The complexity of modern applications and APIs makes them extremely difficult to test for security vulnerabilities. Traditional tools like static (SAST) and dynamic (DAST) scanners are complex to run and produce high false positive and false negative rates. The result is siloed appsec testing teams, bottlenecks, long feedback loops, and large security backlogs.
Fortunately, there is a way out of this trap. Interactive application security testing (IAST) instruments the running application from the inside, observing how data flows from untrusted sources to dangerous sinks while the application is exercised, so it measures security directly rather than inferring it from source code or from responses to probe traffic. Because the findings come from whatever traffic the application already receives, anyone who can use a browser can surface complex, critical vulnerabilities without running a scan, without security expertise, and without changing their development process. IAST runs in real time and merges highly accurate security testing into all your normal QA activity. In this talk, you will learn how IAST works and how it can unlock the benefits of DevSecOps.
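To make the mechanism concrete, here is an added Python sketch of what an IAST agent does; it is not the speaker's tool or any vendor's product. It places a source sensor where request data enters the application and a sink sensor on the database driver (using `sqlite3.connect(..., factory=...)` to substitute an instrumented `Connection` class), then replays one benign functional test (`name=alice`) against a vulnerable handler and a fixed one. Both handlers return the correct row, so a functional test passes either way; only the sink sensor reports that request data became part of the SQL text. The names `TaintedStr`, `IastAgent`, `SensoredConnection`, the two handlers and the routes are constructed for this illustration.

```python
"""IAST mechanism sketch. Added example, not the speaker's or any vendor's agent.

Two sensors sit inside the running application: a source sensor marks data
arriving from the HTTP request as tainted, and a sink sensor on the database
driver reports when tainted request data forms part of the SQL text instead of
being bound as a parameter. Ordinary functional tests drive the application;
findings come from what the agent observes, not from attack payloads. All names
(TaintedStr, IastAgent, the handlers, the routes) are constructed for this sketch.
"""
import sqlite3
from dataclasses import dataclass, field


class TaintedStr(str):
    """A str that remembers it came from an untrusted source.

    Taint follows concatenation, the operation a vulnerable handler uses to
    splice request data into a query. A production agent instruments the
    runtime so taint survives every string operation; this sketch does not.
    """

    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    def __add__(self, other):
        return TaintedStr(str.__add__(self, other), self.source)

    def __radd__(self, other):
        # Python tries the subclass's reflected method first, so
        # "constant" + tainted also yields a TaintedStr.
        return TaintedStr(str.__add__(other, self), self.source)


@dataclass
class Finding:
    route: str
    sink: str
    source: str
    query: str


@dataclass
class IastAgent:
    """Collects source/sink observations for the request being processed."""
    findings: list = field(default_factory=list)
    route: str = "?"

    def taint(self, value, source):
        """Source sensor: called where request data enters the application."""
        return TaintedStr(value, source)

    def observe_sink(self, sink, sql):
        """Sink sensor: a query whose text is tainted is an injection."""
        if isinstance(sql, TaintedStr):
            self.findings.append(Finding(self.route, sink, sql.source, str(sql)))


AGENT = IastAgent()


class SensoredConnection(sqlite3.Connection):
    """The database driver with the sink sensor attached (in-process hooking).

    Only the Connection.execute shortcut is hooked here; a real agent would
    also cover Cursor.execute and executemany.
    """

    def execute(self, sql, parameters=(), /):
        AGENT.observe_sink("sqlite3.Connection.execute", sql)
        return super().execute(sql, parameters)


def open_db():
    conn = sqlite3.connect(":memory:", factory=SensoredConnection)
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")
    return conn


def vulnerable_lookup(conn, name):
    """'Before': request data is concatenated into the SQL text."""
    return conn.execute("SELECT role FROM users WHERE name = '" + name + "'").fetchall()


def fixed_lookup(conn, name):
    """'After': the SQL text is constant; request data is bound as a parameter."""
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()


def simulate_qa_traffic():
    """Replay a benign functional test (name=alice) against both routes.

    Returns (findings, per-route results). Both routes return the same row.
    """
    AGENT.findings.clear()
    conn = open_db()
    results = {}
    for route, handler in (("/user_vuln", vulnerable_lookup), ("/user_fixed", fixed_lookup)):
        AGENT.route = route
        name = AGENT.taint("alice", "http.query.name")  # request parameter enters here
        results[route] = handler(conn, name)
    return list(AGENT.findings), results


if __name__ == "__main__":
    findings, _ = simulate_qa_traffic()
    for f in findings:
        print(f"{f.route}: tainted {f.source} reached {f.sink}: {f.query!r}")
```

The point the sketch makes is the one that distinguishes IAST from a scanner: the test input is an ordinary value, not a payload, and the finding is produced by observing the data flow inside the process, so the same QA run that checks functionality also checks security.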
Jeff will share data showing how large real-world companies have transformed their application security programs, eliminated their security backlog, slashed their mean time to remediate vulnerabilities, and cut their new vulnerability rate. And more importantly, they’ve merged their quality and security testing infrastructures and aligned the interests of the development and security teams. These organizations are getting secure code moving and delivering value to customers at high velocity.