James Berthoty -- Is DAST Dead? And the future of API security
May 31, 2024
James Berthoty, a cloud security engineer with a rich IT background and founder of Latio Tech, dives into the evolving landscape of application security. He critiques traditional DAST tools, emphasizing their limitations with modern applications and the pressing need for advanced API security solutions. The conversation explores the ongoing challenges of software patching and how AI can streamline these processes. With a focus on actively engaging in open-source sustainability, Berthoty advocates for a proactive approach to security over mere identification of issues.
James Berthoty emphasizes the transition of mid-sized companies towards application security, highlighting the importance of actionable fixes over generic alerts.
The podcast discusses the evolving relevance of DAST in light of API security, stressing the necessity for hands-on engagement with security tools for effective remediation.
Deep dives
James Berthoty's Career Journey and Insights
James Berthoty has over ten years of experience in technology, having moved from IT operations roles into cloud security engineering. His path includes positions at companies such as Spartan Race and ReliaQuest, where he learned to approach application security from an operational perspective. In his experience, only large enterprises traditionally dedicated sufficient resources to application security; smaller companies are now beginning to take it on as their cloud and code practices mature. For mid-size companies facing application security for the first time, he argues, what matters is practical, actionable results rather than generic alerts.
The Status of DAST and API Security
The discussion around Dynamic Application Security Testing (DAST) raises the question of whether it is still relevant, since some argue it has been superseded by newer approaches such as API security. James recounts that his own early experiences with DAST tools exposed their shortcomings, particularly legacy products that generate numerous false positives and lack awareness of how a modern application is built. However, he does not think the approach should be dismissed: modern DAST and API security tooling incorporate methods that are crucial for testing today's applications, especially those built on architectures such as GraphQL. The challenge lies in selecting and properly implementing these tools, which takes more than a plug-and-play deployment to yield valuable results.
Challenges Surrounding Vulnerability Management
The conversation also touches on the complexities of managing Common Vulnerabilities and Exposures (CVEs) and on reachability analysis, noting that these concepts often complicate rather than simplify security practice. James expresses frustration with CVEs, particularly their tendency to produce false positives that obscure which vulnerabilities actually demand attention at a mid-size company. He argues that while reachability analysis can help prioritize, it is no substitute for actually patching: the fundamental problem is that security practitioners often struggle to drive real remediation, so the backlog keeps growing no matter how many security tools are deployed.
The Importance of Innovation in Application Security
Innovation in application security is being driven significantly by emerging vendors and community-driven platforms, which can offer more tailored solutions than traditional tools. James highlights his efforts with Latio Tech to create a resource that helps practitioners easily evaluate and compare security products, addressing a gap he has seen in the industry. He notes the need for security professionals to engage hands-on with their tools and technologies to foster better collaboration with development teams. By improving understanding and communication within security workflows, the application security community can move away from merely finding vulnerabilities to actively fixing them, ultimately leading to better security outcomes.
James Berthoty, a cloud security engineer with a diverse IT background, discusses his journey into application and product security. James highlights his career trajectory from IT operations to cloud security, his experiences with security tools like Snyk and StackHawk, and the evolving landscape of Dynamic Application Security Testing (DAST) and API security. They delve into the practical challenges of CVEs, reachability analysis, and the complexities of patching in mid-sized companies. James shares his views on the often misunderstood role of WAF and the importance of fixing issues over merely identifying them.