Dealing with application in-security

At the recent SANS Application Security Summit, I had the pleasure of chatting with some of the brightest minds in the appsec field. Aside from educating developers, everyone seems to agree that we need to roll security into the development lifecycle and make sure we test the security aspects of applications before letting them move into production. On the testing front, there has been a lot of activity in the product space.

Static code scanners can scan source code for vulnerabilities. The approach is obviously more thorough, but it can generate tons of alerts, which can overwhelm the user. Rolling it into the development lifecycle can be a big challenge: organizations are struggling to place it between developers and QA, and some organizations are more successful than others. Overall, organizations have to really change their development culture to adopt a static source scanning product.

The runtime analysis tools (commonly known as web application scanners)



93 Posts
ISC Handler
Sep 5th 2007
