Thanks - I think the article captures the challenges of modern appsec pretty well. But I'm afraid I'm not aligned with Nir on the solution. You've written about the "SaaSification of Code" in an earlier Cyber Why. Unfortunately, you can't do very much security analysis of the individual pieces of a complex distributed app. For example, an injection path might go through a web front end, a bunch of serverless functions and APIs, and eventually reach a sink. Moving static analysis (and SCA to a lesser extent) to the left loses context and results in far worse results (both FP and FN).

What we need to address the challenges Nir pointed out is better *context* -- and it doesn't really exist until the entire thing is built and running. To me, the "shift smart" strategy is to do security activities when they are fast, accurate, scalable, actionable, and cost-effective. And for most rules in modern apps, that means a runtime analysis of some sort. If you'd like, I'm happy to do a guest post explaining why the "shift left" strategy has failed and many companies are now "left" with huge backlogs of false positives and very little assurance that they've addressed the important issues.
