Matt Rose

All Stories by Matt Rose

  • Data Privacy is one of the major driving forces behind application and information security. Organizations are constantly trying to ensure that the private data of their customers, employees, and partners are secure; but what exactly is private data? To be simplistic, private data is information that relates to a person or entity that should not […]

  • According to Business Wire, 75% of CISOs are concerned that too many application vulnerabilities leak into production, despite a multi-layered security approach. Why do you think this is? The new fad is shifting left – meaning application security isn’t focused on securing your business-critical applications in production. Companies are using incomplete application maps produced by […]

  • Have you ever had one of your executives tell you that they want all your business-critical applications to be 100% secure? Maybe not in those exact words but something similar? I hate to be the bearer of bad news; there is no such thing as a 100% secure application. Applications always have risks; it is […]

  • Cloud security posture management (CSPM) is a cloud-level tool that identifies (and potentially remediates) risks across cloud infrastructures. So what is CSPM really good at? Visualizing and mapping the cloud infrastructure. But what about the applications that run inside the cloud environment, and all of the app services, databases, and APIs that comprise the application? […]

  • Peter Chestna is CISO of North America at Checkmarx. He is also a Board Member for the DevSecCon Global Community and MergeBase. Rafal Los joins Matt Rose on episode 17 of Tattoos, Code, and Data Flows in a conversation around improving the cybersecurity industry (including some very spicy takes on the industry). Peter is a […]

  • Our friends over at OWASP define API security as a security strategy that focuses on understanding and mitigating security risk associated with APIs. With an extreme focus on securing these APIs, API security tools have been popping up left and right. API security tools are extremely good at what they do: gathering an inventory of […]

  • Jenkins, the very popular open-source automation platform used by enterprises worldwide for building, testing, and deploying software, announced last week that it had identified 34 security vulnerabilities affecting 29 plugins. Of the 34 security vulnerabilities, 29 are categorized as zero-day issues. Full details of the announcement can be found in this disclosure by Jenkins on […]

  • Rafal Los is the Founder and Host of Down the Security Rabbithole Podcast. He is also an Advisory Board Member at the Security Advisor Alliance. Rafal Los joins Matt Rose on episode 17 of Tattoos, Code, and Data Flows in a conversation around improving the cybersecurity industry (including some very spicy takes on the industry). […]

  • ASPM is a hot new technology that organizations and analysts are investigating and researching. They are reading vendor reports, social media posts, and even blogs like this one to try and educate themselves on ASPM. Even with this research, there are still questions and confusion about ASPM. A common question I have often heard is, […]

  • The official definition of insight is “the capacity to gain an accurate and deep intuitive understanding of a person or thing.” Having complete insight into your application’s security risks is the key to making them secure and compliant. Most organizations look at application security risk in individual silos of their application architectures and not how […]

  • Let’s face it – Application Programming Interfaces or APIs are a foundational part of modern applications. They are just as crucial as home-grown code, open-source packages, frameworks, and libraries in your application’s architecture. One of the questions I have heard for years while working with commercial enterprise applications is: do you have an API? If […]

  • Let’s just face the fact there is no such thing as a perfect application. All applications have bugs and will continue to have bugs because as soon as one is fixed a new code release introduces a new set of bugs that also need to be fixed. Companies use terms like “hotfixes” and “point updates” […]

  • It is probably not a surprise to say the use of open source packages in application development is here to stay. Depending on what research report you have read, as there are so many, the percentage of the code in an application being open source is anywhere from 30% to 80% of the total application […]

  • Cloud Security Posture Management – CSPM – is quickly becoming the gold standard for every organization with cloud-first initiatives. CSPM tools help cloud security teams document and visualize what resources live in their cloud environments and determine whether the proper security controls are in place. The reason why CSPM has become the gold standard is […]

  • Site Reliability Engineers (SREs) face very complicated problems every day. Our team at Bionic has recently been speaking with a lot of SRE leaders and learning about the ongoing challenges they face daily such as: “What happens when a cloud region or a zone fails?” “Which applications and services are affected by this failure?” A […]

  • As most everyone knows, the investigation on the recently announced SpringShell RCE (CVE-2022-22965) has begun. The point of this blog is not to discuss SpringShell’s issue, so much as dive into preemptive actions and remote code execution or RCE. There are already plenty of blogs and articles written about the incident, but I’m sharing how […]

