This piece is part of our ‘Faculty Focus’ series, an interview-style article where a member of the IANS Faculty shares firsthand, practitioner-based insights on an infosec topic. In this feature Tanya Janca discusses common DAST and SAST tool challenges facing security teams and provides tips to promote tool adoption.
Tanya Janca is the best-selling author of ‘Alice and Bob Learn Application Security’. She is the Director of Developer Relations and Community at Bright Security, as well as the founder of We Hack Purple, an online learning community that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty-five years, won countless awards, and has been everywhere from public service to tech giants, writing software, leading communities, founding companies and ‘securing all the things’. She is an award-winning public speaker, active blogger and streamer, and has delivered hundreds of talks on six continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.
Tanya: The challenges that I have seen with both SAST and DAST tools include:
As these tools are further developed, and as companies mature the content and advice that they provide, I fully expect this problem to keep improving yearly.
I recommend that companies get training on DAST tools before using them against any production environments. I would also advise that whenever possible, test against non-production environments to reduce any risks.
Often the security team is doing their best to build this trust and get buy-in from the developer teams that making time for security bug fixes is important.
If the software developers have tuned their CI/CD pipeline such that it takes 8 minutes to run every single test they need vs. a DAST tool that takes 6 hours, or a SAST that takes 1.5 hours, this will cause frustration.
Tanya: Some best practices that work well include:
I want the AppSec tools to improve everyone’s daily work, so developers can perform their jobs more securely. That’s a huge win for any AppSec professional.
Tanya: Automated tools:
I literally can't imagine doing AppSec without any automated tools to help me. It would seem like a mountain that I could never climb. I hear security professionals talk about these tools all the time. We want them to continue to mature and improve, just like the rest of our security industry.
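The interview makes two concrete operational points: run DAST against non-production environments rather than production, and do not bolt a multi-hour scan onto a pipeline developers have tuned to finish in minutes. The configuration below is an added illustration of one way to honour both; it is not from the interview, from IANS, or from any particular scanner vendor. It assumes GitHub Actions, a staging URL stored in a repository variable named STAGING_URL, and two hypothetical wrapper scripts (ci/run-sast.sh and ci/run-dast.sh) that stand in for whatever SAST and DAST command lines your tools actually use.

```yaml
# Added example, not part of the original interview.
# File 1: .github/workflows/appsec-pr.yml
# Pull-request gate: a short, time-boxed SAST pass scoped to the files the PR
# touched, so the check finishes inside the developers' existing time budget.
name: appsec-pr
on:
  pull_request:

jobs:
  sast-incremental:
    runs-on: ubuntu-latest
    timeout-minutes: 10          # hard ceiling: a slow scan fails loudly instead of stalling the PR
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0         # full history so the merge-base with the target branch is available
      - name: Scope SAST to files changed in this pull request
        run: |
          git diff --name-only "origin/${{ github.base_ref }}...HEAD" > changed-files.txt
          # Hypothetical wrapper around your SAST CLI; replace with the real invocation.
          ./ci/run-sast.sh --files changed-files.txt

# File 2: .github/workflows/appsec-nightly-dast.yml
# Full DAST runs on a schedule (or on demand), off the PR critical path, and only
# against the staging environment. Production is never a target here.
name: appsec-nightly-dast
on:
  schedule:
    - cron: '0 2 * * *'          # 02:00 UTC daily
  workflow_dispatch:              # allow a manual run after training or tuning

concurrency:
  group: dast-staging
  cancel-in-progress: false      # never let two multi-hour scans pile onto staging

jobs:
  dast-staging:
    runs-on: ubuntu-latest
    timeout-minutes: 420         # roomy enough for a long DAST run, but still bounded
    environment: staging         # environment-level secrets and approvals apply
    steps:
      - uses: actions/checkout@v4
      - name: Run full DAST against staging only
        env:
          TARGET_URL: ${{ vars.STAGING_URL }}
        run: |
          # Refuse to run if the target is not the staging host we expect.
          case "$TARGET_URL" in
            https://staging.*) ;;
            *) echo "Refusing to scan non-staging target: $TARGET_URL" >&2; exit 1 ;;
          esac
          # Hypothetical wrapper around your DAST CLI; replace with the real invocation.
          ./ci/run-dast.sh --target "$TARGET_URL"
```

The two files are shown together for reading only; each belongs in its own workflow file. The point of the split is the one the interview makes: developers keep their fast feedback loop, the security team keeps full-depth coverage, and the guard in the nightly job makes "staging, not production" a checked property rather than a convention.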