We changed our name from IT Central Station: Here's why

Badges

User Activity

3 months ago
Replied to Andrew Van Der Stock What are the OWASP Top 10 in 2021?
The history of the OWASP Top 10 through the years: https://www.hahwul.com/cullina...
3 months ago
Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?
5 months ago
Replied to Curtis Yanko What are the OWASP Top 10 in 2021?
@Andrew Van Der Stock thanks, I’ll be sure to look for it.
5 months ago
Replied to Curtis Yanko What are the OWASP Top 10 in 2021?
@Evgeny Belenky You are correct,  But DAST is more about proving SAST findings to remove any doubt. I prefer to use a 'directed' DAST approach to keep it fast and in-band to the pipeline.  By 'Directed' I mean, we have a map of endpoints and associated vulns from our…
5 months ago
I’m not sure the top 10 is changing this year but if it is it will be to squeeze more stuff in ;-).  To effectively detect these in a web app you need a status analyzer with deep data flow analysis. I joined ShiftLeft because I felt they had the best tool to change the way…
7 months ago
I suppose it depends on just how 'bogus' they are. If they are truly 'bogus' then you are likely looking at a trojan. If, however, we are just talking about a 'bad' security tool then you are talking about trying to manage your security with bad or missing information.
11 months ago
I’ve always viewed sonarqube as a code quality tool that compliments many code security tools like a checkmarx. 
11 months ago
It’s a false choice of a question but DAST exist because folks don’t trust their SAST tool. DAST is good about true positives but bad about false negatives. SAST just has a reputation for false positives but a new generation of SAST tools do a much better job.
11 months ago
If you stop at ‘static analysis’ and leave off the Security Testing part. I don’t even view this tool as a security tool, it’s much more about code quality.
12 months ago
Application Security solutions need to work for developers and facilitate their interaction with AppSec including things like training/education. It needs to be fast enough to work on the main CI/CD pipeline and it needs to be trustworthy.

About me

I know a thing or two because I’ve seen a thing or two

Interesting Projects and Accomplishments