User Activity

10 months ago
Replied to Andrew Van Der Stock What are the OWASP Top 10 in 2021?
The history of the OWASP Top 10 through the years: https://www.hahwul.com/cullina...
10 months ago
Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?
About 1 year ago
Replied to Curtis Yanko What are the OWASP Top 10 in 2021?
@Andrew Van Der Stock thanks, I’ll be sure to look for it.
About 1 year ago
Replied to Curtis Yanko What are the OWASP Top 10 in 2021?
@Evgeny Belenky You are correct, but DAST is more about proving SAST findings to remove any doubt. I prefer to use a 'directed' DAST approach to keep it fast and in-band to the pipeline. By 'directed' I mean, we have a map of endpoints and associated vulns from our…
About 1 year ago
I’m not sure the top 10 is changing this year, but if it is, it will be to squeeze more stuff in ;-). To effectively detect these in a web app you need a static analyzer with deep data flow analysis. I joined ShiftLeft because I felt they had the best tool to change the way…
About 1 year ago
I suppose it depends on just how 'bogus' they are. If they are truly 'bogus' then you are likely looking at a trojan. If, however, we are just talking about a 'bad' security tool then you are talking about trying to manage your security with bad or missing information.
Over 1 year ago
I’ve always viewed SonarQube as a code quality tool that complements many code security tools like Checkmarx.
Over 1 year ago
It’s a false choice of a question, but DAST exists because folks don’t trust their SAST tool. DAST is good about true positives but bad about false negatives. SAST just has a reputation for false positives, but a new generation of SAST tools do a much better job.
Over 1 year ago
If you stop at ‘static analysis’ and leave off the Security Testing part, I don’t even view this tool as a security tool; it’s much more about code quality.
Over 1 year ago
Application Security solutions need to work for developers and facilitate their interaction with AppSec, including things like training/education. They need to be fast enough to work on the main CI/CD pipeline, and they need to be trustworthy.

Projects

Over 1 year ago
I started and run DevOps teams in Fortune 100 companies

Answers

About 1 year ago
Application Security Tools
Over 1 year ago
Application Security Tools

About me

I know a thing or two because I’ve seen a thing or two

Interesting Projects and Accomplishments