Your AST Guide for the Disenchanted: Part 3

David Brumley
September 22, 2020
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

In our previous post, we discussed that the key ingredient to a true DevSecOps process is accurate testing. In this post, we’ll share how to implement an accurate Application Security Testing program that effectively manages risk, while protecting developer productivity.

Two of Each is All You Need

There are many different types of Application Security Testing tools you can choose from. Commonly, it’s questioned why multiple tools are needed. The answer is because there are multiple risks that need to be addressed. The compounding need for multiple tools and management of multiple risks is already reason enough for elevated blood pressure by security teams.

Rest assured, our philosophy is that simplicity is the best facilitator for focus. So, we’ll only ask that you focus on two types of risk and two types of tools. In this blog, we’ll cover the two types of risks to focus on: known and unknown vulnerabilities.

The Known and Unknown Vulnerabilities

Defects are a result of mistakes developers make in their code. When defects are exploitable, they are considered a vulnerability. While there are more than two types of vulnerabilities, we posit that the known and unknown are the minimum to focus on at the beginning of your DevSecOps journey:

  • Known vulnerability. Known vulnerabilities have been disclosed to the software vendor and security community. It is a publicly known vulnerability and is given a CVE identifier. Known vulnerabilities are easier to detect and prevent because there is information or a patch available for fixing issues. 
  • Unknown vulnerability. Unknown vulnerabilities have not been discovered by anyone. They are dormant. Because these vulnerabilities are unknown, when they are found, malicious actors can operate unnoticed for long periods of time. These vulnerabilities are difficult to detect and prevent because there is no information or patch available to fix issues.

As organizations evaluate tools, they’ll want to select tools that address these two risk areas accurately to facilitate the DevSecOps process and mindset.

Until next time…

In this post, we’ve outlined the two types of application security risks to address as a part of your DevSecOps pipeline. In the remainder of the series, we’ll suggest tools that will accurately address these needs and how they complement each other.

Continuous Testing at the Speed of Development.

Find out how ForAllSecure can bring advanced fuzz testing into your development pipelines.

Request Demo Learn More

Stay tuned for the rest of the series. Meanwhile, find out how to get started with DevSecOps in this explainer video featuring ForAllSecure CEO Dr. David Brumley. For immediate information or a demo, contact us at

Share this post

Fancy some inbox Mayhem?

Subscribe to our monthly newsletter for expert insights and news on DevSecOps topics, plus Mayhem tips and tutorials.

By subscribing, you're agreeing to our website terms and privacy policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Add Mayhem to Your DevSecOps for Free.

Get a full-featured 30 day free trial.

Complete API Security in 5 Minutes

Get started with Mayhem today for fast, comprehensive, API security. 

Get Mayhem

Maximize Code Coverage in Minutes

Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.

Get Mayhem