Why is static code analysis and vulnerability scanning not enough?
simplyblock, July 29, 2024, 00:00:59

Using static code analysis and multiple levels of vulnerability scanning is a great step towards securing your application. Many of today's scanners also support runtime scanning of dynamic environments such as Java or Python. However, none of them catch deeper issues such as a code-injection flaw that is not yet known (no CVE exists for it yet). Against actual zero-day exploits, application behavior analysis using application firewalls is key.

Transcript:
From a user's perspective, what would be like the biggest benefit? I mean, if I don't have any malicious traffic, why would I care?

We still see a lot of applications that go out to production with a number of vulnerabilities in them; that's just a fact. You need to ship features as well. When you look at a given software stack based on open source components that have vulnerabilities in them, those can be used to break into the container and then, in some cases, also break in through the node and things like that. If you look at the behavior of what that's actually doing and you only allow that behavior, then a majority of those vulnerabilities become moot, because they can't do step two or step three of the exploit chain that they have. Being able to contain your application while you still have a lot of velocity in building new features and building and updating your product, having something that can automatically contain it and understand it as it evolves, is one thing that we think is an added benefit.
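The "only allow that behavior" idea from the answer above, as an added example that is not simplyblock's code and not part of the original page: a baseline of a workload's normal process launches, outbound connections and file writes is learned from a known-good run, and at enforcement time any event outside that baseline is reported. The JSON-lines event feed, its field names (`kind`, `target`) and both event samples are constructed for this illustration; the runtime sample shows why a scanner-invisible injection bug still gets caught, since the follow-on steps of the chain (a shell launch, a call-out, a dropped file) are the events that fall outside the baseline.

```python
"""Runtime behaviour allow-listing for a container workload.

Added illustration, not simplyblock's or the speaker's code. It assumes a
JSON-lines event feed (constructed below) with fields `kind` (exec, connect,
write) and `target`. A baseline is learned from a known-good run; at
enforcement time anything outside that baseline is reported, which is how an
exploit's follow-on steps are caught even when the initial bug has no CVE.
"""
import json
from collections import defaultdict

# Constructed sample: one healthy run of a Java web service in a container.
BASELINE_EVENTS = """
{"kind": "exec", "target": "/usr/bin/java"}
{"kind": "connect", "target": "db.internal:5432"}
{"kind": "connect", "target": "cache.internal:6379"}
{"kind": "write", "target": "/var/log/app/app.log"}
{"kind": "write", "target": "/tmp/app-cache"}
""".strip()

# Constructed sample: the same service after a request abused an injection
# flaw. The first events look normal, then the workload drifts from baseline.
RUNTIME_EVENTS = """
{"kind": "exec", "target": "/usr/bin/java"}
{"kind": "connect", "target": "db.internal:5432"}
{"kind": "exec", "target": "/bin/sh"}
{"kind": "connect", "target": "198.51.100.7:4444"}
{"kind": "write", "target": "/usr/local/bin/cron.sh"}
{"kind": "write", "target": "/var/log/app/app.log"}
""".strip()


def parse_events(text):
    """Parse JSON-lines into (kind, target) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        events.append((obj["kind"], obj["target"]))
    return events


def learn_baseline(events):
    """Build the allow-list: the set of observed targets per event kind."""
    baseline = defaultdict(set)
    for kind, target in events:
        baseline[kind].add(target)
    return dict(baseline)


def enforce(baseline, events):
    """Return the events that fall outside the learned baseline.

    Each violation is (kind, target, reason). An event kind the baseline
    never saw is a violation as well, not an implicit allow.
    """
    violations = []
    for kind, target in events:
        allowed = baseline.get(kind)
        if allowed is None:
            violations.append((kind, target, "unseen event kind"))
        elif target not in allowed:
            violations.append((kind, target, f"{kind} target not in baseline"))
    return violations


def verdict(violations):
    """Summarise for an operator: which kinds of drift were observed."""
    return sorted({kind for kind, _, _ in violations})


if __name__ == "__main__":
    base = learn_baseline(parse_events(BASELINE_EVENTS))
    for kind, target, reason in enforce(base, parse_events(RUNTIME_EVENTS)):
        print(f"BLOCK {kind:8} {target:28} ({reason})")
```

The baseline is a plain allow-list keyed by event kind, so a target that is legitimate for one kind (a log path that is written) is not implicitly allowed for another (the same path being executed). In a real deployment the baseline would be re-learned as the product evolves, which is the "understand it as it evolves" part of the answer; here it is a one-shot learn-then-enforce to keep the mechanism visible.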