Evgeny Belenky:

@Curtis Yanko thanks for your response!

However, as we know SAST alone isn't enough, right?

We still will need tools to perform DAST and IAST. In addition, I believe not every SAST tool will fit every web app stack. Am I wrong?

Curtis Yanko (DevSecOps Evangelist & Coach at Shiftleft, Vendor), Aug 5, 2021:

@Evgeny Belenky You are correct.

But DAST is more about proving SAST findings to remove any doubt. I prefer to use a 'directed' DAST approach to keep it fast and in-band to the pipeline.

By 'directed' I mean we have a map of endpoints and associated vulns from our SAST, and I use that to focus the DAST on specific issues on each endpoint with as much other info as it may need (DB?).

I'm not a fan of IAST right now, but then I haven't really used it.

DAST is the proof point on why data flow analysis is key when you consider that DAST is really about abusing user-controlled inputs. So an understanding of user-controlled data flows in your software is so important to identify OWASP Top 10 issues, most of which are injection-related in one way or another.

Andrew Van Der Stock (Real User), Aug 5, 2021:

@Curtis Yanko It is changing this year. We are due to release on September 24, 2021.

Curtis Yanko (DevSecOps Evangelist & Coach at Shiftleft, Vendor), Aug 9, 2021:

@Andrew Van Der Stock thanks, I'll be sure to look for it.
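The "directed" DAST workflow Curtis Yanko describes, as an added example that is not code from this thread or from any vendor product: SAST findings that carry the traced entry point (endpoint and user-controlled parameter) are grouped into a per-endpoint scan plan so the dynamic scanner runs only the relevant check categories, and the scanner's results are then joined back to each SAST finding to mark it confirmed or not. The finding format, the CWE-to-check mapping, the endpoint names and the sample results are all constructed assumptions; findings with no traced entry point (or no dynamic equivalent) are reported as not testable rather than dropped.

```python
"""Directed DAST planning and SAST/DAST correlation (added example).

The finding schema, CWE_TO_CHECK table and sample data are constructed
assumptions, not the output of any particular scanner.
"""
from collections import defaultdict

# Constructed: which dynamic check category exercises which SAST weakness class.
CWE_TO_CHECK = {
    "CWE-89": "sqli",
    "CWE-79": "xss",
    "CWE-78": "os-command-injection",
    "CWE-22": "path-traversal",
}

# Constructed sample SAST output: the sink, the weakness class, and the HTTP
# entry point plus user-controlled parameter that data-flow analysis traced it to.
SAST_FINDINGS = [
    {"id": "F1", "cwe": "CWE-89", "endpoint": "POST /login", "param": "username", "sink": "auth.py:42"},
    {"id": "F2", "cwe": "CWE-79", "endpoint": "GET /search", "param": "q", "sink": "views.py:17"},
    {"id": "F3", "cwe": "CWE-89", "endpoint": "POST /login", "param": "username", "sink": "auth.py:58"},
    {"id": "F4", "cwe": "CWE-22", "endpoint": "GET /download", "param": "file", "sink": "files.py:9"},
    # No entry point was traced, so no request can reach this sink from outside.
    {"id": "F5", "cwe": "CWE-311", "endpoint": None, "param": None, "sink": "config.py:3"},
]


def build_scan_plan(findings):
    """Group findings by endpoint and parameter.

    Returns ({endpoint: {param: [check, ...]}}, [ids that DAST cannot exercise]).
    Two findings that share an endpoint, parameter and check collapse into one
    dynamic test, which is what keeps the directed scan short.
    """
    plan = defaultdict(lambda: defaultdict(set))
    untestable = []
    for f in findings:
        check = CWE_TO_CHECK.get(f["cwe"])
        if f["endpoint"] is None or check is None:
            untestable.append(f["id"])
            continue
        plan[f["endpoint"]][f["param"]].add(check)
    return ({ep: {p: sorted(c) for p, c in params.items()} for ep, params in plan.items()},
            untestable)


def correlate(findings, dast_results):
    """Join scanner outcomes back to SAST findings.

    dast_results: set of (endpoint, param, check) tuples the scanner reproduced.
    Returns {finding_id: "confirmed" | "unconfirmed" | "not-testable"}.
    """
    status = {}
    for f in findings:
        check = CWE_TO_CHECK.get(f["cwe"])
        if f["endpoint"] is None or check is None:
            status[f["id"]] = "not-testable"
        elif (f["endpoint"], f["param"], check) in dast_results:
            status[f["id"]] = "confirmed"
        else:
            status[f["id"]] = "unconfirmed"
    return status


# Constructed scanner outcome: the login SQLi and the download traversal
# reproduced dynamically; the search XSS did not.
DAST_RESULTS = {("POST /login", "username", "sqli"),
                ("GET /download", "file", "path-traversal")}

if __name__ == "__main__":
    plan, skipped = build_scan_plan(SAST_FINDINGS)
    for ep, params in plan.items():
        for p, checks in params.items():
            print(f"{ep} [{p}]: {', '.join(checks)}")
    print("not testable dynamically:", skipped)
    print(correlate(SAST_FINDINGS, DAST_RESULTS))
```

The unconfirmed status is deliberately not "false positive": a dynamic check can miss a real sink (wrong payload class, missing session state, a database the endpoint needs, the "DB?" in the post above), so an unconfirmed SAST finding goes back to a human with the DAST evidence attached rather than being closed automatically.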