You can invest in a WAF or pentesting or code scanning, but if the developers continue to make the same (or worse) mistakes, then you're basically trying to patch a water leak with scotch tape: it might work for a bit, but eventually it will break. That's why you gotta do training.
Well, unlike others, I would choose Pen Test, because that will make the vulnerabilities real and lead to short-term fixes and a change in culture, which will lead to developer training. The other way around (dev training first) will seem theoretical and still be deprioritised.
Developer training, but as part of that encourage them to play with free scanners like @zaproxy :) The ZAP HUD is a great way to learn.
*if you have no other money* is key here, as without more money, C and D are utterly pointless. A does add some security (not much, assuming it only has OoTB config) and B might, in time, make things better. So, A if it's a short-term "we must do something", else B.
This was my justification for A too, though I did assume better than OoTB
Check the CIS top 20. ;) Pentest will be the last one.
"Developer training", because that's the one that could result in less of a need for the other 3.
Pen testing (not singular) as it is actionable. Sec really needs to be built into the dev process though.