Badges
75 Points
3 Years
User Activity
About 3 years ago
Replied to Andrew Van Der Stock What are the OWASP Top 10 in 2021?
The history of the OWASP Top 10 through the years:
https://www.hahwul.com/cullina...
About 3 years ago
Answered a question: Which gives you more for your money - SonarQube or Veracode?
Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?
Over 3 years ago
Replied to Curtis Yanko What are the OWASP Top 10 in 2021?
@Andrew Van Der Stock thanks, I’ll be sure to look for it.
Over 3 years ago
Replied to Curtis Yanko What are the OWASP Top 10 in 2021?
@Evgeny Belenky You are correct,
But DAST is more about proving SAST findings to remove any doubt. I prefer to use a 'directed' DAST approach to keep it fast and in-band to the pipeline.
By 'Directed' I mean, we have a map of endpoints and associated vulns from our SAST…
Over 3 years ago
Answered a question: What are the OWASP Top 10 in 2021?
I’m not sure the top 10 is changing this year but if it is it will be to squeeze more stuff in ;-).
To effectively detect these in a web app you need a status analyzer with deep data flow analysis. I joined ShiftLeft because I felt they had the best tool to change the way…
Over 3 years ago
Answered a question: What are the threats associated with using ‘bogus’ cybersecurity tools?
I suppose it depends on just how 'bogus' they are. If they are truly 'bogus' then you are likely looking at a trojan. If, however, we are just talking about a 'bad' security tool then you are talking about trying to manage your security with bad or missing information.
Almost 4 years ago
Answered a question: What is the biggest difference between Checkmarx and SonarQube?
I’ve always viewed sonarqube as a code quality tool that compliments many code security tools like a checkmarx.
Almost 4 years ago
Answered a question: SAST vs. DAST: Which is better for application security testing?
It’s a false choice of a question but DAST exist because folks don’t trust their SAST tool. DAST is good about true positives but bad about false negatives. SAST just has a reputation for false positives but a new generation of SAST tools do a much better job.
Almost 4 years ago
Answered a question: Is SonarQube the best tool for static analysis?
If you stop at ‘static analysis’ and leave off the Security Testing part. I don’t even view this tool as a security tool, it’s much more about code quality.
Almost 4 years ago
Answered a question: When evaluating Application Security, what aspect do you think is the most important to look for?
Application Security solutions need to work for developers and facilitate their interaction with AppSec including things like training/education. It needs to be fast enough to work on the main CI/CD pipeline and it needs to be trustworthy.
Projects
Almost 4 years ago
I started and run DevOps teams in FortuneI started and run DevOps teams in Fortune 100 companies
Answers
About 3 years ago
Application Security Tools
Over 3 years ago
Application Security Tools
Almost 4 years ago
Application Security Tools
Almost 4 years ago
Application Security Tools
Almost 4 years ago
Application Security Tools
About me
I know a thing or two because I’ve seen a thing or two
Interesting Projects and Accomplishments
Almost 4 years ago