You no doubt know the phrase, "if you don't have anything nice to say, don't say anything at all." A better take on this idea might be: "if you don't have anything helpful to say, don't say anything at all." In other words, pointing out problems is not necessarily a bad thing. But simply pointing out problems without offering guidance on solving them adds little value. You could apply this wisdom to many domains of life. But let's consider it within the context of software security scanning. After all, if you're reading this blog, chances are you're interested in development or security. The point I'd like to make is this: security scanning tools that simply find problems, but do little or nothing to help you solve them, don't really enhance software security in a meaningful way. For security scanning to be worth the time and effort, you need tools that not only point out the problems within your code, but also provide meaningful guidance on resolving them.
Not All AppSec Scanning Is Created Equal