Boring AppSec
Edition 14: To WAF or not to WAF
The effectiveness of WAFs is a hotly debated subject in AppSec circles. This edition tries to bring some structure to that discussion.
Sandesh Mysore Anand
Jan 2
Edition 13: SAST primer - Goals of a SAST program
Third in a 4-part primer on SAST. This edition talks about what a successful SAST program looks like.
Sandesh Mysore Anand
Nov 7, 2021
Edition 12: AppSec Primer - How SAST tools work?
2nd in a 4-part primer on Static Application Security Testing (SAST). This edition gives you an overview of what SAST tools look like under the hood.
Sandesh Mysore Anand
Oct 17, 2021
Edition 11: AppSec Primer - SAST - Part 1
First in a four-part primer on Static Application Security Testing (SAST). This edition talks about what SAST is and why it's needed.
Sandesh Mysore Anand
Oct 10, 2021
Edition 10: Selling AppSec
In AppSec, most security controls are implemented by folks outside the security team. You cannot improve your AppSec posture without "selling" the…
Sandesh Mysore Anand
Oct 3, 2021
Edition 9: A build v/s buy framework for AppSec
Incorrect buy v/s build decisions can have serious downstream impact on security posture and team morale. This edition builds a framework that can help…
Sandesh Mysore Anand
Sep 26, 2021
Edition 8: To train or not to train
Training is easy to get started with, but hard to scale. It's also hard to measure outcomes from it. In this post, we explore alternatives to training that can…
Sandesh Mysore Anand
Sep 19, 2021
Edition 7: Using force multipliers to scale AppSec programs
AppSec programs are hard to scale. What works for a portfolio of 10 applications doesn't work for 1000 apps. Piggybacking off existing organizational…
Sandesh Mysore Anand
Sep 12, 2021
Edition 6: Top 4 AppSec metrics and why they are so hard to measure
You can't improve what you cannot measure, but measuring incorrectly can drive incentives in the wrong direction. Here's a hypothesis on "good" AppSec…
Sandesh Mysore Anand
Sep 5, 2021
Edition 5: How to consume AppSec advice from the internet?
AppSec advice on the internet often makes me go "that sounds great, but it would never work for me". In this edition, we try to build a framework to…
Sandesh Mysore Anand
Aug 29, 2021
Edition 4: The mad maze of supply chain attacks and what it means for AppSec
There is some consensus on how to handle security defects in software we write. We have less luck with managing vulnerabilities in 3rd party software…
Sandesh Mysore Anand
Aug 22, 2021
Edition 3: "What AppSec assessment type are you?"
Among the oldest problems in AppSec is making tradeoffs on assessment types (SAST, DAST, IAST and so on). This edition attempts to design a framework to…
Sandesh Mysore Anand
Aug 15, 2021