Reasonable 🔐AppSec #4 - More DAST, Five Security Articles, Photo, and Podcast Corner

Hey there,

Happy Friday! Back in the US and struggling to return to the East Coast time zone.

In this week’s issue of Reasonable Application Security:

• Still, talking about if anyone needs DAST? 🙋‍♂️

• Photo of the week 📸

• Five security articles 📰 that are worth YOUR time

• Application Security Podcast 🎙️Corner

Still, talking about if anyone needs DAST? (cont’d) 🙋‍♂️

I seem to have poked a bear 🐻 following my comments last week on DAST. I took my thoughts to my Kerr Secure blog, added a few more points, and then released the article as a post on LinkedIn. I wonder which classic AppSec heart I should break next.

Here are the highlights that I took away from the LI thread:

• Dean Argon —advocates for integrating Dynamic Application Security Testing (DAST) within a broader security program rather than using it standalone. He suggests combining DAST and SAST to validate exploitability, filter non-exploitable vulnerabilities, and offer developers real-life, applicable training through focused analysis and remediation guidelines.

• Jeff Williams —supports Interactive Application Security Testing (IAST), as it integrates security testing into normal testing processes, providing comprehensive coverage across custom code, libraries, and frameworks. He argues that traditional SAST can't capture the full vulnerability path, and DAST yields false positives due to its limited visibility and resource intensity. Hence IAST emerges as the optimal solution due to its distributed nature, pipeline compatibility, and higher accuracy with fewer false positives and negatives.

• Sean Finley —suggests that while DAST is required in certain situations, such as by contracts in more traditional companies, it isn't generally an efficient use of time or budget. He advocates for IAST, which he claims provides near-zero false positives and is as fast as your tests, although it requires application instrumentation. Therefore, tools like Burp or Zap might be better for organizations without complete test automation.

• Brian Reed — agrees that DAST can be challenging for web applications but asserts that it's considerably different and more effective for mobile apps. He highlights that specific tools, like NowSecure, can quickly perform DAST within a DevSecOps pipeline in 15-20 minutes, depending on app complexity, and can be used on build or pull requests like a GitHub Action.

• Sean Poris —expresses a strong skepticism towards DAST, stating it doesn't deliver its promised value and is primarily helpful for compliance purposes. He suggests that other tools integrated into the engineering flow are more beneficial. While DAST might identify some fundamental issues in a fledgling security program, it shouldn't be considered a cornerstone of application security anymore in its traditional sense.

Give the comments on the post a read for even more thoughts on the usefulness of DAST.

Photo of the week 📸

The castle is a security illustration of the past. We no longer live in a world where we can build and keep an application within protective castle walls. The applications we build exist without walls and fortification. You could argue that we fortify the applications as they make their way through a pipeline, gaining assurance with each successful tool that returns no blocking results.

I enjoyed standing in the courtyard of this castle overlooking Edinburgh. The only rub was the seemingly hundreds of steps up the side of the hill to reach the overlook.

Five Security Articles 📰 that Are Worth YOUR Time

• A prompt injection is a technique whereby an AI chatbot is convinced by a malicious (or maybe just mischievous) actor to produce a response different from the one expected initially. (more)

• A comprehensive technical analysis of supply chain threats and their corresponding mitigations in SLSA, with an introduction to the supply chain threats that SLSA protects against. I never miss a good list of threats for threat modeling. (more)

• Atlassian’s take on the paved path to balancing security and innovation. (more)

• open-appsec ML-based WAF protects against modern SQLi AutoSpear evasion techniques. (more)

• Due to escalating consequences of poor cybersecurity practices, board members are pushing for increased attention to cybersecurity-induced risks. With the proper discussions aimed at resilience, they can advance towards providing effective oversight, despite lacking the necessary understanding to ask the right questions. (more)

Podcast 🎙️ Corner

I love making podcasts. In Podcast Corner, you get a single place to see what I’ve put out this week. Sometimes they are my podcasts. Other times they are podcasts that have caught my attention.

• I did the Scale to Zero Podcast and discussed Learning Application Security, threat modeling, and the importance of people, processes, tools, and governance as a framework for AppSec.

• I did the first episode of the Security Champions Podcast with my good friend Michael Burch. I talked about the Security Champion Framework I released via Github.

• Application Security Podcast

  • This is from a few months ago, but worth drawing your attention.

  • Sarah-jane Madden -- Threat Modeling to established teams

    • Sarah-Jane joins us to discuss her talk at OWASP Dublin, "Far from green fields — introducing Threat Modeling to established teams." She shares lessons learned from her 3-year journey and is transparent with the mistakes she made along the way.

• Security Table — new episode next week.

• Threat Modeling Podcast — new episode next week.

🤔 Have questions, comments, or feedback? I'd love to hear from you!

🔥 Reasonable AppSec is brought to you by Kerr Ventures.

🤝 Want to partner with Reasonable AppSec? Reach out, and let’s chat.