Author Archives: Josh Bressers

These are certainly strange times we are living in. None of us will ever forget what’s happening and we will all retell stories for the rest of our days. Many of us asked “tell me about the depression grandma”, similar questions will be asked of us someday. The whirlwind of confusion and chaos got meContinue reading “Who are the experts”

Well, we’ve made it to the end. What started out as a short blog post ended up being 7 posts long. If you made it this far I commend you for your mental fortitude. I’m going to sum everything up with these 4 takeaways. Understand the problem we want to solve Push back on scannerContinue reading “Part 6: What do we do now?”

If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article. Or not, I mean, whatever. I’ve spent the last few posts going over the challenges of security scanners. I think the most important takeaway is we need to temper our expectations. EvenContinue reading “Part 5: Which of these security problems do I need to care about?”

We’ve already discussed the perils of code and composition scanning. If you’ve not already read those, you should go back to the beginning. Now we’re going to discuss application scanning. The basic idea here is we have a scanner that interacts with a running application and looks for bugs. The other two scanners run againstContinue reading “Part 4: Application scanning”

If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article. In this post we’re going to talk about a newer type of scanner called a composition scanner. The idea here is when you build an application today it’s never just what youContinue reading “Part 3: Composition scanning”

If you just showed up here, go back and start at the intro post, you’ll want the missing context before reading this article. The first type of scanner we’re going to cover are source code scanners. It seems fitting to start at the bottom with the code that drives everything. Every software project has sourceContinue reading “Part 2: Scanning the code”

This post is the first part in a series on automated security scanners. I explain some of the ideas and goals in the intro post, rather than rehashing that post as filler, just go read it, rehashing content isn’t exciting. There are different kinds of security scanners, but the problem with all of them isContinue reading “Part 1: Is your security scanner running? You better go catch it!”

Are you running a security scanner? It seems like everyone is doing it, maybe it’s time to get with it. It’s looking like automated security scanning is the next stage in the long winding history of the security industry. If you’ve never run one of these scanners that’s OK. I’m going to explain what theyContinue reading “The Security Scanner Problem”

Unless you’ve been living under a rock for the past few … forever, you may have noticed that open source is taking took over the world. If software ate the world, open source is the dessert course. As of late there have been an uptick in stories about backdoors in open source software. These backdoorsContinue reading “Backdoors in open source are here to stay”

Recently there was a thread on Twitter I stuck my nose into about appsec and why it doesn’t work. I have a response in there that I believe is a nice way to explain my biggest problem with appsec. I would sum it up as “Appsec isn’t people”. Here is a clever image to help.Continue reading “Appsec isn’t people”