Jayesh Ahire
Podcast Appearances
When we talk about security testing, traditionally, we talk about SAST, DAST, IAST to some extent, right? SAST being the static application security testing, DAST being dynamic application security testing. First thing, SAST: when we talk about SAST, it's purely looking at your code and trying to find what is wrong. And when you look at just the code, it doesn't have any context.
It's just lines and lines of code. You're going through it. You're going through some function and seeing... Maybe this is too wide open. Maybe this library is old. Maybe there's some problem with this specific one. There's no dynamicity in it. And that's where DAST comes into the picture. But traditionally, DAST has always been more of a black box.
It's somebody sitting outside your system and trying to make an attack.
When that somebody is sitting outside your system, they definitely don't understand your application well, and that's where the false positives in DAST come into the picture. But looking at the API specifically, all of these tools, like all of the traditional security testing tools, operate at the application level. The API interactions are pretty different. When we talk about APIs specifically, there's a lot to digest, which is, let's say you have a thousand APIs, and most of these APIs are
each other, most of these APIs are talking to third parties, and when all of these interactions are going on, the attack surface you have becomes very large. And at the same time, the amount of knowledge somebody might need to go and exploit the application is not something which you can replicate with it. It needs way more context, it needs way more insight into the business logic of the application.
And that's where the API security testing part comes into the picture, because with API security testing specifically, you're dealing with the APIs first of all. And you're making sure that all of these different interactions you're talking about, all of these dependencies, you're talking about the third parties. So we are replicating the business logic abuse in its truest sense.
Let's say, talking about something around payment gateways. So if you're sending the sensitive information about your user to the payment gateway, and that's excessive data exposure, that can only be caused at the APLF, and DAST tools picking up on it or SAST tools picking up on it is pretty hard by definition.