Appsec tooling: value vs process

If you are using appsec tools in your pipeline, you are probably asking what their benefits are. Typically, Static Application Security Testing (SAST) tools are prone to reporting false positives, which creates a lot of noise. Leadership questions why the tools that were meant to reduce the number of vulnerabilities are reporting more vulnerabilities than ever. Furthermore, your Software Composition Analysis (SCA) tools appear to lack accuracy when they report that all of your code is at risk because you used a single dependency in one part of your application. On the other hand, if you are scanning container images,…