by Rickasaurus 2098 days ago
It's funny, I've never seen a dev team that really deeply internalized security without someone embedded who was an expert. It's just too hard, too easy to make a mistake.

I don't think these tools are the answer though, they make it easy for CISOs to look good, driving down the number, but is it real security?

You really need experts thinking about the security of your app. Ideally someone who thinks like a hacker.


You're right. You do need that person. IMO, it's a lot easier to accept their feedback when you understand that using a functional language offers you no significant security gains by virtue of being functional.

In my limited and less-than-universal experience as a security person thinking like a hacker, those scanners can and do enable real security enhancements. Keeping up on your patching is real security, as is having a system that can point out which inputs you didn't validate and what code paths they're on. Couple them with someone with the right experience and background, and you have the basis of a real application security program!

Which is to say that you're absolutely right. Having the right person in the right place is absolutely critical. I think it may be possible that it might not always be sufficient.

Oh I agree 100% with that. Off-the-shelf static analysis tools have massive noise and rarely come up with useful vulns.

Most of the time they end up making a 20 page report with 500 issues that nobody reads because 499 of the issues are stupid.

(However, they can work if highly tuned to specific environment and workflow)