Multi-factor authentication (MFA) is the process of proving your identity. This article first details the available “factors” and introduces typical attack strategies, then explains how to implement a thorough MFA strategy in web applications. The Three Primary Authentication Factors MFA Factor 1: Something You Know The most common authentication method in the digital […]

Jacob Garrison 26 Sep, 2023

When Bionic was founded in 2019, our mission was to help enterprises get control of their application chaos. At the time, this was seen as unorthodox because other vendors focused on securing infrastructure, not apps. Most companies we spoke to claimed to have CNAPP but had no idea what was happening inside their code. We […]

Idan Ninyo 19 Sep, 2023

Today, we’re pleased to announce that we’re being acquired by cybersecurity leader CrowdStrike to amplify and extend their cloud security capabilities to the application layer. Together, CrowdStrike and Bionic will help customers manage security and business risk that comes with two of the greatest challenges in technology: ephemeral, cloud-native services and highly dynamic, rapidly changing […]

Jamie Gale 19 Sep, 2023

Michael Tayo is an Assistant Vice President and Principal Information Security Engineer at U.S. Bank where he is responsible for providing visionary guidance for the enhancement of cloud and application security product offerings. With over 10 years of experience as an Information Security Professional, Michael specializes in designing and deploying cutting-edge security solutions to enhance […]

Jacob Garrison 13 Sep, 2023

In this article, we’ll describe how a global leader in customer engagement and employee management let Bionic show them how fast they can achieve total visibility into one of their most complex applications.  The company has thousands of employees around the world who support dozens of products. As a publicly traded company, it is critical […]

Amanda Gass 08 Sep, 2023

What is an Injection Attack?   Injection attacks are malicious code inside an input that causes unintended software behavior. Log4Shell, the most lethal zero-day vulnerability of 2022, is an injection attack. One easy way to visualize this idea is to imagine a normal input as <input>, and an injection attack as an <in<attack>put>. It’s simply […]

Jacob Garrison 29 Aug, 2023

Amanda Alvarez is a DevSecOps Architect consultant at Trace3 with a passion for helping people learn more about software security.  She is a highly-motivated practitioner who enjoys creating developer-oriented solutions with an emphasis on increasing effective feedback loops to help companies balance agility with security.  Her mission is to spread awareness on scalable and sustainable […]

Jacob Garrison 28 Aug, 2023

What Is Risk? Let’s be frank. Risk represents the possibility of loss. In business terms, loss is in the form of cash, customers, partners, revenue, IP, corporate data, and brand loyalty. Global Risk & Compliance (GRC) teams calculate, manage, and mitigate the possibility of loss across the business (and IT). So, what’s the role of […]

Stephen Burton 18 Aug, 2023

Here at Bionic, we continue to push the boundaries of what’s possible to help our customers secure their cloud-native applications. Today, we’re announcing a direct integration with ServiceNow, Bionic Events, and a reimagined dashboard. These updates supercharge the state of application security posture management and help you achieve unprecedented visibility into and continuous control over […]

Jamie Gale 09 Aug, 2023

Every security startup needs a superhero. Snyk created the Dobermann. At Bionic, we created a badass bulldog. Here’s the story… He was just an ordinary bulldog from a small town in England, owned by a bad actor. Then one day, his owner left the back door open, and Billy escaped! Billy was vulnerable and became […]

Stephen Burton 09 Aug, 2023

  Jeevan Singh is the Director of Product Security at Twilio, where he is embedding security into all aspects of the software development process. He enjoys building security culture within organizations and educating staff on security best practices. He’s responsible for architecting security programs, driving security strategy, and mentoring and growing security engineers and managers. Before […]

Jacob Garrison 02 Aug, 2023

Attackers live in production because that’s where valuable data resides. Organizations spend $3 million annually combating bad actors with their Security Operations Centers (SOCs), according to Ponemon. That same study found reducing false positives to be the single most important activity for security teams.  In this article, I’ll explain how application security teams prioritize risks […]

Jacob Garrison 26 Jul, 2023

Data breaches cost about $4,000,000, on average. It’s clear why dedicated teams focus on resolving application vulnerabilities and ensuring their software is secure. This article explains vulnerability management and compares the popular methods for handling vulnerability sprawl. What is a Software Vulnerability? All categories of computer security issues, software and hardware, are Common Weakness Enumerations […]

