Month: February 2018

SAST, DAST, and IAST. Oh My! (S03E05)

Pete Chestna is an advocate for SAST, DAST, and IAST tools and a passionate #AppSec enthusiast. A moving quote that Pete shared during this episode is “an #AppSec program is the byproduct of building secure developers.” #Truth

Pete describes the differences between SAST, DAST, IAST, and RASP, the struggles that developers encounter using new tools, false positives that occur and how to reduce them, and advice for building an #AppSec program from scratch versus adding tools to a mature program.

You can find Pete on Twitter @PeteChestna.

Additional information on this topic:

We Are Not Making It Worse (S03E04)

Irene Michlin operates at the intersection of security and agility. She teaches about incremental threat modeling and how to do threat modeling when living in an Agile or DevOps world.

Irene ends the discussion by saying that her goal when working with a team on threat modeling is that they all conclude “We are not making it worse.”

You can find Irene on Twitter @IreneMichlin, and check out Irene’s talk on Incremental Threat Modeling last year at AppSec EU.

Insecure Deserialization (S03E03)

Bill Sempf joins to talk about insecure deserialization. We do a deep dive and contextual review of the generalities of deserialization, and the specifics of how it applies to .NET. Bill gets into his journey to understand these types of vulnerabilities and provides some hints and tips for how you can look for them in your code.