The Elephant in AppSec

Lack of effective DAST tools | Aleksandr Krasnov (Meta, Thinkific, Dropbox)

43 min • 30 November 2023

Today, we're revealing our first episode with Aleksandr Krasnov, the principal security engineer at Meta, who challenges the effectiveness of existing DAST tools with us.

Aleksandr Krasnov is the principal security engineer at Meta, responsible for all things security at Instagram and WhatsApp. Previously, he was responsible for AppSec and offensive security at Thinkific and served as a product security engineer at Dropbox, Palo Alto Networks, and other companies.


Throughout his career, Alek used multiple security tools, including Dynamic Application Security Testing (DAST) tools. As we began discussing this podcast with him, he immediately raised a topic we strongly agree with: the scarcity of effective DAST tools in the market.

In our conversation, Alek shares:

  • Why organizations shouldn't only focus on shift left
  • The value of defending left, but attacking right, and why DAST is a part of this strategy
  • Why he thinks Nuclei stands out in open-source dynamic testing tools
  • The criteria he considers when evaluating DAST tools and what would elevate a tool to the status of a dominant player
  • His recommendations to AppSec engineers on how they should deal with the current limitations of DAST
  • How to drive efficient collaboration between engineers and the security team when it comes to dynamic testing
  • Whether DAST is better suited to smaller or larger orgs, and what the impact is when security sits within engineering or within finance
  • What to do when SAST or SCA are not enough, why he considers Semgrep among the next generation of vendors, and why custom rules must become an essential part of DAST
  • What the future of DAST tools looks like