Jacob Garrison 20 Jul, 2023

Jeremiah Salamon is the Information Security Director at one of the nation’s premier law firms. He has over a decade of experience in Security Operations, Security Architecture and Engineering, and Governance, Risk & Compliance working in small businesses and large enterprise environments with regulated data. Regardless of the size or complexities of the organization, Jeremiah […]

Jacob Garrison 19 Jul, 2023

Single-Page Applications (SPAs) took the software world by storm. After all, could anything be more important than a seamless user experience? Well, if you ask me, secure data is equally as important. And SPAs are far more challenging to secure than traditional multi-page web applications. In this article, you’ll learn about security concerns in SPAs. […]

Jacob Garrison 13 Jul, 2023

Broken authentication is a term for vulnerabilities in the authentication of systems that allows unauthorized access to user accounts and sensitive information. It occurs when the authentication process is flawed or improperly implemented, making it susceptible to exploitation by attackers. Broken authentication can occur for various reasons, including weak passwords, insecure password storage, session management […]

Bionic Team 07 Jul, 2023

Sean Wright is a veteran application security engineer with software development roots. Within security, he has a particular interest in TLS encryption and supply chain attacks. He believes security teams must be business enablers with a focus on efficiency. I had the pleasure of hosting Sean on this week’s episode of Champions of Security. Here’s […]

Jacob Garrison 05 Jul, 2023

API security isn’t a checkbox. Security teams must create a multi-faceted API security approach that scales with the velocity of development teams. With API attacks up 400% this year, it’s no wonder that building a comprehensive API security program is a top priority for modern enterprises. In this article, we’ll detail the necessary components of […]

Jamie Gale 30 Jun, 2023

As the industry’s first ASPM solution, we are fully committed to helping security and engineering teams manage risk effectively and efficiently. Today, we are announcing Bionic Signals and Business Risk Scoring. These capabilities help engineers correlate and contextualize security signals so they can rapidly prioritize and resolve business risk. Bionic Signals   Bionic ingests data […]

Jamie Gale 27 Jun, 2023

Shanief Webb is well-versed in the disciplines of computer science, cybersecurity, and digital forensics. He has over 8 years of diverse cybersecurity experience working for the FBI, Google, Cox Communications, IBM, Slack, Dropbox, and now Okta. I had the pleasure of hosting Shanief on this week’s episode of Champions of Security. Here’s the full episode […]

Jacob Garrison 21 Jun, 2023

Chris Romeo, CEO and Co-founder of Kerr Ventures, and Dustin Lehr, Head of Platform Security at Fivetran, joined me for a live LinkedIn session. If you missed out, here’s the recording and my three key takeaways. Key Takeaways #1: A Passionate Security Champion Leader is Vital A sustainable security champions program requires a skilled, motivated […]

Jacob Garrison 16 Jun, 2023

Walter Haydock is the Founder and Chief Executive Officer of StackAware, a cybersecurity risk management and communication platform. He is also the author of the blog Deploying Securely. Previously, he was a Director of Product Management at Privacera, a data governance startup backed by Accel and Insight Partners – as well as PTC – where […]

Jacob Garrison 12 Jun, 2023

Micah Jackson is a Senior Red Team Engineer who was an application security lead when we filmed this episode. He’s a hacker who enjoys breaking things and building them back stronger. As a security enthusiast, he enjoys diving into every facet of security, from firewalls to malware reverse engineering. Key Takeaway 1: Find a Cybersecurity […]

Jacob Garrison 31 May, 2023

End-to-end application security programs are no longer optional but imperative. With security vulnerabilities skyrocketing and the growing sophistication of cyberattacks, organizations face the daunting challenge of figuring out which vulnerabilities pose the most risk to their business.  To address this pressing need, the Application Security Orchestration and Correlation (ASOC) concept has emerged as an approach […]

Bionic Team 25 May, 2023

Tom Kanan is a nine-year veteran of business-to-business security sales. He’s an active member of OWASP and the Cloud Security Alliance who believes in deeply understanding his customer’s business needs. This episode focuses on improving the dynamics between security and sales teams, both internally and externally. Key Takeaway 1: Salespeople See Confidential Data Proprietary information […]

Jacob Garrison 24 May, 2023

I had the pleasure of chatting with Rajendra (Raj) Umadas, who is working as the Head of Information Security at Actblue. He’s been involved in security programs for some truly cutting-edge organizations, like Etsy, Spotify, WeWork, and Compass. Raj is not just a security expert, but also a true leader. Our conversation weaves together his […]

