We just raised a $30M Series A: Read our story


User Activity

12 days ago
Replied to Andrew Van Der Stock What are the OWASP Top 10 in 2021?
The history of the OWASP Top 10 through the years: https://www.hahwul.com/cullina...
17 days ago
Feels like a false choice to me. They each are trying to do different things as other posters have suggested. What are the outcomes you are looking for?
3 months ago
Replied to Curtis Yanko What are the OWASP Top 10 in 2021?
@Andrew Van Der Stock thanks, I’ll be sure to look for it.
3 months ago
Replied to Curtis Yanko What are the OWASP Top 10 in 2021?
@Evgeny Belenky You are correct,  But DAST is more about proving SAST findings to remove any doubt. I prefer to use a 'directed' DAST approach to keep it fast and in-band to the pipeline.  By 'Directed' I mean, we have a map of endpoints and associated vulns from our…
3 months ago
I’m not sure the top 10 is changing this year but if it is it will be to squeeze more stuff in ;-).  To effectively detect these in a web app you need a status analyzer with deep data flow analysis. I joined ShiftLeft because I felt they had the best tool to change the way…
4 months ago
I suppose it depends on just how 'bogus' they are. If they are truly 'bogus' then you are likely looking at a trojan. If, however, we are just talking about a 'bad' security tool then you are talking about trying to manage your security with bad or missing information.
8 months ago
I’ve always viewed sonarqube as a code quality tool that compliments many code security tools like a checkmarx. 
8 months ago
It’s a false choice of a question but DAST exist because folks don’t trust their SAST tool. DAST is good about true positives but bad about false negatives. SAST just has a reputation for false positives but a new generation of SAST tools do a much better job.
8 months ago
If you stop at ‘static analysis’ and leave off the Security Testing part. I don’t even view this tool as a security tool, it’s much more about code quality.
9 months ago
Application Security solutions need to work for developers and facilitate their interaction with AppSec including things like training/education. It needs to be fast enough to work on the main CI/CD pipeline and it needs to be trustworthy.

About me

I know a thing or two because I’ve seen a thing or two

Interesting Projects and Accomplishments