In my travels, the usage of threat modeling occurs whenever a security
resource is assigned to an application development project. This peaked
several years ago and now is on the decline as the trend of software
development going offshore makes it more challenging to either get a
security resourc

Should a security professional have a preference when both have
different value propositions? While there is overlap, a static analysis
tool can find things that pen testing tools cannot. Likewise, a pen test
can report on secure applications deployed insecurely, which is not
visible to static analy

This doesn't feel like responsible disclosure and is not the way to
announce weaknesses in software. It is best to deal with scenarios that
have already been addressed.

From: sc-l-boun...@securecoding.org
[mailto:sc-l-boun...@securecoding.org] On Behalf Of Matt P