Jacob Garrison 17 May, 2023

Gartner recently released its first-ever Innovation Insight for Application Security Posture Management (ASPM).  What is ASPM? If you’re new to the topic, Gartner provides the following definition.  Application security posture management analyzes security signals across software development, deployment and operation to improve visibility, better manage vulnerabilities and enforce controls. Security leaders can use ASPM to […]

Jamie Gale 15 May, 2023

Soufiane Alami is now a Principal DevOps Cybersecurity Engineer for Fidelity Investments. When we filmed episode 5 of Champions of Security, he worked as a cloud and application security engineer for Ford Motors.  Buckle up, because you’re in for a wild ride. 3 Key Takeaways Much of what Soufiane and I talk about in this […]

Jacob Garrison 10 May, 2023

Applications and services rely on APIs to communicate with other applications and services. To facilitate these communications, API usage has grown rapidly over the past few years. In 2021, the global API management market was $2.8B, and it is expected to reach $41.5B by 2030. API growth also means attack surface expansion. APIs can be […]

Bionic Team 10 May, 2023

I caught up recently with Justus Post, Principal Cyber Security Architect at Bose. Justus is a prime example of why developers make great security pros. After all, if you understand how something is built, you’ll be able to secure it.  Justus developed an interest in technology (and more importantly, an interest in breaking technology) as […]

Jacob Garrison 08 May, 2023

Veteran penetration tester David Ethington joined me on the third episode of Champions of Security. David’s vast experience in offensive and defensive cybersecurity in the Army, as a consultant, and now as an information security architect for Paramount gives him a broad view of the cybersecurity industry. We had an excellent conversation about cybersecurity education, […]

Jacob Garrison 02 May, 2023

I had the pleasure of hosting Vimalathithan Rajasekaran on episode 2 of my podcast, Champions of Security.  Vimal has a truly fascinating professional background. He spent several years in engineering and developer roles at Visa, Safeway/Albertsons/Kroger, and United Airlines. Once he started developing cloud and serverless functions in AWS, he began to see how critical […]

Jacob Garrison 21 Apr, 2023

This blog isn’t about a specific security topic or feature of our product. Rather, it’s about the broader security community. This week, we are launching a podcast, “Champions of Security,” as a way to better serve this community. Why Champions of Security? Over the last year, I’ve heard countless compelling stories from security-minded humans that […]

Jacob Garrison 12 Apr, 2023

What is API Authentication? API authentication is a process used to verify the identity of a client that is attempting to access an API. Once the identity of an API client is verified, API authorization ensures the client is allowed to access protected resources or perform privileged actions within the API.  Authentication is typically achieved […]

Bionic Team 10 Apr, 2023

Cryptography is the art of disguising data to keep it secure. I’m intentionally calling it an art because, when implemented correctly, it does a beautiful job of protecting valuable information. The alternative is to store data in plaintext – a reckless and negligent strategy. Take, for example, the time Marriott exposed 5 million unencrypted passport […]

Jacob Garrison 22 Mar, 2023

Over $6 billion is lost to identity theft each year. Some digital theft results from malicious programs like keyloggers and spyware, but unaware developers also introduce silent threats. Unencrypted data is always dangerous. This blog focuses on data in transit, but similar principles apply to data at rest. In the following sections, I demonstrate how […]

Jacob Garrison 22 Feb, 2023

Data is information. So a Chief Information Security Officer should be responsible for securing data, right? And while securing data is definitely a team sport that spans across engineering, DevOps, product, security, GRC, and other departments, it’s often the CISO who is up at night, worrying about potential data breaches, exorbitant fines, legal implications, and […]

Jamie Gale 07 Feb, 2023

Protecting sensitive or personal data of employees and customers is one of – if not the – most important responsibility of any business. While most of the world is adopting data protection laws, there are misconceptions about who needs to comply with which regulations and what information or data is actually covered.  The first step […]

Jamie Gale 27 Jan, 2023

The job of every security professional is to decipher buzzwords created by analysts and vendors. ASOC and ASPM are the latest, which are increasingly relevant in 2023 as applications become cloud-native (more distributed tech) and incorporate CI/CD (loads of f***king changes). In this post, I shall try to explain what ASOC and ASPM are, why […]

