Blog
An Easy Cybersecurity Model for Busy Execs
Do you know what your organization's attack surface is? Attack surface is everything that a bad person (aka “attacker”) can interact with or touch. Your organization’s attack surface consists of PIA:...
Cybersecurity Threat Modeling for Business Leaders
As a business leader, you are likely familiar with SWOT analysis. SWOT is a strategic planning exercise to help identify a business’s Strengths, Weaknesses, and Opportunities, as well as Threats...
5 Ways to Increase Pen Testing ROI
Carve COO Max Sobell presenting on "Shifting Security Left" at Giphy HQ. Many a CTO and VP of Engineering has begrudgingly spent money on penetration tests in order to make their enterprise...
Security is a Long Distance Event
Twenty-five miles and seven hours into my first 50 mile trail running race, I told myself there are only twenty-five miles and seven hours to go. It should be simple - just keep going, right? This...
WASM Security Assessment Techniques
Do we have a problem? The World Wide Web have been struggling with how to create portable, efficient and safe programs (pick two) for decades. The current best of breed attempt is called WebAssembly...
3 Ideas to Improve Application Security Today
Application Security, or AppSec, is a race between your business and bad actors. Whether you realize it or not, people and bots are constantly attacking and probing your Internet-facing and...
Security Champions: How to grow your security team without making a single hire
As we discussed in our previous post: your best appsec engineer is already on your team, you just need to find them. In larger development organizations, however, this one person might not be enough...
Stop wasting money on PCPs (Pretty Crappy Pentests)
A company asked us for help with a troubling issue: anonymous web site users would randomly become authenticated as other users in their financial services application. The client’s engineering team...
The 5 Most Common GraphQL Security Vulnerabilities
Intro - GraphQL GraphQL (GQL) is a popular data query language that makes it easier to get data from a server to a client via an API call. GQL is commonly deployed as a critical piece of the...
Your best appsec engineer candidate is already on your engineering team. You just don’t know it yet.
There are things you can do to improve application security even if you’re unable to recruit and retain an application security engineer.