The effectiveness of WAFs is a hotly debated subject in AppSec circles. This edition tries to bring structure to that discussion.
Third in a 4-part primer on SAST. This edition talks about what a successful SAST program looks like.
2nd in a 4-part primer on Static Application Security Testing (SAST). This edition gives you an overview of what SAST tools look like under the hood.
First in a four-part primer on Static Application Security Testing (SAST). This edition talks about what SAST is and why it's needed.
In AppSec, most security controls are implemented by folks outside the security team. You cannot improve your AppSec posture without "selling" the…
Incorrect buy vs. build decisions can have serious downstream impact on security posture and team morale. This edition builds a framework that can help…
Training is easy to get started with, but hard to scale. It's also hard to measure outcomes from it. In this post, we explore alternatives to training that can…
AppSec programs are hard to scale. What works for a portfolio of 10 applications doesn't work for 1000 apps. Piggybacking off existing organizational…
You can't improve what you cannot measure, but measuring incorrectly can drive incentives in the wrong direction. Here's a hypothesis on "good" AppSec…
AppSec advice on the internet often makes me go "that sounds great, but it would never work for me". In this edition, we try to build a framework to…
There is some consensus on how to handle security defects in software we write. We have less luck with managing vulnerabilities in 3rd party software…
Among the oldest problems in AppSec is making tradeoffs on assessment types (SAST, DAST, IAST and so on). This edition attempts to design a framework to…