Blog

Engineering security, written plainly.

Practical writing on SAST methodology, false positive reduction, code review integration, and application security — for engineers who own the build pipeline, not just the compliance checklist.

SAST

SAST vs DAST: What Engineering Teams Actually Need

SAST runs against source code before a line ships; DAST probes a running application after. Both have a place. The question is what each one actually catches — and which fits the development workflow without requiring a separate security team to read the output.

Rules

Reducing False Positives Without Killing Signal

The most common reason engineering teams disable their SAST tool isn't that it misses findings — it's that the false positive rate makes every finding suspect. Confidence scoring, path-scope filtering, and auditable suppression are the practical levers. Here's how to apply them without losing the signal that matters.

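The three levers named above (a confidence floor, path-scope filtering, and suppressions that must justify themselves) applied to one scan's output, as an added example that is not the product's own triage logic. The findings, the policy, the suppressions file and the rule names are all constructed for the example; the point is the ordering of the checks and the audit trail that records why each finding was dropped or kept.

```python
import fnmatch
from datetime import date

# Constructed scanner output for one pull request (not real tool output).
FINDINGS = [
    {"id": "f1", "rule": "sqli-string-concat", "path": "app/db.py", "confidence": 0.92},
    {"id": "f2", "rule": "sqli-string-concat", "path": "tests/test_db.py", "confidence": 0.95},
    {"id": "f3", "rule": "hardcoded-secret", "path": "app/config.py", "confidence": 0.35},
    {"id": "f4", "rule": "path-traversal", "path": "app/files.py", "confidence": 0.81},
    {"id": "f5", "rule": "weak-hash", "path": "app/legacy.py", "confidence": 0.70},
    {"id": "f6", "rule": "weak-hash", "path": "app/ids.py", "confidence": 0.70},
]

# Constructed policy: per-rule confidence floors and paths that never surface findings.
# fnmatch's "*" crosses "/", so "tests/*" also excludes tests/unit/test_x.py.
POLICY = {
    "min_confidence": {"default": 0.6, "hardcoded-secret": 0.5},
    "exclude_paths": ["tests/*", "vendor/*"],
}

# Constructed suppressions file. An entry silences a finding only if it names a reason
# and an owner and has not expired; anything else is rejected and the finding stays.
SUPPRESSIONS = [
    {"rule": "weak-hash", "path": "app/ids.py", "reason": "cache key, not a security hash",
     "owner": "platform-team", "expires": "2030-01-01"},
    {"rule": "weak-hash", "path": "app/legacy.py", "reason": "", "owner": "", "expires": "2030-01-01"},
    {"rule": "path-traversal", "path": "app/files.py", "reason": "fixed upstream",
     "owner": "alice", "expires": "2020-01-01"},
]


def check_suppression(entry, today):
    """Return (accepted, detail). Unjustified or expired entries never silence anything."""
    if not entry.get("reason") or not entry.get("owner"):
        return False, "missing reason/owner"
    if date.fromisoformat(entry["expires"]) < today:
        return False, "expired"
    return True, f"{entry['owner']}: {entry['reason']}"


def triage(findings, policy, suppressions, today_iso):
    """Apply path scope, then the confidence floor, then suppressions.
    Returns the findings to surface plus an audit trail of every drop."""
    today = date.fromisoformat(today_iso)
    kept, audit = [], []
    for f in findings:
        if any(fnmatch.fnmatch(f["path"], g) for g in policy["exclude_paths"]):
            audit.append((f["id"], "dropped", "out-of-scope path"))
            continue
        floor = policy["min_confidence"].get(f["rule"], policy["min_confidence"]["default"])
        if f["confidence"] < floor:
            audit.append((f["id"], "dropped", f"confidence {f['confidence']} below {floor}"))
            continue
        silenced = False
        for s in suppressions:
            if s["rule"] != f["rule"] or s["path"] != f["path"]:
                continue
            ok, detail = check_suppression(s, today)
            audit.append((f["id"], "suppressed" if ok else "suppression rejected", detail))
            if ok:
                silenced = True
                break
        if not silenced:
            kept.append(f)
    return kept, audit


if __name__ == "__main__":
    surfaced, trail = triage(FINDINGS, POLICY, SUPPRESSIONS, "2025-06-01")
    print("surface:", [f["id"] for f in surfaced])
    for entry in trail:
        print(*entry)
```

Run against the constructed input on 2025-06-01, f2 is dropped as a test path, f3 falls below the rule's floor, f6 is silenced by a valid suppression, and f4 and f5 are kept because their suppressions are expired and unjustified respectively. The rejected suppressions are written to the audit trail rather than silently ignored, which is what makes the suppression file reviewable later.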
Code Review

Three Code Review Automation Pitfalls (and How to Avoid Them)

Static analysis in the review loop should reduce the cognitive load on reviewers, not add to it. When automation triggers alert fatigue, surfaces findings without triage context, or posts comments engineers have learned to ignore, you've hit one of three common implementation mistakes — all fixable.

Custom Rules

Writing Custom SAST Rules in YAML: A Practical Guide

Built-in rules cover SQL injection, XSS, hardcoded credentials, and the rest of the OWASP Top 10. Custom rules cover what no built-in rule can: your internal auth patterns, your ORM layer, domain-specific injection vectors unique to your stack. This is the YAML pattern syntax — pattern-either, taint tracking, path scoping — you need to write them correctly.

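The rule semantics named above, pattern-either over several sinks, taint tracking from sources through sanitizers to sinks, and path scoping, shown as an added example that is not the product's engine or any vendor's YAML format: a small intra-procedural taint tracker over Python's `ast` module. The rule is held as a dict in the shape a YAML rule would load to; the source, sanitizer and sink names, the sample files and the `tests/*` exclusion are all constructed for the example.

```python
import ast
import fnmatch

# Constructed rule, in the shape a YAML custom rule would load to. `sinks` behaves as a
# pattern-either: any listed call fires. `arg` is the index of the argument that must stay
# clean (the query string), so bound parameters passed in later arguments do not count.
RULE = {
    "id": "sqli-tainted-execute",
    "sources": ["request.args.get", "request.form.get"],
    "sanitizers": ["int", "db.escape"],
    "sinks": [{"call": "cursor.execute", "arg": 0}, {"call": "db.raw_query", "arg": 0}],
    "paths": {"exclude": ["tests/*", "migrations/*"]},
}

# Constructed sample files. Line numbers in the findings count from the first line of each string.
FILES = {
    "app/views.py": '''
from flask import request
import db

def user_lookup(cursor):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = " + uid)

def search(cursor):
    term = request.form.get("q")
    term = db.escape(term)
    cursor.execute(f"SELECT * FROM t WHERE name = '{term}'")

def audit():
    who = request.args.get("who")
    label = "user:" + who.strip()
    if label:
        db.raw_query("INSERT INTO log VALUES ('%s')" % label)
''',
    "tests/test_views.py": '''
def test_lookup(cursor):
    cursor.execute("SELECT 1 WHERE x = " + request.args.get("id"))
''',
}


def dotted(node):
    """Render `a.b.c(...)`, `a.b` or `a` as a dotted string; anything else is None."""
    if isinstance(node, ast.Call):
        return dotted(node.func)
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(node, tainted, rule):
    """Does this expression derive from a source without passing through a sanitizer?
    Positional arguments and method receivers propagate taint; keyword arguments do not."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = dotted(node)
        if name in rule["sources"]:
            return True
        if name in rule["sanitizers"]:
            return False
        return any(is_tainted(a, tainted, rule) for a in node.args) or is_tainted(node.func, tainted, rule)
    if isinstance(node, ast.BinOp):
        return is_tainted(node.left, tainted, rule) or is_tainted(node.right, tainted, rule)
    if isinstance(node, ast.JoinedStr):
        return any(is_tainted(v, tainted, rule) for v in node.values)
    if isinstance(node, (ast.FormattedValue, ast.Attribute, ast.Subscript)):
        return is_tainted(node.value, tainted, rule)
    return False


def statements(body):
    """Statements in source order, descending into if/for/while/with/try bodies but
    not into nested function or class definitions (those are scanned on their own)."""
    for stmt in body:
        yield stmt
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for field in ("body", "orelse", "finalbody"):
            inner = getattr(stmt, field, None)
            if isinstance(inner, list):
                yield from statements(inner)


def own_calls(stmt):
    """Call nodes that belong to this statement itself, not to statements nested under it."""
    stack = [stmt]
    while stack:
        node = stack.pop()
        if isinstance(node, ast.Call):
            yield node
        for field, value in ast.iter_fields(node):
            if field in ("body", "orelse", "finalbody", "handlers"):
                continue
            if isinstance(value, ast.AST):
                stack.append(value)
            elif isinstance(value, list):
                stack.extend(v for v in value if isinstance(v, ast.AST))


def scan_function(func, rule):
    """Flow-sensitive within one function: reassigning a name from a clean value untaints it."""
    tainted, findings = set(), []
    for stmt in statements(func.body):
        if isinstance(stmt, ast.Assign):
            names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            tainted = tainted | names if is_tainted(stmt.value, tainted, rule) else tainted - names
        for call in own_calls(stmt):
            for sink in rule["sinks"]:
                if (dotted(call) == sink["call"] and len(call.args) > sink["arg"]
                        and is_tainted(call.args[sink["arg"]], tainted, rule)):
                    findings.append((func.name, call.lineno))
    return findings


def scan(rule, files):
    """files maps path -> source text. Excluded paths are skipped before parsing (path scoping)."""
    results = []
    for path, src in files.items():
        if any(fnmatch.fnmatch(path, g) for g in rule["paths"]["exclude"]):
            continue
        for node in ast.walk(ast.parse(src)):
            if isinstance(node, ast.FunctionDef):
                results += [(path, name, line) for name, line in scan_function(node, rule)]
    return sorted(results)


if __name__ == "__main__":
    for path, func, line in scan(RULE, FILES):
        print(f"{path}:{line} {RULE['id']} in {func}()")
```

On the constructed input the rule fires twice: `user_lookup` concatenates the request value straight into the query, and `audit` reaches `db.raw_query` through a method call on the tainted value and a nested `if`. `search` is clean because the second assignment to `term` comes from a sanitizer, and the test file never gets parsed. What the toy deliberately does not do is worth knowing when you read a real rule: it does not follow taint across function boundaries, through keyword arguments, or through `request.args["id"]` subscripts, and a production engine's taint mode has to handle all three.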
AppSec

AppSec Metrics That Engineering Teams Actually Track

Finding counts and open vulnerability totals make good dashboards and poor indicators of actual security improvement. The metrics that correlate with risk reduction are harder to compute but far more useful at planning time: time from introduction to detection (MTTD measured from the commit that introduced the flaw, not from the scan that first saw it), suppression-to-fix ratio per rule, and rule precision per language.

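The three metrics named above computed from a triage export, as an added example that is not the product's own reporting code. The records are constructed for the example: each row is one finding joined with the date of the commit that introduced it (what `git blame` on the flagged line would give you), the date it was first reported, the reviewer's verdict and how it was resolved.

```python
from datetime import date
from statistics import median

# Constructed triage export (not real data): rule, language, introducing-commit date,
# detection date, reviewer verdict (tp/fp) and resolution (fixed/suppressed/open).
RECORDS = [
    {"rule": "sqli-string-concat", "lang": "python", "introduced": "2025-03-01", "detected": "2025-03-02", "verdict": "tp", "resolution": "fixed"},
    {"rule": "sqli-string-concat", "lang": "python", "introduced": "2025-01-10", "detected": "2025-03-05", "verdict": "tp", "resolution": "fixed"},
    {"rule": "sqli-string-concat", "lang": "java",   "introduced": "2025-03-03", "detected": "2025-03-03", "verdict": "fp", "resolution": "suppressed"},
    {"rule": "weak-hash",          "lang": "python", "introduced": "2025-02-20", "detected": "2025-03-04", "verdict": "fp", "resolution": "suppressed"},
    {"rule": "weak-hash",          "lang": "python", "introduced": "2025-03-04", "detected": "2025-03-06", "verdict": "fp", "resolution": "suppressed"},
    {"rule": "weak-hash",          "lang": "go",     "introduced": "2025-03-05", "detected": "2025-03-07", "verdict": "tp", "resolution": "fixed"},
    {"rule": "path-traversal",     "lang": "go",     "introduced": "2024-12-01", "detected": "2025-03-08", "verdict": "tp", "resolution": "open"},
]


def days_between(a, b):
    return (date.fromisoformat(b) - date.fromisoformat(a)).days


def mttd(records):
    """Days from the introducing commit to detection, over confirmed findings only.
    Returns (median, worst): the median resists one long-lived finding dragging the
    figure, and the worst case is the number you escalate on."""
    lags = [days_between(r["introduced"], r["detected"]) for r in records if r["verdict"] == "tp"]
    return median(lags), max(lags)


def suppression_to_fix(records):
    """Per rule: suppressions divided by fixes. Above 1.0 the team is waving the rule
    through rather than acting on it. None means the rule has produced neither yet."""
    counts = {}
    for r in records:
        c = counts.setdefault(r["rule"], {"suppressed": 0, "fixed": 0})
        if r["resolution"] in c:
            c[r["resolution"]] += 1
    out = {}
    for rule, c in counts.items():
        if c["fixed"]:
            out[rule] = round(c["suppressed"] / c["fixed"], 2)
        else:
            out[rule] = float("inf") if c["suppressed"] else None
    return out


def precision_by_language(records):
    """True positives over all triaged findings, keyed by (rule, language)."""
    tally = {}
    for r in records:
        key = (r["rule"], r["lang"])
        tp, total = tally.get(key, (0, 0))
        tally[key] = (tp + (r["verdict"] == "tp"), total + 1)
    return {k: tp / total for k, (tp, total) in tally.items()}


def noisy_rules(records, min_findings=2, max_precision=0.5):
    """(rule, language) pairs with enough volume to judge and precision at or below the
    bar: the candidates for tuning or path-scoping before anyone asks to disable the tool."""
    totals = {}
    for r in records:
        key = (r["rule"], r["lang"])
        totals[key] = totals.get(key, 0) + 1
    prec = precision_by_language(records)
    return sorted(k for k, n in totals.items() if n >= min_findings and prec[k] <= max_precision)


if __name__ == "__main__":
    med, worst = mttd(RECORDS)
    print(f"MTTD median {med} days, worst {worst} days")
    print("suppression-to-fix:", suppression_to_fix(RECORDS))
    print("precision:", precision_by_language(RECORDS))
    print("noisy:", noisy_rules(RECORDS))
```

On the constructed records the median introduction-to-detection lag is 28 days while the worst case is 97, which is the kind of gap a mean would hide. The weak-hash rule is suppressed twice for every fix and has zero precision on Python, which points at tuning that one rule for that one language rather than at the tool as a whole; the same rule is a true positive on Go.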
OWASP

OWASP Top 10 Coverage in SAST: What the Numbers Miss

"Full OWASP Top 10 coverage" is a claim that doesn't survive contact with a real codebase. A03 Injection alone spans SQL injection, command injection and XSS, each requiring its own dataflow analysis, and SSRF is a separate category (A10) with different sources and sinks again. Here's how to test coverage claims against your own code, not vendor-curated benchmark suites.

Security Culture

Shift-Left Security in 2025: Beyond the Buzzword

Shift-left security gets cited as the solution to late-stage vulnerability discovery. What it requires in practice is that the PR review workflow functions as a real security checkpoint — not a checkbox before merge. Here's what that actually takes: tooling integration, reviewer expectations, and suppression policies that don't let noise erode discipline.

Supply Chain

Supply Chain Risk Starts in Code Review

Dependency confusion and typosquatting capture headlines. The quieter supply chain risk is the unsafe deserialization pattern, the hardcoded credential, or the path traversal introduced in your own pull requests — written by your own engineers. Static analysis catches those at review time, before they reach the default branch.