Stephen Burton 20 Jan, 2023

Many past social media breaches resulted from scraping. Most recently, a hacker scraped over 400 million records from Twitter. And it’s only a matter of time before another data breach occurs using the same technique. In this blog, I’ll explain how hackers scraped those user records from Twitter and how to mitigate these attacks. Data […]

Jacob Garrison 12 Jan, 2023

Today, we’re pleased to announce a partnership with the industry leader in cloud security, Wiz to provide next-generation Cloud and Application Security. The Wiz + Bionic partnership will help customers manage security and business risk that comes with two of the greatest challenges in technology: ephemeral, cloud-native services and highly dynamic, rapidly changing applications in […]

Jamie Gale 11 Jan, 2023

Applications are your business. Your customers see more value every time engineers push code. And that’s why your engineers are continuously empowered to move faster.  But, with all these changes in production, your application security posture is morphing. Enter the application security team. They exert a massive amount of effort on risk remediation. And now, […]

Jacob Garrison 28 Dec, 2022

For years, software teams have been shifting left and implementing DevSecOps. How do they know it’s truly improving their risk posture? There isn’t a single security professional that will state, “We’ve never been breached, which means we don’t have risks in production.” What makes measuring application risk complicated is, traditionally, exploits in production are unknown […]

Jacob Garrison 14 Dec, 2022

Shifting left is proven to help DevSecOps teams create more secure applications by earlier inclusion of security testing practices in the application development lifecycle and CI/CD pipeline. The Cloud Security Alliance estimates that about 90 percent of organizations are in various stages of adopting DevSecOps. IBM’s 2022 Cost of a Data Breach report notes that, among […]

Jamie Gale 06 Dec, 2022

Meta is a technology behemoth that’s constantly under attack. And unfortunately, it has a long list of security events resulting in the loss of user data. Keep in mind Meta attracts top-caliber software engineers. As the first letter of the envied FAANG / MAANG acronym, it’s an institution employing the best of the best. So, […]

Jacob Garrison 29 Nov, 2022

Many security outsiders think data leaks result from diligent efforts by seasoned hackers. In reality, minor oversights and mistakes in code frequently cause data breaches. And with engineers pressured to release features quickly, it’s no wonder these mistakes are common. Unsecured Application Programming Interfaces (APIs) are particularly dangerous because they’re synonymous with Broken Access Control, […]

Jacob Garrison 17 Nov, 2022

There are two high vulnerabilities in OpenSSL versions 3.0.0 – 3.0.6. On November 1, the project released OpenSSL version 3.0.7, which mitigates potential exploitation from CVE-2022-3602, “X.509 Email Address 4-byte Buffer Overflow,” along with CVE-2022-3786, “X.509 Email Address Variable Length Buffer Overflow.”  What is OpenSSL? OpenSSL is one of the most widely used encryption libraries […]

Jacob Garrison 31 Oct, 2022

Today we’re talking about CVE-2022-42889 aka Text4Shell. We’ll walk you through what it is, what you need to know and do to protect your applications, and dive into how Bionic is helping customers understand their overall risk related to this vulnerability. What is Text4Shell? Text4Shell is a vulnerability within the widely used Apache Commons Text […]

Jamie Gale 26 Oct, 2022

Companies innovate through applications to reach new customers and markets with greater speed. This blog discusses what applications were, how applications have evolved, and why Application Security Posture Management (ASPM) is a must-have for organizations that run modern apps in the cloud.  What was an Application? Before we get into modern applications, let’s take a […]

Jamie Gale 13 Oct, 2022

The startup world is on fire and the DevSecOps space even more so. With nearly every company fighting for talent, I chose to join Bionic, the Application Security Posture Management (ASPM) company, as their first Chief Revenue Officer. Here’s why. Before Bionic Before I joined Bionic, I was Chief Operating Officer at AppDynamics, the worldwide […]

Philip Coady 11 Oct, 2022

Many security solutions assign numerical scores to indicate the risk that a threat poses so that customers can prioritize which issues to fix first. Teams work through endless tickets, trusting blindly that the assigned score accurately represents the (business) risk that a threat poses.  If all risk scores were created equal (and accurate), then this […]

Jamie Gale 03 Oct, 2022

Over the last several years, targeted, “boutique” cloud security solutions have consolidated into one-stop shops, known as Cloud-Native Application Protection Platforms (CNAPPs).  This blog discusses the evolution of the CNAPP and its predecessors: Cloud Access Security Broker (CASB) Cloud Workload Protection Platform (CWPP) Cloud Security Posture Management (CSPM) Cloud Infrastructure Entitlement Management (CIEM). We’ll then […]

