User Activity

4 days ago
Multiple aspects need to be looked at. I'm listing a few critical ones: 1. Hidden passwords and secrets within the application. 2. Check IaC, Docker, K8s scripts - do they have the right configuration? Wrt Kubernetes, "Hardening Guidance" was released by NSA and CISA…
17 days ago
We have used SonarQube quite a lot and this is great to check code quality, security hotspots much earlier in the SDLC and fix those. The community edition is free to use, can be used on-premises and is integrated seamlessly with Jenkins and others. The Enterprise and…
3 months ago
OWASP ZAP is open source, free to use and one of the most active open source projects in the DAST space. There are weekly updates being done to this project. Lots of add-ons are available which make this an excellent product. The newly created automation framework (AF) is the…
3 months ago
@Evgeny Belenky Yes. We have used it for TypeScript, Java, .NET, SQL. Coverage depends on the rules available for each language. It is possible to import more rules if required. My experience has been great till now.
3 months ago
We have been using SonarQube and SonarLint (IDE) for quite some time on multiple projects and it is one of the best if not the best. It can handle multiple tech stacks, gives a good view of the static code in terms of vulnerabilities, hotspots, code smells, bugs, etc.…
4 months ago
I believe we need to cover the SDLC from start to end as much as possible while ensuring that this does not mean too many dashboards and also keeping the cost of development in mind. 1. IDE Checks: This is the first step in the shift-left approach. Many open source tools…
4 months ago
SonarQube is a great product for static code analysis. But the setup of the same takes a lot of time and is tricky depending on the language in scope. For example, for .NET it needs different dependencies to be installed compared to Java. I would expect that SonarQube at the…

About me

Passionate about using technology to bring value to business.