In my prior blog, Continuous Testing – The Quest for Quality at Speed, I described five tenets and some of the practices for continuous testing to help with understanding what continuous testing is. In my consulting work, I find it necessary to use 15 categories of practices to assess an organization’s continuous testing capabilities. Given […]
Prevent False Positives From Derailing Shift Left
Static application security testing (SAST) tools are designed to balance false positives (incorrect warnings) against false negatives (missed vulnerabilities), primarily because deeper analysis requires more time and computing resources. Both of these are in short supply among developers who are tasked with meeting shorter and shorter product delivery milestones. So, while SAST vendors consider a […]
SAST, DAST, SCA: What’s Best For AppSec Testing?
According to the most recent Verizon Data Breach Investigations Report, almost 90% of data breaches are driven by financial gain, up from 71% in last year’s report. Most noteworthy, however, is that cloud platforms are particularly at risk, with web application attacks increasing by 43%. As more information is stored within cloud infrastructures, and as […]
GrammaTech Allies with GitLab to Advance DevSecOps
GrammaTech announced today it has partnered with GitLab to integrate its GrammaTech CodeSonar static application security testing (SAST) tools with the GitLab Ultimate DevSecOps platform. Vince Arneja, chief product officer at GrammaTech, said integration with continuous integration/continuous delivery (CI/CD) platforms such as GitLab is critical because it enables security scans to run automatically any time […]
What is SAST? Overview + SAST Tools
Static Application Security Testing Overview. With the growing number of cybersecurity threats, you must ensure that your software is protected against potential vulnerabilities and threats. One of the most beneficial practices is to use static application security testing (SAST). What You Need to Know: Static application security testing is a type of software test used […]
Shifting Left and Static Code Analysis with Perforce
Perforce Product Manager Stuart Foster and Evangelist Steve Howard join Mitch Ashley to discuss the importance of building secure software from the beginning of the development process. We discuss shift left, SAST, source code scanning and other pursuits toward this goal. The video is immediately below, followed by the transcript of the conversation. Enjoy! Transcript […]
Snyk Brings AI to DevSecOps
Snyk today at its SnykCon 2020 conference announced a static application security testing (SAST) tool dubbed Snyk Code that incorporates an interpretable machine learning semantic code analysis engine the company gained through its acquisition of DeepCode earlier this year. The company also announced it has extended its alliance with Docker Inc. to become the exclusive provider […]
Code Security: SAST, Shift-Left, DevSecOps and Beyond
Automation is the key to pushing code security beyond DevSecOps. In virtually every industry, developers are dealing with ensuring the safety of their code. Regardless of whether it’s enterprise or applications for automotive, aviation or industrial controls, small systems or large systems, every organization struggles with security. In response, the industry continues to evolve to […]
What Developers Really Think About Pentesting
A developer in their natural habitat is often spotted in a state of deep concentration, coding awesome features to tight deadlines. Feature-building is often our favorite part of the job, and really, it’s the fundamental outcome of the software development life cycle (SDLC). However, as we have discussed before, many of us are still prioritizing […]
3 DevOps Security Best Practices Your Organization Can’t Afford To Ignore
CI/CD pipelines are at the core of daily operations for many businesses today. These processes, when set up correctly, help to keep the delivery process consistent by automating many manual tasks and providing visibility into how the software is being worked on. DevOps is also the place in your technology stack where your infrastructure has […]