  • As you’re probably knee-deep in reacting to the Spring Framework RCE we wanted to provide some helpful information on how to tackle this issue. For all the details from Spring on this RCE here is a link to the granular details of the issue: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement. Just like the Log4Shell vulnerability, there are a lot of […]

  • I have been talking about Application Security Posture Management (ASPM) a lot these days. The articles, blogs, and glass board sessions about the aspects of ASPM got me thinking. What are some other new and exciting ways ASPM could help organizations do things better? I immediately thought of threat modeling. Bionic ASPM Level Set Bionic […]

  • My company, Bionic, announced our platinum sponsorship of the OWASP Organization. Everybody knows that the OWASP Top 10 is the gold standard for application security, so I think this news is impressive. I have been in the application security industry for 17 years, and OWASP has been there with me every step of the way. […]

  • By now, you have probably heard of Cloud Security Posture Management (CSPM) and the many outstanding players such as Wiz, Lacework, and Prisma Cloud. If you have not heard of CSPM or these vendors, then welcome back from your extended trip to outer space. CSPM is one of the hottest technology spaces these days as […]

  • This is a follow-up blog to my blog from last week about Application Security Superheroes. Yes, I know the blog was a bit cheesy, but that was the goal. I wanted to get people thinking about what modern-day application security professionals need to be with a bit of humor. Now let’s add some real-world examples […]

  • Are you an application security superhero? Do you fly in at the last minute to thwart evil hackers like Iron Man, or are you more of the deep thinker that prevents hacks from even happening like Professor X? The comparison is a bit crazy, but that is where we are at these days. There is […]

  • I recently ran an unofficial poll on LinkedIn asking how people found every instance of Log4J in their application portfolio. The options I gave were CMDB (Configuration Management Database), SBOM (Software Bill of Materials), SCA (Software Composition Analysis), and internal detective work. The overwhelming majority, 54% to be exact, said internal detective work. These results […]

  • I recently read this article on DevOps.com, and it got me thinking. Why is an SBOM not dynamic and updated every time a release happens in your CI/CD pipeline? To keep up with the speed of DevOps, organizations are scaling back things like QA and SBOM updates to only look at the latest release and […]

  • How are you going to address the Log4J issue? The recent major exploit around Log4J (CVE-2021-44228) is a big deal and all over the press. But how are you planning on finding every instance of Log4J in your very complex application? Missing even one instance of Log4J versions 2.0 to 2.14.1 could be a disaster […]

  • Drawing a picture sounds like an easy request. A request probably more suited to a kindergartener than a tech industry blog, but it is a serious question. I am not asking you to draw a picture of your family pet or favorite vacation spot but an exact picture of your application architecture. Now you see […]

  • You have probably heard about the recent Peloton API hack. If you have not heard about the details, this link describes the Peloton API Hack. This incident further cements that IoT and PII are directly in the crosshairs for hackers. Every platform these days requires you to give up personal information in order to create […]

  • After 16+ years in application security, one of the questions I have consistently heard asked is about false positives. Questions like “what is your false-positive percentage” or “how do you deal with so many false positives produced by this tool or that tool.” False-positive is a term that has become the black eye of application […]

  • You are probably thinking, what the heck is this guy talking about. I didn’t even know there was a Static Analysis 1.0 or 2.0, so how can there be a Static Analysis 3.0? Static Analysis as a foundational Application Security platform has been around since the early 2000s. It has evolved to fit with the […]

  • We have all probably heard about the recent news on the Twitch data breach. Yes, it is a huge deal, and the hack has received a ton of press. But I am amazed that the thing people are focusing on most is how much money the top streamers are making on a monthly or yearly […]

  • Do you ever ask yourself ‘What the Fudge’ is going on in my apps? Yes, I know you thought the acronym meant something else, but I am trying to keep this blog PG; but please feel free to define the abbreviation however you want. It is an easy question to ask, but with today’s distributed […]

  • A Brief History Observed: I have been in Static Analysis Security Testing (SAST) for 15+ years. I have worked with some of the largest organizations in the world on scanning their code for security vulnerabilities. From Waterfall to DevOps to Cloud-Native Development, I have seen many changes in how application code is developed and released. […]