A lot is changing due to assistive AI and agentic workflows, clearly affecting the state of Cybersecurity and AppSec. Today it is a real effort to find a tool without AI enhancements, even if that is done just to keep it relevant. Would you buy a tool without an AI assistant today?
Dynamic Application Security Testing (DAST) is a method to test a snapshot of your application for security issues. It differs from static code analysis in the sense that it focuses on functionality, or else how your application reacts to different input sent by the tool used to perform DAST. By definition it is an automated processs done by a tool that you point to the direction of your API or web interface. The tool then has payloads that will be used during test and depending on the application responses it can identify potential issues.
Every developer understands the critical role of comprehensive error logging. Having detailed logs is invaluable during an operational incident, enabling you to swiftly identify and address the source of issues. This principle holds true for security as well.
Let's imagine you are in the situation where you have secured budget to buy tools that analyze the security of your code base. Most probably you will look for a Static Application Security Testing (SAST) solution to scan source code and a Software Composition Analysis (SCA) tool, to create your SBOMs and analyze security/licenses of open-source dependencies.
In this series of blog posts I am aiming to share my view on how to start your own security champions program. This is by no means a step by step guide, but rather an attempt to share my own experiences and lessons with the world.