# Minimum Viable Appsec

- Defense sector has sucky appsec, apparently
- Acquisition cycles are not in sync with software acquisition
- If it is not in the contract, then don't expect to get it
- “IT is handling it”
- People who want the software don't ask for security
- NIST Minimum Standards
- STRIDE
- Not comprehensive or exhaustive, but concise
- Put standards in contracts