Today, we bring you our latest collaboration with the OWASP Orange County chapter, where Daniel Blazquez, our Technical Product Marketing Lead, presented a talk on “The beauty of runtime AppSec done right”.
In this talk, we looked at how AppSec practices tend to waver between static and runtime activities. Static activities such as code scans or code reviews have context and depth, but they lack visibility into the true behavior of the running software. Runtime activities such as penetration testing, dynamic scanners or WAFs, on the other hand, take an external approach and therefore have no direct access to the internals of the application.
Nowadays, the reality is that DevOps teams demand a full picture of their application security posture, which would ideally be achieved by combining the static and dynamic approaches. In this talk, we propose a new approach based on runtime observability that reports not only vulnerabilities and attacks, but also app deployment intelligence, sensitive data visibility, and API discovery.
During the presentation, we analyze the legacy static and dynamic approaches, focusing on why AppSec needs better runtime observability. Among others, we answer pressing questions such as:
- Are production conditions uncovering new vulnerabilities in my code or in my dependencies?
- Are my endpoints leaking sensitive data?
- Is someone trying (and succeeding) to exploit those vulnerabilities?
Watch the full presentation in the video below.
At Hdiv Security, our mission is to help teams that build modern applications automate security through the entire application lifecycle. If you are interested in finding out more and how we can help your organization, let us know!