politics, and team structures in every organization, and managing those details is essential for ensuring the solution provides actual long-term value and avoids security fatigue. Varga identifies different types of customers, suggesting that organizations merely seeking compliance without true engagement should opt for open-source or entry-level tools, while more mature enterprises benefit from comprehensive, guided solutions. Ultimately, he believes that while anyone with drive and intellectual curiosity can learn to sell anything, domain expertise provides an advantage in the intricate and rapidly evolving AppSec landscape.

This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of apps, including AI, web, and mobile. Redpoint also offers developer appsec and secure-code training to help ground your teams in better security practices across the development lifecycle. Check out redpointsecurity.com for more information and put your company on a path to better security.

Beat the summertime rays with the tested and approved slightly pre-stressed Dad hat. Visit our merch store to find it and other nice podcast swag.


And, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack. Show topics often originate as discussion points with the Slack audience, and the newsletter incorporates that discussion as well. So, join in there to offer ideas for what you’d like the podcast to cover as well as pick the brains of a number of industry experts.

Stay Secure,

Seth & Ken

https://www.youtube.com/live/TJyl4CESnMk - Episode #218 with GalahCyber’s Cole Cornford - Security Startups, Developer Training - The business side of the industry is discussed in this episode with advice and also emphasis on knowing what people are looking for when they think of Application Security services.

https://www.youtube.com/live/PoR2G8e6V5o - Episode #203 - GitHub Sales Shlomi Shaki - Security Tools – Some similar topics bubble up for understanding what organizations experience and need when it comes to security products. This episode includes some discussion of Gartner, but more of the magic quadrant thoughts bubble up when Shlomi returned to the podcast in episode #217.

https://www.youtube.com/live/EoaWnNwSS8o - Ep. #200 w/ Jerry Gamblin - Startups, CVEs - The discussion for the early part of this episode with CVE guru Jerry Gamblin includes a deep-dive into startups and investment decisions that go into the creation of new security products. Selling startup ideas and products is different in some degrees from selling established products but there are some insights into what works for knowing who needs what going forward in the security software industry.

Absolute AppSec Happenings

https://gizmodo.com/humans-are-starting-to-talk-more-like-chatgpt-study-claims-2000628916 - “Humans Are Starting to Talk More Like ChatGPT, Study Claims” From Gaiyoung Lee at Gizmodo (via Seth in the Absolute AppSec slack). We asked ChatGPT what we should make of this article, and it said “Response 2 Great question — and a very human one! AI tools like ChatGPT, especially when responding to prompts or writing online. It suggests that exposure to AI-generated text might be influencing the way we write and speak — making our language more formal, polite, and structured, but also more generic or robotic at times.” Wow, look at that: em dashes.

https://medium.com/deriv-tech/brewing-trouble-dissecting-a-macos-malware-campaign-90c2c24de5dc - Brewing Trouble — Dissecting a macOS Malware Campaign – This write-up from Deriv Tech (the author is @RamdonDhiraj on X) covers a malware campaign that used a GitHub repo and users’ ingrained habit of trusting Homebrew install processes, specifically their password prompts, to harvest credentials. It brings up some interesting thoughts about our set patterns and the day-to-day processes we engage in.

https://www.dryrun.security/blog/constructing-a-trustworthy-evaluation-methodology-for-contextual-security-analysis - “Constructing a Trustworthy Evaluation Methodology for Contextual Security Analysis” - From Peter Karman, one of the fine folks at DryRun! (Ken also shared this in the Absolute AppSec slack). In the development of their product, DryRun has also had to come up with a methodology for determining what counts as good, or how they rate the output they get from various security vulnerability bake-offs. Peter explains the criteria the team there has been using to evaluate these things.

Upcoming Events

Where in the world are Seth and Ken?

August 9, 2025 - State of (Absolute AppSec), AppSec Village DEFCON Edition - 10:15 AM on a Saturday is the current expected time for the panel, but check back on this space if there are any updates. Joining Seth and Ken for this panel covering everything au courant will be Jason Haddix and Tanya Janca, so be sure to set your alarm clocks if you’ll be out in Vegas for the annual hacker gathering.

August 11-12, 2025 - Harnessing LLMs for Application Security - Back to DEF CON, but this time with an updated course. Integrating LLMs into AppSec from static to dynamic analysis. Tips, tricks and more.