> Code analysis: I don't think I've ever had a security team member read source code. Maybe I'm not remembering, but I genuinely can't think of one. I would love to have this happen though.
I think this is cost prohibitive - you would need a person who knows a lot about security and can program (and, what is more, a programmer who can read code to find vulnerabilities, which is a whole other level).
Running tools and building models requires a lot cheaper personnel, and I suspect that megacorps' security starts from the bottom line up.
Yeah fully agree. It's a big ask. Reading my comments again today, I made it sound more negative than I should have. It would be awesome to have that, but often unrealistic.
About bottom up training, I'd also love to have some extensive training on app security too. I know some basics, but learning some more systematic security testing would be cool.