Jamie Gale 14 Sep, 2022

APIs are the hottest attack vector in modern software. In this blog, we’ll look at how APIs add risk and best practices for securing them. For anyone who doesn’t know, API stands for Application Programming Interface. APIs provide a way for software programs to communicate with the external world. And securing these interfaces is a […]

Jacob Garrison 01 Sep, 2022

New Critical Risk Scoring and CyberArk integration, and seamless agentless integrations with Kubernetes and Amazon. Bionic has been extremely busy this quarter ensuring that our customers (and future customers) have the best Application Security Posture Management (ASPM) solution. Check out what we’ve been up to. Critical Risk Scoring  Bionic Risk Score is Bionic’s interpretation of […]

Bionic Man 08 Aug, 2022

Data Privacy is one of the major driving forces behind application and information security. Organizations are constantly trying to ensure that the private data of their customers, employees, and partners are secure; but what exactly is private data? To be simplistic, private data is information that relates to a person or entity that should not […]

Matt Rose 04 Aug, 2022

According to Business Wire, 75% of CISOs are concerned that too many application vulnerabilities leak into production, despite a multi-layered security approach. Why do you think this is? The new fad is shifting left – meaning application security isn’t focused on securing your business-critical applications in production. Companies are using incomplete application maps produced by […]

Matt Rose 22 Jul, 2022

Have you ever had one of your executives tell you that they want all your business-critical applications to be 100% secure? Maybe not in those exact words but something similar?  I hate to be the bearer of bad news; there is no such thing as a 100% secure application. Applications always have risks; it is […]

Matt Rose 21 Jul, 2022

Cloud security posture management (CSPM) is a cloud-level tool that identifies (and potentially remediates) risks across cloud infrastructures. So what is CSPM really good at? Visualizing and mapping the cloud infrastructure. But what about the applications that run inside the cloud environment, and all of the app services, databases, and APIs that comprise the application? […]

Matt Rose 15 Jul, 2022

Our friends over at OWASP defines API security as a security strategy that focuses on understanding and mitigating security risk associated with APIs. With an extreme focus on securing these APIs, API security tools have been popping up left and right. API security tools are extremely good at what they do: gathering an inventory of […]

Matt Rose 11 Jul, 2022

Jenkins, the very popular open-source automation platform used by enterprises worldwide for building, testing, and deploying software, announced last week that it had identified 34 security vulnerabilities affecting 29 plugins. Of the 34 security vulnerabilities, 29 are categorized as zero-day issues.  Full details of the announcement can be found in this disclosure by Jenkins on […]

Matt Rose 08 Jul, 2022

Application Security Posture Management (ASPM) is a hot new technology that organizations and analysts are investigating and researching. They are reading vendor reports, social media posts, and even blogs like this one to try and educate themselves on ASPM. Even with this research, there are still questions and confusion about ASPM. A common question I […]

Matt Rose 30 Jun, 2022

The official definition of insight is “the capacity to gain an accurate and deep intuitive understanding of a person or thing.” Having complete insight into your application’s security risks is the key to making them secure and compliant.  Most organizations look at application security risk in individual silos of their application architectures and not how […]

Matt Rose 23 Jun, 2022

Let’s face it – Application Programming Interfaces or APIs are a foundational part of modern applications. They are just as crucial as home-grown code, open-source packages, frameworks, and libraries in your application’s architecture. One of the questions I have heard for years while working with commercial enterprise applications is: do you have an API? If […]

Matt Rose 15 Jun, 2022

Let’s just face the fact there is no such thing as a perfect application. All applications have bugs and will continue to have bugs because as soon as one is fixed a new code release introduces a new set of bugs that also need to be fixed. Companies use terms like “hotfixes” and “point updates” […]

Matt Rose 01 Jun, 2022

It is probably not a surprise to say the use of open source packages in application development is here to stay. Depending on what research report you have read, as there are so many, the percentage of the code in an application being open source is anywhere from 30% to 80% of the total application […]

Matt Rose 19 May, 2022

Cloud Security Posture Management – CSPM – is quickly becoming the gold standard for every organization with cloud-first initiatives. CSPM tools help cloud security teams document and visualize what resources live in their cloud environments and determine whether the proper security controls are in place.  The reason why CSPM has become the gold standard is […]

