Jeff Williams

Check out my latest article: How to Vulnerability linkedin.com/pulse/how-vuln… via @LinkedIn

#OWASP @LASCONATX Conference is starting with @planetlevel 's keynote about the flawed mindset holding security back: #LASCON

Had a great time chatting with @planetlevel on Coffee & OSS today about all kinds of #tech topics. Video is live on YouTube and podcast is available wherever you find them. Take a look/listen and thanks! coffeeandopensource.com/guest/jeff-wil…

Join us on August 14 to learn why existing approaches to application security fall short, and how #DevOps principles can improve #AppSec practices. Register here: bit.ly/4fVNahF

@dbleich Into the Kandinskyverse

Channelling Kandinsky... #milesmorales #SpiderMan #IntoTheSpiderVerse #colorkey #color #design #visualdevelopment #animation ©SonyPicturesAnimation

Austin #owasp chapter meeting coming up 3/26 at lunchtime. Both in-person with free lunch and virtual. Great speaker - @planetlevel ! Register here: owasp.org/www-chapter-au…

Break free from the tunnel vision of traditional AppSec tools like #SAST and #DAST. They lack context, leading to a skewed view of your application security. Our Co-Founder and CTO @planetlevel breaks down the modern-day solution on @AppSecPodcast: youtube.com/watch?v=SLoShV…

In the 2023 Security Survey, @forrester reports that breach numbers continue to rise. Watch the webinar recap with @planetlevel and #Forrester analyst, Janet and learn how to secure your #apps in 2024 with a context-focused solution, Runtime Security: contrastsecurity.com/contrast-forre…

Congratulations to @cribl_io, @contrastsec, and @druvainc for being recognized in the @Gartner_inc Peer Insights Customers' Choice 2023👏 ✨Cribl - Voice of the Customer for Event Stream Processing cribl.io/news/cribl-amo… ✨Contrast Security - Voice of the Customer for AppSec Testing contrastsecurity.com/gartner-voice-… ✨Druva - Only Customers’ Choice for Disaster Recovery as a Service druva.com/blog/druva-2x-… #gartner #gartnerpeerinsights

@IAMZee67 @contrastsec I’ll just leave this here… macchaffee.com/blog/2023/wafs/

@contrastsec @planetlevel I would add WAF as the first line defense before bad payload gets to the application. Once the payload gets to the Server then yes RunTime can do its thing.

Learn how our financial technology customer improved their application security by implementing #RuntimeProtection, which detects and blocks attacks in real-time. Watch our co-founder and CTO @planetlevel's conversation with Derek Fisher to see how they did it. #AppSec

Ditch #AppSec's broken math and discover the modern-day approach to analyze real-time data and detect vulnerabilities: contrastsecurity.com/security-influ…

We are excited to announce that our Secure Code Platform has been recognized by our customers in the 2023 #Gartner Peer Insights' Voice of the Customer for Application Security Testing! See why we received a 4.7/5 rating & a 94% willingness to recommend: contrastsecurity.com/gartner-voice-…

This should be a good discussion building on Janet’s extensive analysis of the appsec industry

@ddccffvv Agree! For most things, B is the most cost-effective approach. There are a few things that are pretty accurate early and can be found with SAST/SCA. But for most vulnerabilities, waiting a few minutes for IAST testing and full context from a fully assembled, running app is best.

However, if you tell me I can only pick one scenario, I'm going with B (shift left be damned!). I'm fixing actual issues late, instead of hoping I've fixed everything early. Not even hesitating.

Who is a sucker for devsec / appsec resources? 🙋‍♂️

@ddccffvv Over 62% of open source libraries are completely inactive - never even load into memory. Of code that does run, over 2/3 is custom code… just 1/3 is libraries. And when a library has a vulnerability, exploitation is *possible* only 10% of the time.

citation for the exploitability of CVE's number. Can't find the statistic for usage of vulnerable code in libraries, but it's something @planetlevel talked about.

@ddccffvv In modern pipelines, A and B are only minutes apart. So it's not worth it to shift that far left and lose ALL the context of the running app/API. Wait a few minutes, and get a much smaller list.

@planetlevel Scenario B is then an opportunity to get to the root cause. The best goal here might not be a "quick time to fix", but answering the question: "why did we not catch this issue earlier?"

@ddccffvv I don't see why Scenario B items are "bigger" -- they're the same issues as in Scenario A, but true positives. You *could* fix a root cause, and eliminate a whole bunch of them at a time, but that's different.

@stevespringett Except that even heavyweight SAST isn’t accurate enough. Lightweight SAST is kind of a joke. If it’s fast, it’s trash :-) And if it’s slow you can’t integrate into workflows. Especially if you include triage. Try IAST if you want fast and accurate during workflows.

You can't have DevSecOps without DevOps. On the @FedGovToday podcast, @LMaccherone explains how, flow, feedback, and a culture of experimentation and learning are essential to #DevSecOps. Listen now: soundcloud.com/fed-gov-today/…

Experts say scan-and-fix will remain for some time. But #appsec tools are evolving to provide prioritization and automation. Here's what you need to know, ft. insights from @edgeroute, @travismcpeak, @planetlevel, @izar_t, and more. hubs.ly/Q025m0Z70

WAFs leave back-end systems vulnerable to attacks. Read @TAKellermann's thoughts on why Contrast Protect RASP is the #API solution to block back-end attacks and reduce false positives, helping your dev teams prioritize vulnerabilities: contrastsecurity.com/security-influ…