Archive - Boring AppSec

New Top Discussion

Effectiveness of WAFs are a hotly debated subject in AppSec circles. This editions tries to bring a structure to that discussion.

Sandesh Mysore Anand

Jan 2

Third in a 4-part primer on SAST. This edition talks about what a successful SAST program looks like.

Sandesh Mysore Anand

Nov 7, 2021

2nd in a 4-part primer on Static Application Security Testing (SAST). This edition gives you an overview of what SAST tools look like under the hood.

Sandesh Mysore Anand

Oct 17, 2021

First in a four part primer on Static Application Security Testing (SAST). This edition talks about what SAST is and why it's needed.

Sandesh Mysore Anand

Oct 10, 2021

In AppSec, most Security controls are implemented by folks outside the Security team. You cannot improve your AppSec posture, without "selling" the…

Sandesh Mysore Anand

Oct 3, 2021

Incorrect buy v/s build decisions can have serious downstream impact on security posture and team morale. This edition builds a framework that can help…

Sandesh Mysore Anand

Sep 26, 2021

Training is easy to get started, but hard to scale. Its also hard to measure outcomes from it. In this post, we explore alternates to training that can…

Sandesh Mysore Anand

Sep 19, 2021

AppSec programs are hard to scale. What works for a portfolio of 10 applications don't work for 1000 apps. Piggybacking off existing organizational…

Sandesh Mysore Anand

Sep 12, 2021

You can't improve what you cannot measure, but measuring incorrectly can drive incentives in the wrong direction. Here's a hypothesis on "good" AppSec…

Sandesh Mysore Anand

Sep 5, 2021

AppSec advice on the internet often makes me go "that sounds great, but it would never work for me". In this edition, we try to build a framework to…

Sandesh Mysore Anand

Aug 29, 2021

There is some consensus on how to handle security defects in software we write. We have lesser luck with managing vulnerabilities in 3rd party software…

Sandesh Mysore Anand

Aug 22, 2021

Among the oldest problems in AppSec is making tradeoffs on assessment types (SAST, DAST, IAST and so on). This edition attempts to design a framework to…

Sandesh Mysore Anand

Aug 15, 2021

#nojs-banner { position: fixed; bottom: 0; left: 0; padding: 16px 16px 16px 32px; width: 100%; box-sizing: border-box; background: red; color: white; font-family: -apple-system, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 13px; line-height: 13px; } #nojs-banner a { color: inherit; text-decoration: underline; } This site requires JavaScript to run correctly. Please turn on JavaScript or unblock scripts