As important as application security testing is, it's really just the first step in a continuous process to identify and fix flaws. And, depending on your application, you may have hundreds of flaws which require remediation. Some of the most common questions I hear when consulting with customers, particularly new customers, are, “how can I make sure I’m remediating the flaws I find,” followed by… READ MORE ›

In previous posts in this blog series, I've explained that AppSec teams should have empathy for developers as they go through the stages of grief after an unfavorable security assessment of their code. In this post, we wrap up by discussing how to get developers to move through the final two stages – from bargaining to acceptance. Bargaining: "We have a firewall that handles this." The bargaining… READ MORE ›

After nearly 10 years as a security consultant, I've talked to thousands of developers about remediating security flaws in their code. It's not always an easy conversation, and developers have a wide range of emotional reactions, not all of them good. The fact is, developers are increasingly responsible for quality assurance and security testing of their code, tasks that didn’t used to be part of… READ MORE ›

Developers don't always respond well to security assessments that highlight flaws in their code. With a little bit of empathy, it's not hard to understand why developers might react with frustration, annoyance, or even hostility. Security testing should be a dispassionate and routine part of the software development lifecycle – application security professionals will tell you it’s never personal… READ MORE ›