Matt Rose 11 May, 2022

Site Reliability Engineers (SREs) face very complicated problems every day. Our team at Bionic has recently been speaking with a lot of SRE leaders and learning about the ongoing challenges they face daily such as: “What happens when a cloud region or a zone fails?” “Which applications and services are affected by this failure?” A […]

Matt Rose 26 Apr, 2022

As most everyone knows, the investigation on the recently announced SpringShell RCE (CVE-2022-22965) has begun. The point of this blog is not to discuss SpringShell’s issue, so much as dive into preemptive actions and remote code execution or RCE. There are already plenty of blogs and articles written about the incident, but I’m sharing how […]

Matt Rose 07 Apr, 2022

As you’re probably knee-deep in reacting to the Spring Framework RCE we wanted to provide some helpful information on how to tackle this issue. For all the details from Spring on this RCE here is a link to the granular details of the issue: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement. Just like the Log4Shell vulnerability, there are a lot of […]

Matt Rose 31 Mar, 2022

Bionic Announces $65M Series B Financing from Insight Partners, Cyberstarts, and Battery Ventures Accelerating investment in R&D, sales & customer success for our rapidly growing Application Security Posture Management platform Bionic, the industry’s first Application Security Posture Management platform, is proud to announce a $65 million Series B funding round led by New York-based global […]

Idan Ninyo 21 Mar, 2022

I have been talking about Application Security Posture Management (ASPM) a lot these days. The articles, blogs, and glass board sessions about the aspects of ASPM got me thinking. What are some other new and exciting ways ASPM could help organizations do things better? I immediately thought of threat modeling. Bionic ASPM Level Set Bionic […]

Matt Rose 09 Mar, 2022

My company, Bionic, announced our platinum sponsorship of the OWASP Organization. Everybody knows that the OWASP Top 10 is the gold standard for application security, so I think this news is impressive. I have been in the application security industry for 17 years, and OWASP has been there with me every step of the way. […]

Matt Rose 01 Mar, 2022

This is a follow-up blog to my blog from last week about Application Security Superheros. Yes, I know the blog was a bit cheesy, but that was the goal. I wanted to get people thinking about what modern-day application security professionals need to be with a bit of humor. Now let’s add some real-world examples […]

Matt Rose 09 Feb, 2022

Are you an application security superhero? Do you fly in at the last minute to thwart evil hackers like Iron Man, or are you more of the deep thinker that prevents hacks from even happening like Professor X?  The comparison is a bit crazy, but that is where we are at these days. There is […]

Matt Rose 31 Jan, 2022

I recently ran an unofficial poll on LinkedIn asking how people found every instance of Log4J in their application portfolio. The options I gave were CMDB (Configuration Management Database), SBOM (Software Bill of Materials), SCA (Software Composition Analysis), and internal detective work. The overwhelming majority, 54% to be exact, said internal detective work. These results […]

Matt Rose 20 Jan, 2022

I recently read this article on DevOps.com, and it got me thinking. Why is an SBOM not dynamic and updated every time a release happens in your CI/CD pipeline? To keep up with the speed of DevOps, organizations are scaling back things like QA and SBOM updates to only look at the latest release and […]

Matt Rose 21 Dec, 2021

How are you going to address the Log4J issue? The recent major exploit around Log4J (CVE-2021-44228) is a big deal and all over the press.  But how are you planning on finding every instance of Log4J in your very complex application? Missing even one instance of Log4J versions 2.0 to 2.14.1 could be a disaster […]

Matt Rose 11 Dec, 2021

Drawing a picture sounds like an easy request. A request probably more suited to a kindergartener than a tech industry blog, but it is a serious question. I am not asking you to draw a picture of your family pet or favorite vacation spot but an exact picture of your application architecture. Now you see […]

Matt Rose 09 Dec, 2021

You have probably heard about the recent Peloton API hack.  If you have not heard about the details, this link describes the Peloton API Hack. This incident further cements that IoT and PII are directly in the crosshairs for hackers.  Every platform these days requires you to give up personal information in order to create […]

Matt Rose 02 Dec, 2021

Bionic allows teams to detect, and manage application drift in real-time. Drift in this context doesn’t relate to infrastructure as drift rarely occurs with infrastructure-as-code in ephemeral environments. Bionic allows teams to quickly baseline and lock in their application architectures, so they have drift policies that can notify them in real-time should an architecture change. […]

