User Activity

4 days ago
We have so far looked at leveraging OWASP ZAP to perform DAST on the APIs. As long as the APIs use the OpenAPI framework, we are able to do this easily for different authentication methods and get reports for different thresholds. So far this has sufficed for our needs. Commercial…
5 days ago
Security posture will include a number of things. The following artifacts should be scanned to ensure they are secure, configured correctly and free from malware or sensitive information:
- OSS modules and frameworks
- Containers
- Serverless functions
- APIs and…
5 days ago
Infrastructure as Code script testing, API security testing and SCA will gain more relevance and importance this year. Customers may also like to have a modular framework to pick and choose different areas of DevSecOps (SAST, SCA, DAST, IAST, OAST, etc.) as per their…
26 days ago
SCA looks at open-source libraries only and associates vulnerabilities and license analysis with the open-source libraries. Helps maintain an SBOM inventory.
SAST looks at the proprietary application source code and does the same - assesses code health, vulnerabilities,…
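As an added illustration of what the SCA side of that split actually does (this is example code written for this page, not code from the commenter or from any SCA vendor), the script below walks a small CycloneDX-style SBOM, builds the inventory, matches each component against an advisory feed, and applies a license deny-list. The SBOM, the com.example libraries, the EXAMPLE-0001 advisory and the deny-list are all constructed for the example; only the log4j-core range (CVE-2021-44228, fixed in 2.15.0) is real. Version comparison ignores pre-release tags, which is a simplification a real tool would not make.

```python
"""Stdlib-only SCA pass over a CycloneDX-style SBOM: inventory, known-vulnerable
versions, and license policy. All sample data below is constructed."""
import json
import re

# Constructed SBOM fragment in CycloneDX JSON shape (not a real project).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "group": "com.example", "name": "fast-json",
     "version": "1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "group": "com.example", "name": "report-gen",
     "version": "0.9.2", "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}"""

# Advisory feed. The log4j-core entry reflects the real CVE-2021-44228 fix in
# 2.15.0; EXAMPLE-0001 is a constructed placeholder for the hypothetical
# com.example:fast-json library.
ADVISORIES = [
    {"id": "CVE-2021-44228", "coordinate": "org.apache.logging.log4j:log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "EXAMPLE-0001", "coordinate": "com.example:fast-json",
     "introduced": "1.0.0", "fixed": "1.4.0", "severity": "high"},
]

# Licenses the (constructed) policy does not allow in a proprietary product.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def version_key(version):
    """Numeric components only; pre-release tags are ignored (simplification)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def licenses_of(component):
    return [entry.get("license", {}).get("id", "UNKNOWN")
            for entry in component.get("licenses", [])]


def analyze_sbom(sbom_json, advisories=ADVISORIES, denied=DENIED_LICENSES):
    """Return (inventory, vulnerability_findings, license_findings)."""
    inventory, vulns, license_hits = [], [], []
    for comp in json.loads(sbom_json).get("components", []):
        coordinate = f"{comp.get('group', '')}:{comp['name']}"
        version = comp["version"]
        ref = f"{coordinate}@{version}"
        inventory.append(ref)
        for adv in advisories:
            if adv["coordinate"] != coordinate:
                continue
            # affected if introduced <= version < fixed
            if version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"]):
                vulns.append({"component": ref, "advisory": adv["id"],
                              "severity": adv["severity"], "fix_version": adv["fixed"]})
        for lic in licenses_of(comp):
            if lic in denied:
                license_hits.append({"component": ref, "license": lic})
    return inventory, vulns, license_hits


if __name__ == "__main__":
    inventory, vulns, license_hits = analyze_sbom(SBOM_JSON)
    print("SBOM inventory:", *inventory, sep="\n  ")
    for f in vulns:
        print(f"VULN [{f['severity']}] {f['component']} -> {f['advisory']}, fix: {f['fix_version']}")
    for f in license_hits:
        print(f"LICENSE {f['component']} uses {f['license']}")
```

Note that nothing here looks at the application's own source; that is the SAST half of the comparison, and the two findings lists above (known-vulnerable version, disallowed license) are exactly the two outputs SCA is expected to produce.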
26 days ago
WhiteSource has released a utility to detect the log4j vulnerability in the codebase. Take a look at this if it helps. In our case, a lot of projects use Elasticsearch and Azure DevOps Server - both of them use log4j and that's where additional fixes have to be…
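For readers who want to see what such a detector does under the hood, here is an added example (written for this page; it is not the WhiteSource utility or any other vendor's code) that scans JAR/WAR/EAR archives, including archives nested inside them, for log4j-core. It reads the version from the Maven pom.properties that log4j-core ships, checks whether JndiLookup.class is still present, and classifies the result against the real fix versions (CVE-2021-44228 fixed in 2.15.0; the follow-on log4j 2.x CVEs of that period fixed by 2.17.1). The sample archives are constructed in memory, and the class-file bytes are a stub.

```python
"""Scan JAR/WAR/EAR archives, including archives nested inside them, for log4j-core
and report its CVE-2021-44228 status. Sample archives are built in memory."""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIX_44228 = (2, 15, 0)   # CVE-2021-44228 fixed in log4j-core 2.15.0
FIX_LATER = (2, 17, 1)   # later log4j 2.x CVEs of that period fixed by 2.17.1


def version_tuple(version):
    """Numeric components only (pre-release tags ignored, a simplification)."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def classify(version, has_jndi):
    if version is None:
        return "UNKNOWN VERSION: JndiLookup.class present"
    v = version_tuple(version)
    if v < FIX_44228:
        return "VULNERABLE: CVE-2021-44228" if has_jndi else "MITIGATED: JndiLookup.class removed"
    if v < FIX_LATER:
        return "UPGRADE: below 2.17.1, later log4j CVEs"
    return "OK: 2.17.1 or newer"


def scan_archive(data, path, depth=0, max_depth=3):
    """Return findings for one archive and any .jar/.war/.ear entries nested in it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        match = re.search(r"^version=(\S+)", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        version = match.group(1) if match else None
    has_jndi = JNDI_LOOKUP in names
    if version is not None or has_jndi:
        findings.append({"path": path, "version": version, "jndi_lookup": has_jndi,
                         "status": classify(version, has_jndi)})
    if depth < max_depth:   # fat jars, WARs and EARs bundle log4j one level down
        for name in sorted(names):
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(scan_archive(zf.read(name), f"{path}!/{name}", depth + 1, max_depth))
    return findings


def build_jar(entries):
    """Constructed fixture: an in-memory zip from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_findings():
    """Three constructed cases: class stripped, patched, and vulnerable inside a WAR."""
    class_stub = b"\xca\xfe\xba\xbe"   # stand-in for real bytecode
    vulnerable = build_jar({POM_PROPS: b"version=2.14.1\n", JNDI_LOOKUP: class_stub})
    stripped = build_jar({POM_PROPS: b"version=2.14.1\n"})
    patched = build_jar({POM_PROPS: b"version=2.17.1\n", JNDI_LOOKUP: class_stub})
    app_war = build_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": vulnerable, "index.html": b"<html/>"})
    results = []
    for path, data in [("stripped.jar", stripped), ("patched.jar", patched), ("app.war", app_war)]:
        results.extend(scan_archive(data, path))
    return results


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['status']:45} {f['path']} (version {f['version']})")
```

The nested-archive walk is the part that matters for products like the ones mentioned in the post: log4j-core is rarely a top-level file on disk, it sits inside a WAR or a fat jar, and a scan that only looks at file names on disk misses it. The "MITIGATED" case covers the common emergency fix of deleting JndiLookup.class from the jar.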
26 days ago
Hello @Charles Race, there are a lot of responses already on this one. Considerations will include on-premises vs SaaS, and one tool vs a modular approach using different tools. I will share some additional details:
1. Snyk: It can do SAST, SCA, containers, IaC scripts - all 4. They…
About 1 month ago
Replied to reviewer1650858 on "How does Snyk compare with SonarQube?"
@reviewer1650858: Did you use Snyk for both SAST and SCA analysis? If yes, for SAST, did you upload source code to the Snyk platform to get results? As per the documentation, they need the source code to be uploaded for 24 hrs, after which they remove it.
About 1 month ago
3 months ago
I believe no single tool will address all OWASP Top 10 issues. One will need a combination of tools and approaches, as was also mentioned in the recent OWASP anniversary webinars. A01:2021 Broken Access Control has moved to number 1 on the list this year compared to number 5…
3 months ago
SAST and DAST are complementary to each other. The best approach is to include both. SAST: inspects the underlying source code, requires an understanding of the source design, is utilized early in the development cycle, and the average cost to remediate issues is…
4 months ago
Multiple aspects need to be looked at. I'm listing a few critical ones:
1. Hidden passwords and secrets within the application.
2. Check IaC, Docker and K8s scripts - do they have the right configuration? Wrt Kubernetes, "Hardening Guidance" was released by NSA and CISA…
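To make points 1 and 2 concrete, here is an added example (written for this page, not the commenter's code and not from any scanner product) with two small checks: a secret finder that combines keyword patterns with a Shannon-entropy fallback, and a Dockerfile linter that flags unpinned base images, secrets in ENV/ARG, ADD from a URL, and containers that never drop root. The source snippet and both Dockerfiles are constructed inputs; the AWS key in the sample is the value AWS itself uses as a documentation example, and the rest (hunter2hunter2, the salts, the example.com URL, the "app" user) is made up for the demo.

```python
"""Two checks from the list above: hard-coded secrets in source, and risky
Dockerfile settings. Sample inputs are constructed; stdlib only."""
import math
import re

# Keyword rule requires a quoted literal value and skips "${VAR}" placeholders
# (the value may not start with '$').
SECRET_PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Credential assignment", re.compile(
        r"(?i)\w*(password|passwd|secret|api[_-]?key|token)\w*\s*[=:]\s*['\"]([^'\"$]{6,})['\"]")),
]
QUOTED_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
SECRET_ENV = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*[= ]")


def shannon_entropy(s):
    """Bits per character: random 32-char alphanumerics score about 5, prose about 3."""
    if not s:
        return 0.0
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())


def find_secrets(text, entropy_threshold=4.0):
    """Return [(line_no, label, matched_text)] for likely hard-coded secrets."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((line_no, label, match.group(0)))
                break
        else:  # no keyword hit: fall back to entropy of long quoted literals
            for match in QUOTED_LITERAL.finditer(line):
                if shannon_entropy(match.group(1)) >= entropy_threshold:
                    findings.append((line_no, "High-entropy literal", match.group(1)))
    return findings


def check_dockerfile(text):
    """Return [(line_no, issue, detail)]; line 0 marks a whole-file issue."""
    issues, user = [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = [t for t in args.split() if not t.startswith("--")][0]
            unpinned = (":" not in image and "@" not in image) or image.endswith(":latest")
            if image != "scratch" and unpinned:
                issues.append((line_no, "unpinned base image", image))
        elif instr == "USER":
            user = args.strip()
        elif instr in ("ENV", "ARG") and SECRET_ENV.search(args):
            issues.append((line_no, f"{instr} embeds a secret-like value", args))
        elif instr == "ADD" and re.match(r"https?://", args):
            issues.append((line_no, "ADD from remote URL without verification", args))
    if user is None or user.split(":")[0] in ("root", "0"):
        issues.append((0, "container runs as root (no non-root USER)", user or "<none>"))
    return issues


# Constructed sample source: two keyword hits, one AWS key, one entropy-only hit,
# one "${VAR}" placeholder that must not fire, one low-entropy long literal.
SAMPLE_SOURCE = """\
DB_PASSWORD = os.environ.get("DB_PASSWORD")
db_password = "${DB_PASSWORD}"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
api_key = "hunter2hunter2"
SESSION_SECRET = 'k9J2mQ8vZ1xP4nR7tL0wE3yU6bH5cA8d'
signing_salt = "7Ks9Qw2LmP4xZ8vR1tY6uB3nE5cH0aJd"
banner = "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""
# Constructed Dockerfiles: a weak one and its hardened counterpart.
WEAK_DOCKERFILE = """\
FROM python:3.11-slim
ENV API_TOKEN=abc123secret
ADD https://example.com/installer.sh /tmp/installer.sh
COPY . /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""
HARDENED_DOCKERFILE = """\
FROM python:3.11-slim
RUN useradd --system --create-home app
COPY --chown=app:app . /app
RUN pip install --no-cache-dir -r /app/requirements.txt
USER app
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_SOURCE):
        print("secret:", hit)
    for issue in check_dockerfile(WEAK_DOCKERFILE):
        print("dockerfile:", issue)
    print("hardened issues:", check_dockerfile(HARDENED_DOCKERFILE))
```

The entropy fallback is what catches a value assigned to a name the keyword list does not know (signing_salt above), while the placeholder and the repeated-character literal show the two false-positive classes a naive "long quoted string" rule would raise. Real tools add far more patterns and a baseline/allow-list; the structure is the same.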
4 months ago
We have used SonarQube quite a lot and it is great for checking code quality and security hotspots much earlier in the SDLC and fixing those. The Community Edition is free to use, can be used on-premises and integrates seamlessly with Jenkins and others. The Enterprise and…
7 months ago
OWASP ZAP is open source, free to use and one of the most active open source projects in the DAST space. Weekly updates are being made to this project. Lots of add-ons are available, which make this an excellent product. The newly created Automation Framework (AF) is the…
7 months ago
@Evgeny Belenky Yes. We have used it for TypeScript, Java, .NET and SQL. Coverage depends on the rules available for each language. It is possible to import more rules if required. My experience has been great so far.
7 months ago
We have been using SonarQube and SonarLint (IDE) for quite some time on multiple projects and it is one of the best, if not the best. It can handle multiple tech stacks and gives a good view of the static code in terms of vulnerabilities, hotspots, code smells, bugs, etc.…
8 months ago
I believe we need to cover the SDLC from start to end as much as possible, while ensuring that this does not mean too many dashboards and also keeping the cost of development in mind.
1. IDE checks: This is the first step in a shift-left approach. Many open source tools…
8 months ago
SonarQube is a great product for static code analysis. But setting it up takes a lot of time and is tricky depending on the language in scope. For example, for .NET it needs different dependencies to be installed compared to Java. I would expect that SonarQube at the…


About me

Passionate about using technology to bring value to business.