Web Security Blog

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Tue, 24 Jun 2025

It’s an interesting time to be leading security for a software-driven organization. The speed at which we deliver code has never been faster, and the expectations around security have also never been higher. As a result, the metrics we’ve historically used to measure application security are increasingly inadequate, even misleading.

Read more

3 ways that security tool sprawl can hurt application security testing

Fri, 19 Jan 2024

About that vulnerability… Are you sure it’s fixed?

Fri, 12 Jan 2024

The HHS outlines vital new pillars of action for cybersecurity in healthcare

Thu, 04 Jan 2024

3 big reasons why 2024 will be a fierce and noisy year for cybersecurity

Fri, 22 Dec 2023

CVSS 4.0 is here. Will it make vulnerability scores more useful?

Thu, 14 Dec 2023

Never mind the buzzwords: Here’s the straight deal on application security

Wed, 29 Nov 2023

Looking for the best in DAST: How to select DAST tools for DevSecOps

Fri, 10 Nov 2023

SolarWinds, the SEC, and the CISO: Who is legally responsible for security?

Thu, 02 Nov 2023

An abundance of caution: Why the curl buffer overflow is not the next Log4Shell

Tue, 24 Oct 2023

Rapid Reset HTTP/2 vulnerability: When streaming leads to flooding

Mon, 16 Oct 2023

Top 5 application security misconfigurations

Thu, 12 Oct 2023