You can't improve what you cannot measure, but measuring incorrectly can drive incentives in the wrong direction. Here's a hypothesis on "good" AppSec…
The effectiveness of WAFs is a hotly debated subject in AppSec circles. This edition tries to bring a structure to that discussion.
Incorrect buy v/s build decisions can have serious downstream impact on security posture and team morale. This edition builds a framework that can help…
First in a four part primer on Static Application Security Testing (SAST). This edition talks about what SAST is and why it's needed.
Training is easy to get started, but hard to scale. It's also hard to measure outcomes from it. In this post, we explore alternates to training that can…
2nd in a 4-part primer on Static Application Security Testing (SAST). This edition gives you an overview of what SAST tools look like under the hood.
AppSec programs are hard to scale. What works for a portfolio of 10 applications doesn't work for 1000 apps. Piggybacking off existing organizational…
Each week, this newsletter will have 1-2 essays on a topic of interest from application security.
Among the oldest problems in AppSec is making tradeoffs on assessment types (SAST, DAST, IAST and so on). This edition attempts to design a framework to…
Third in a 4-part primer on SAST. This edition talks about what a successful SAST program looks like.
In AppSec, most security controls are implemented by folks outside the security team. You cannot improve your AppSec posture without "selling" the…
Software inventories are hard to build and even harder to maintain. If they don't serve a specific purpose, it is not worth all the effort. It's useful…