Web Security Blog

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Tue, 24 Jun 2025

It’s an interesting time to be leading security for a software-driven organization. The speed at which we deliver code has never been faster, and the expectations around security have also never been higher. As a result, the metrics we’ve historically used to measure application security are increasingly inadequate, even misleading.

Read more

HTTP security headers: An easy way to harden your web applications

Fri, 06 Sep 2024

The OWASP API Security Top 10 demystified

Thu, 29 Aug 2024

What’s the big deal with post-quantum cryptography?

Fri, 16 Aug 2024

Invicti Security

How the DORA framework mandates application security testing (and many other things)

Tue, 06 Aug 2024

A voyage of discovery: Talking APIs with Frank Catucci and Dan Murphy

Thu, 25 Jul 2024

All in one place: Discovery and security testing across your APIs and applications

Tue, 16 Jul 2024

XSS filter evasion: Why filtering doesn’t stop cross-site scripting

Thu, 11 Jul 2024

Polyfill supply chain attack: What to do when your CDN goes evil

Thu, 27 Jun 2024

How to prevent XSS attacks

Thu, 20 Jun 2024

Invicti Security

What the OWASP Top 10 for LLM applications tells us about generative AI security

Thu, 13 Jun 2024

Making sense of AppSec vs. DevSecOps

Thu, 06 Jun 2024

How bad is a missing Content-Type header?

Thu, 23 May 2024