SANS ISC: Internet Security | DShield
Dealing with application in-security

At the recent SANS Application Security Summit, I had the pleasure of chatting with some of the brightest minds in the appsec field. Aside from educating developers, everyone seems to agree that we need to roll security into the development lifecycle and make sure we test the security aspects of applications before letting them move into production. On the testing front, there has been a lot of activity in the product space.

Static code scanners can scan source code for vulnerabilities. The approach is more thorough, but it can generate a flood of alerts that overwhelms the user. Rolling it into the development lifecycle can be a big challenge: organizations are struggling to place it between development and QA, and some are more successful than others. Overall, organizations have to really change their development culture to adopt a static source scanning product.

The runtime analysis tools (commonly known as web application scanners)

ISC Handler
Sep 5th 2007
