At the recent SANS Application Security Summit, I had the pleasure of chatting with some of the brightest minds in the appsec field. Aside from educating the developers, everyone seems to agree that we need to roll security into the development lifecycle and make sure we test the security aspects of applications before letting them move into production. On the testing front, there has been a lot of activity in the product space.
There are static code scanners that scan source code for vulnerabilities. The approach is obviously more thorough, but it can generate tons of alerts, which could overwhelm the user. Rolling it into the development lifecycle can be a big challenge: organizations are struggling to place it between developers and QA, and some organizations are more successful than others. Overall, organizations have to really change their development culture to adopt a static source scanning product.
The runtime analysis tools (commonly known as web application scanners)
Sep 5th 2007