Stephen Burton 22 Nov, 2021

In our previous blog about cloud migrations & dependencies, we discussed the importance of understanding application dependencies when performing cloud migration and modernization projects. There are a handful of challenges that those projects introduce, including: The manual burden of documentation & collaboration Lack of application visibility Application complexity We dive deeper into those challenges below. […]

Bionic Man 11 Nov, 2021

Continuous Delivery (CD) and Infrastructure as Code (IaC) means apps, clusters, and environments are constantly changing in your business. Drift occurs when an app, microservice, or infrastructure ‘drifts’ out of its intended configuration or approved operating boundaries. In short, drift is difficult to detect and introduces risk which isn’t seen or managed until something serious […]

Stephen Burton 10 Nov, 2021

After 16+ years in application security, one of the questions I have consistently heard asked is about false positives. Questions like “what is your false-positive percentage” or “how do you deal with so many false positives produced by this tool or that tool.” False-positive is a term that has become the black eye of application […]

Matt Rose 10 Nov, 2021

Bionic provides teams with a real-time living architecture map of their applications, showing all services, APIs, libraries, dependencies, and data flows. You can think of it as a visual software bill of materials or an SBOM, as it’s called. This is particularly useful for understanding black box applications, accelerating cloud migrations, or even refactoring monolithic […]

Stephen Burton 09 Nov, 2021

Bionic can help teams automate threat modeling and security reviews. We use an agentless approach to scan and reverse engineer your applications in any environment. The output is a real-time living architecture map that is code-level accurate. You can now threat model or review security based on what actually exists in your application versus estimating […]

Stephen Burton 09 Nov, 2021

Bionic helps teams rapidly understand which applications and services are accessing PII, PCI, and other sensitive data sources. Visualize with Business Context For example, below we can see six business applications that Bionic has discovered along with 68 unique services, which are mapped showing their dependencies to databases. In seconds, we can filter this map to […]

Stephen Burton 08 Nov, 2021

Think of Personal Identifiable Information (PII) as gold that companies store about their customers. Gold must be kept in a safe place at all times, with restricted access, effective governance, and auditing to secure it. However, we live in a world today where everything is code. Meaning more things touch corporate gold than ever before. […]

Stephen Burton 03 Nov, 2021

Understanding dependencies is everything when it comes to cloud migrations. If you get this wrong, the entire cloud migration can fail. Right now, companies are relying on manual documentation and people to map and understand application dependencies and data flows. This process can take sometimes between 6-12 months and are prone to mistakes. For those […]

Bionic Man 03 Nov, 2021

You are probably thinking, what the heck is this guy talking about. I didn’t even know there was a Static Analysis 1.0 or 2.0, so how can there be a Static Analysis 3.0? Static Analysis as a foundational Application Security platform has been around since the early 2000s. It has evolved to fit with the […]

Matt Rose 02 Nov, 2021

We have all probably heard about the recent news on the Twitch data breach.  Yes, it is a huge deal, and the hack has received a ton of press.   But I am amazed that the thing people are focusing on most is how much money the top streamers are making on a monthly or yearly […]

Matt Rose 25 Oct, 2021

Do you ever ask yourself ‘What the Fudge’ is going on in my apps? Yes, I know you thought the acronym meant something else, but I am trying to keep this blog PG; but please feel free to define the abbreviation however you want. It is an easy question to ask, but with today’s distributed […]

Matt Rose 19 Oct, 2021

In order to comply with EU GDPR compliance, you must be able to understand and map out your data flows to identify potential risks. Specifically, you are required to map data flows relating to PII (Personal Identifiable Information) and identify which applications are accessing PII data. Data maps allow companies to visualize and understand how […]

Bionic Man 14 Oct, 2021

A Brief History Observed I have been in Static Analysis Security Testing (SAST) for 15+ years. I have worked with some of the largest organizations in the world on scanning their code for security vulnerabilities. From Waterfall to DevOps to Cloud-Native Development, I have seen many changes in how application code is developed and released. […]

Matt Rose 12 Oct, 2021

As engineering teams accelerate and scale their cloud and CI/CD initiatives, the rate of change in production (and the business) starts to increase dramatically. Continuously delivering small incremental code changes is proven to lower the risk of production incidents and downtime. In addition, tools like DataDog, Splunk, Dynatrace, and New Relic can detect application performance […]

Stephen Burton 28 Sep, 2021