Let’s face it! Security teams are not capable of ensuring secure development life cycles themselves. They can only get the ball rolling but to keep the momentum going software development and DevOps teams also need to go the extra mile.

Thinking about the different roles involved in the task of DevSecOps adoption, it is quite easy to imagine the difficulty of aligning different teams with different priorities, team sizes, and skillsets to work towards the same goal.

That is why we need to clearly set the expectations from each team to make the process as easy to digest as possible…


We have all been involved in many training sessions in our careers. Sometimes willingly and sometimes not.

Let’s try to remember when those sessions had our full attention.

Without exception, it was when there was truly something in it for us.

Before we decide that a training session is worth our time, effort and attention, it needs to meet at least one of the following requirements.

  • To satisfy our curiosity in a subject we are interested in.
  • To remove a barrier that is standing in the way of advancing in our careers or education.

Software engineers also go through the…


In the modern software development life cycle, there is a variety of security tools used in different phases of development pipelines.

While SAST and SCA are more heavily used in the coding phase, as we approach the production phase DAST, IAST, Container Security or In-App Protection tools also come into play to provide end-to-end security in the pipeline.

On top of these tools, organizations also rely on other sources like manual penetration testing or bug bounty programs to detect vulnerabilities that are harder to find as they are mostly business logic related.

Application security orchestration and correlation platforms have emerged…


Cybersecurity has always been considered a technical issue. Undoubtedly it is. However, its affinity with marketing is most of the time overlooked.

Brand images are created in people’s minds and that is where they live. While marketing works to get the brand name out there or to sustain a positive image in people’s minds, cybersecurity is all about protecting that image.

Trying to build a strong brand image, companies allocate generous amounts of resources to marketing almost from day one. …


Nowadays there is a wide variety of security layers used by organizations at different stages of the software development life cycle. Static code analysis, dynamic analysis, penetration tests, bug bounty programs, or manual findings all offer different frequencies and different coverage levels to catch vulnerabilities.

Software developers need to deal with all vulnerabilities coming from these different sources while ensuring that they release new features or new applications within the deadlines.

Under the pressure of releasing applications at the speed of DevOps, security is not a luxury every software developer can afford.

Nevertheless, with the rising trend of secure coding…


In the ever-changing landscape of Appsec and DevOps, we have recently started to talk about shifting center instead of shifting left. This is because there is no right or left in the circular movement of software development which DevOps symbol perfectly demonstrates. You can also shift center and integrate Sec into entire DevOps through 5 continuous circular phases ;

– Threat Modeling

– Scan

– Analyze

– Remediate

– Monitor

Before diving into each phase, it is worth noting that like DevOps, DevSecOps is also a matter of culture. As well as testing your technical expertise, building a solid DevSecOps…


Photo by Felix Mittermeier on Unsplash

In this post, we will talk about some quick and easy software security mitigation tricks that every developer can use on a daily basis.

Those quick fixes are called “damage limitation strategies” in general. We would like to talk about 7 practical strategies which you can use while developing your (secure) systems.

Let’s dive straight into them.

1 — Strlen:

As you may already know, input validation is a crucial element of application security and you should know that the easiest way to identify an anomaly is the “length” of your data/input. So, in your system if an input has…


Photo by Alex Knight on Unsplash

If the title of this post has attracted your attention and you have started to read it, you are probably aware of the fact that your security team is only as effective as your development team. Regardless of how effectively your security team is identifying vulnerabilities, getting rid of the vulnerabilities always boils down to the capability and the willingness of the developer who is going to fix the issue. Speaking of the willingness of developers, we all know it can deteriorate pretty quickly when they are asked to log in to disparate tools to perform different tasks. …


Photo by Andrew Seaman on Unsplash

With the trend of shifting left which means performing security tests earlier in the software development life cycle, last minute deployment issues are about to be a thing of the past. However, the variety of security tools used in the process still creates complexity when deciding on which project to scan at what frequency. Considering the limited resources used in the security departments and the extra costs associated with concurrent scan features of scanners, we need to find new ways of optimising the scan times.

The most common approach we observe in the field is running security tests on a…


Photo by Isaac Smith on Unsplash

When it comes to remediation of vulnerabilities, there is a two fold approach that needs to be adopted by every organisation. First comes the elimination of all false positive findings and prioritization of the relevant ones. Without this initial step, everything you do can simply be a waste of time even though you think you are putting in all the hard work to stay on top of vulnerabilities. Speed is good only if you are going at the right direction, otherwise you are only drifting away from your destination faster. Second step is the remediation of all relevant vulnerabilities as…

Can Bilgin

Co-Founder & COO at Kondukto.io

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store