User Activity
Over 3 years ago
Answered a question: What tools do you rely on for building a DevSecOps pipeline?
Everything in technology focuses on People, Process & Technology. What binds these together is business requirements and understanding the needs of each Line Of Business. Often each Line of Business requires completely different requirements, but what tools help you meet…
Over 3 years ago
Answered a question: What is the best Application Security Testing platform?
The first thing you'd want to do is
1. Look at your application inventory to determine the language and framework coverage.
2. The following would be what has the developer integrations with my current and future state CI/CD toolset, Developer IDEs
3. Do I have the…
Almost 4 years ago
Answered a question: SAST vs. DAST: Which is better for application security testing?
The easiest way to remember the role of each:
SCA & SAST = Am I Vulnerable
DAST & IAST = Am I Exploitable (In some cases together, they complement SAST)
RASP & WAF = Can I Protect Myself (Fixing the code is the primary option)
Almost 4 years ago
Answered a question: When evaluating Static Code Analysis Software, what aspect do you think is the most important to look for?
Choosing the right static analysis software requires multiple components:
1. What are my business requirements and do I have champion BUs
2. What does your application portfolio look like (Lang. developed, Line of Code, etc.) and do we have a complete application inventory…
Almost 4 years ago
Answered a question: What alternatives are there for Fortify WebInspect and Fortify SCA?
Rendra,
You need to ask yourself a few questions:
1. Do I know the technology stack (languages) that needs to be supported?
2. Do I have access to the Source Code, just Binaries OR Both?
3. Do I need to support SCA (FOSS)?
4. Do I need a unified Dashboard for reporting for…
Almost 4 years ago
Replied to Oscar Van Der Meer What alternatives are there for Fortify WebInspect and Fortify SCA?
@Oscar Van Der Meer Fortify SCA (Static Code Analyzer) was around way before SCA (Software Composition Analysis). There are various integrations with Software Composition Analysis (SonaType, BlackDuck, Snyk, WhiteSource, and OWASP Dependency Checker & Track). The reason…
Projects
Almost 4 years ago
Turning a major financial customer from a non-believer to the most robust customer. That customer is now a referenceable customer.
Answers
Over 3 years ago
Static Application Security Testing (SAST)
Over 3 years ago
Static Application Security Testing (SAST)
Almost 4 years ago
Application Security Tools
Almost 4 years ago
Static Code Analysis
Almost 4 years ago
Software Composition Analysis (SCA)
About me
Thomas Ryan is an established expert on cyber & physical security specializing in red team operations, application and supply chain security, information operations & personal protection. His precision focus during his career has been on offensive and defensive security operations and their application within both public and private organizations.
Thomas serves as Board Advisor for numerous companies while functioning as the Founder of Asymmetric Response, a boutique security firm.
In 2010 Thomas gained global notoriety for his research known as “The Robin Sage Experiment”. His research focused on the dangers and threats around social media. To this day the impact of this research is still relevant as well as 10x greater. Currently, the Robin Sage Experiment's concepts are being taught in 28 universities in their cybersecurity and homeland security courses. It’s also been referenced in hundreds of security research papers and is currently used in many red teams and intelligence collection operations. Additionally, Thomas has been assigned several CVEs for exploits discovered and referenced 3 different times in the MITRE ATT&CK Framework.