You didn’t change anything in your code, yet the scan is different this time. Here’s advice from an Application Security Consultant on why that may be.  Have you ever wondered why you scan code one day and get one result, and then scan the same code a month later and get different results – even…

Documenting flaws that you don't prioritize today will save you time should they become high-severity flaws in the future. Here's the best way to approach them. The topic of mitigations is a commonplace source of questions and discussion for our Application Security Consulting group. This is a…

As important as application security testing is, it's really just the first step in a continuous process to identify and fix flaws. And, depending on your application, you may have hundreds of flaws which require remediation. Some of the most common questions I hear when consulting with customers,…

After nearly 10 years as a security consultant, I've talked to thousands of developers about remediating security flaws in their code. It's not always an easy conversation, and developers have a wide range of emotional reactions, not all of them good. The fact is, developers are increasingly…

Developers don't always respond well to security assessments that highlight flaws in their code. With a little bit of empathy, it's not hard to understand why developers might react with frustration, annoyance, or even hostility. Security testing should be a dispassionate and routine part of the…