User Activity
Over 1 year ago
Answered a question: What are the differences between SonarQube and CAST AIP?
Hi Joe - SonarQube is essentially a static code quality tool and has multiple versions (community is free and then we have developer, enterprise, and data center versions which are paid). As per the latest branding from CAST, they don't market AIP as a separate product and…
Over 1 year ago
Answered a question: Which software is ideal for code quality and security?
@Tej Muchhala : Code Quality and Security are 2 different domains and depending on how deep you want to go, the choice of tools will vary.
1. SonarQube - This has both community editions and commercial editions. The community has limited scope and no reporting. The…
Over 1 year ago
Answered a question: Can you please provide a centralized view of all testing types including SAST, DAST, SCA, and manual penetration testing?
When you say centralized view, do you mean different testing categories which should be looked at for mature software development? If yes, sharing my views on important ones.
1. Functional Testing (either using open source frameworks like playwright, cypress, and selenium…
Over 1 year ago
Answered a question: What is the best way to track open-source license compatibility?
We have used the following tools and they work well in giving a detailed licensing posture for open-source libraries - WhiteSource/Mend and CAST HL. Both of them give what licenses are in use and whether they are risky or ok to use.
For example, GPL license is always risky…
Over 2 years ago
Contributed a review of CAST Application Intelligence Platform: Has a security dashboard that's helpful because it gives compliance checks based on some of the leading frameworks in the industry
Over 2 years ago
Answered a question: How do you use the MITRE ATT&CK framework for improving enterprise security?
MITRE ATT&CK framework provides different attack patterns. While the main website has a lot of information, Microsoft wrote this blog to share details on how Azure maps to this framework. This is an excellent read:
MITRE ATT&CK® mappings released for built-in Azure security…
Almost 3 years ago
Answered a question: How do you protect your API from security threats?
We have so far looked at leveraging OWASP ZAP to perform DAST on the APIs. As long as APIs use the Open API framework, we are able to do this easily for different authentication methods and get reports for different thresholds. So far this has sufficed for our needs.
Commercial…
Almost 3 years ago
Answered a question: What is Security Posture and what categories of Security Posture Management do exist?
Security posture will include a number of things.
The following artifacts should be scanned to ensure they are secure, configured correctly and free from malware or sensitive information:
OSS modules and frameworks
Containers
Serverless functions
APIs and declarative…
Almost 3 years ago
Answered a question: What are your top DevOps and DevSecOps predictions for 2022?
Infrastructure as Code script testing, API security testing and SCA will gain more relevance and importance this year.
Customers may also like to have a modular framework to pick and choose different areas of DevSecOps (SAST, SCA, DAST, IAST, OAST, etc) as per their…
Almost 3 years ago
Asked a question: SonarQube Community Edition vs SonarQube Enterprise Edition
Almost 3 years ago
Answered a question: What is the difference between SAST and SCA tools?
SCA looks at open-source libraries only and associates vulnerabilities and license analysis with the open-source libraries. It helps maintain an SBOM inventory.
SAST looks at the proprietary application source code and does the same - assesses code health, vulnerabilities, security…
Almost 3 years ago
Answered a question: What does the Log4j/Log4Shell vulnerability mean for your company?
WhiteSource has released a utility to detect log4j vulnerability in the codebase.
Take a look at this if it helps. In our case, a lot of projects use Elastic Search and Azure DevOps Server - both of them have log4j being used and that's where additional fixes have to be…
Almost 3 years ago
Answered a question: What is the best Application Security Testing platform?
Hello @Charles Race
A lot of responses already on this one. Considerations will include on-premises vs SaaS, and one tool vs a modular approach using different tools. I will share some additional details.
1. Snyk: It can do SAST, SCA, Containers, IaaC scripts - all 4. They have…
Almost 3 years ago
Replied to reviewer1650858 How does Snyk compare with SonarQube?
@reviewer1650858 : Did you use Snyk for both SAST and SCA analysis? If yes, for SAST, did you upload source code to the Snyk platform for getting results? As per documentation, they need source code to be uploaded for 24 hrs, after which they remove it.
Almost 3 years ago
Asked a question: How do you use Snyk for running SAST?
About 3 years ago
Answered a question: What are the OWASP Top 10 in 2021?
Believe no single tool will address all OWASP Top 10 issues. One will need a combination of tools and approaches, as was also mentioned in the recent OWASP anniversary webinars.
A01-2021: Broken Access Control has moved to number 1 on the list this year compared to number 5…
About 3 years ago
Answered a question: SAST vs. DAST: Which is better for application security testing?
Both SAST and DAST are complementary to each other. The best approach is to include both SAST and DAST.
SAST: Inspects underlying source code, requires understanding of source design, is utilized early in the development cycle, and the average cost to remediate issues is…
About 3 years ago
Answered a question: When evaluating Application Security, what aspect do you think is the most important to look for?
Multiple aspects need to be looked at. I'm listing a few critical ones:
1. Hidden passwords and secrets within the application.
2. Check IaaC, Docker, K8s scripts - do they have the right configuration? W.r.t. Kubernetes, "Hardening Guidance" was released by NSA and CISA…
About 3 years ago
Answered a question: Which gives you more for your money - SonarQube or Veracode?
We have used SonarQube quite a lot and it is great to check code quality and security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and…
Over 3 years ago
Answered a question: What is your experience regarding pricing and costs for OWASP Zap?
OWASP ZAP is open source, free to use and one of the most active open source projects in the DAST space. There are weekly updates being done to this project. Lots of add-ons are available which make this an excellent product. The newly created automation framework (AF) is the…
Over 3 years ago
Contributed a review of CodeScene: Great for identifying hotspots, has an excellent knowledge map, and makes it easy to find files
Over 3 years ago
Replied to Vishal-Goyal Is SonarQube the best tool for static analysis?
@Evgeny Belenky Yes. We have used it for TypeScript, Java, .NET, SQL. Coverage depends on the rules available for each language. It is possible to import more rules if required. My experience has been great till now.
Over 3 years ago
Answered a question: Is SonarQube the best tool for static analysis?
We have been using SonarQube and SonarLint (IDE) for quite some time on multiple projects and it is one of the best if not the best.
It can handle multiple tech stacks, gives a good view of the static code in terms of vulnerabilities, hotspots, code smells, bugs, etc…
Over 3 years ago
Answered a question: What tools do you rely on for building a DevSecOps pipeline?
I believe we need to cover the SDLC from start to end as much as possible, while ensuring that this does not mean too many dashboards and also keeping the cost of development in mind.
1. IDE Checks: This is the 1st step in shift left approach. Many open source tools integrate…
Over 3 years ago
Answered a question: What needs improvement with SonarQube?
SonarQube is a great product for static code analysis. But the setup of the same takes a lot of time and is tricky depending on the language in scope. For example, for .NET it needs different dependencies to be installed compared to Java. I would expect that SonarQube at the…
Over 3 years ago
Contributed a review of CAST Highlight: Excellent support, works seamlessly with most languages, and useful for knowing about the readiness of the codebase for cloud migration
About me
Passionate about using technology to bring value to business.