David Lindner, Director, Application Security

AppSec Observer

Insight #1 " Removing the entire security team as a cost savings measure will not end up saving you money in the short or long term. Security is a business unit that saves an organization money."   Insight #2 " Whistleblowers have a very important role in our current world, ... Read More

Insight #1 " What is holding you back from evaluating a better way to do application security at your organization? I talk to many who are just flat-out unhappy with their current tools, but they continue to pay for the services every year because of the expense of changing. If ... Read More

Insight #1 " Another breach of a developer environment this week leads us to yet another realization that the Solarwinds-like threat vector is here to stay. If you haven’t started strengthening your dev environments/pipelines, there is no better time than now to start."   Insight #2 " There was a ... Read More

Insight #1 " If you are struggling with the adoption of MFA across your organization, it’s time to focus all your efforts in rolling out a solution that provides the best experience for your users. Enabling MFA is paramount to protecting your organization. Figure out the psychological acceptability of your ... Read More

Insight #1 " The National Defense Authorization Act for Fiscal Year 2023 was recently passed by the US House. This bill has a provision requiring any software purchased by the Department of Defense to be free of all known CVEs. The age of SBOM is here, and even if you ... Read More

Insight #1 "Penetration testing and vulnerability scanning are two different things. Penetration testing will give you information about exploiting vulnerabilities whereas a vulnerability scan will just provide you with potential avenues for exploitation. These two should be used in tandem as one of the many tools in your security toolbox ... Read More

Insight #1 " Are you paying if you get hit with ransomware? I provided my thoughts here. The reality shows that most companies hit with ransomware who pay the ransom, get hit a subsequent time. Are you paying?"   Insight #2 "If you are a SaaS provider, one of the ... Read More

Insight #1 "According to recent research, hackers are now scanning for vulnerabilities within 15 minutes of disclosure. That leaves zero time to upgrade/patch/block/unplug. At this point, any products/techniques to stop zero days should be where you are investing (e.g. RASP, anomaly detection, etc)."   Insight #2 " Recently, I was ... Read More

Insight #1 "Log4j was classified as an “endemic” by the Cyber Safety Review Board this week. It’s really great to see this, as our own data shows that half of the Java applications using Log4j still have not upgraded to the latest version. Time to re-evaluate your patching strategies."   ... Read More

Insight #1 " I see a lot of blame being placed on users (or the intern) when it comes to breaches and security issues. As an industry, we need to move on from this old way of thinking and start utilizing new strategies and technologies to protect users when they ... Read More