DevSecOps

Invicti’s CTO On Finding The Right AppSec Solution

Expert Insights interviews Frank Catucci, CTO at Invicti.

Frank Catucci - Invicti

Organizations should prioritize complete coverage, accurate results, and speed when choosing an application security (AppSec) solution, Frank Catucci, CTO at Invicti, tells Expert Insights.

We caught up with Catucci on this month’s episode of the Expert Insights Podcast. You can listen to the full conversation here.

The Big Picture: Speed and scalability are the two biggest challenges that AppSec teams are facing today, says Catucci.

  • “Scale and speed are only increasing. It was fantastic for AppSec when releases were on schedules. Now we release software multiple times a day, depending on your environment… The number of different apps and APIs being released is very difficult to keep track of.”

The Key Takeaway: “Make sure that your coverage is complete, the results that you’re getting are accurate, and you’re doing all of this with speed. That’s the perfect trifecta of understanding what’s going to be effective in your DAST solution,” Catucci says.

  • “The number one thing you need to do is make sure you’re not getting noise,” he says. “It only takes a second to burn a bridge with a developer when you give them a false positive… First and foremost is making sure that that accuracy is there.”
  • “Automation is going to speed up as many processes as possible,” he explains. But “when we’re automating, we also need accuracy. We don’t want to sacrifice accuracy for speed.”
  • “I see DAST solutions that don’t necessarily have the broadest coverage. Make sure your portfolio is covered by your DAST solution; meaning what language sets you’re using, what types of applications and APIs are being used.”

Invicti’s Platform: Catucci is CTO at Invicti – an application security testing provider with more than 3,500 global clients. What sets Invicti apart is its approach to ensuring accurate, focused, and scalable security testing, he says.

  • “We try and deliver what matters. We have an SCA component which looks at libraries and components that are actually being called and used. Not just contained in your product or release… A traditional SCA can be very noisy. We offer very focused coverage on a broad array of components.”
  • “To go further, we offer a DAST solution that’s scalable, that has the ability to be fully automated, but most importantly, our false positive rate is extremely low, especially when compared to other competitors.”

Where Is AppSec Headed? AppSec has been extremely fast moving over the last few years, Catucci says, and AI is likely to cause the pace of change to accelerate further:

  • “Across the board, the landscape keeps expanding. Not only are we looking at apps and APIs, but now we’re looking at cloud, infrastructures, code to networking, et cetera. And we have to consider how we’re going to secure that with AppSec tooling.”
  • “The perimeter of your network has really changed. Every piece of code that you publish is part of your footprint or the exterior structure of your perimeter. We need to secure that with speed.”
  • “We have tremendous ability to leverage the power and speed of AI to be able to do things like risk analysis and [assess] the business criticality of applications to find what’s most important to your organization.”
  • “We need to use AI for a couple of things, not just developer code generation. And we need to make sure we are making sure all of that code that’s generated is being scanned. And we need to make sure that coverage does not degrade just because of the speed of the generation.”

Don’t Forget: We can’t trust AI generated code, just as we wouldn’t blindly trust human generated code, Catucci says.

Final Advice: Catucci’s final piece of advice is for teams to prioritize real-world testing to make sure the solution is the right fit for your environment.

  • “At the end of the day, you need a product that is going to deliver results with the accuracy that you require. That’s going to take testing. That’s going to take knowing your environment, knowing what really needs to work for you and understanding where you have coverage gaps.”
  • “Narrow down your selections or criteria and put products through their everyday real paces. Don’t rely on documentation. You need to understand what works for your organization and your environment. You need to see the results with your own eyes… to make sure that you’re getting the coverage you want.”
  • “You can’t do that with 10 or 12 different [solutions], but if you can narrow down your selection and put them through the real-world paces, that’s where you’ll see products start to outshine each other. And fairly quickly, when we look at real world scenarios and actually securing your environment for what matters.”

Listen to the full conversation on the Expert Insights Podcast: