About the Author

API scanning and security testing: The core of modern application security

Red Hat Consulting GitLab breach raises concerns over customer data exposure

API pen testing vs. continuous scanning: Key differences & benefits

Stateful API scanning: Why context matters for API security

Automated API vulnerability scanning: Security and compliance benefits

API vulnerability scanning: Tests to run first

Shadow AI: The hidden risk inside your enterprise (and how to manage it)

Web LLM attacks: Securing AI-powered applications

Sensorless (agentless) API discovery explained

API discovery and visibility: The foundations of modern application security

OWASP Top 10 risks for LLMs (2025 update)

Generative AI and cybersecurity in 2025: Risks, opportunities, and what leaders must do

Top 10 ASPM tools for 2025

Smarter, not flashier: How AI enhances DAST on the Invicti Platform

ASPM vendors: Things to look for in an ASPM solution

What is ASPM, or application security posture management?

How to prevent SQL injection vulnerabilities in PHP applications

What’s the difference between ASPM and DAST, SAST, or SCA?

Guide to cryptographic failures: A 2025 OWASP Top 10 threat

Vibe talking: Dan Murphy on the promises, pitfalls, and insecurities of vibe coding

Preventing cross-site scripting (XSS) in Java applications

SQL injection prevention cheat sheet

Is React vulnerable to XSS?

What your vulnerability scanner won’t find: Limitations of automated testing

What is the root cause of SQL injection?

What is the best vulnerability scanning tool?

Top 10 dynamic application security testing (DAST) tools for 2025

Components of dynamic application security testing

Missing X-Frame-Options header? You should be using CSP anyway

Content Security Policy (CSP): Directives, examples, fixes

Missing HTTP security headers: Avoidable risk, easy fix

DAST vs. penetration testing: Key similarities and differences

DAST vs. SAST: Getting real on static and dynamic application security testing

Is DAST only for web applications? A fact-check on vulnerability scanning

What is vulnerability scanning and how do web vulnerability scanners work?

The role of an API scanner in API security

3 types of vulnerability scanners that matter for application security

Black-box security testing

What is API Security? A comprehensive guide to API security

How to prevent CSRF attacks by using anti-CSRF tokens

How To Select a DAST Scanner: DAST Solutions & Tools

CWE Top 25 for 2024: XSS, SQLi, buffer overflows top the list

How to prevent SQL injection

How the BEAST attack works: Reading encrypted data without decryption

Doubling down on components: SCA and Container Security on the Invicti platform

3 AppSec headaches you can cure with Predictive Risk Scoring

Injection Attacks in App Sec: Types, tools, examples

Insecure deserialization in web applications

Debunking the top 5 myths about DAST

The Helix Files: Choose Your Own Adventure

HTTP security headers: An easy way to harden your web applications

The OWASP API Security Top 10 demystified

What’s the big deal with post-quantum cryptography?

How the DORA framework mandates application security testing (and many other things)

A voyage of discovery: Talking APIs with Frank Catucci and Dan Murphy

XSS filter evasion: Why filtering doesn’t stop cross-site scripting

Polyfill supply chain attack: What to do when your CDN goes evil

How to prevent XSS attacks

What the OWASP Top 10 for LLM applications tells us about generative AI security

Making sense of AppSec vs. DevSecOps

Why Predictive Risk Scoring is the smart way to do AI in application security

How to choose the right application security tools

What is DevSecOps and how is it evolving?

How you can disable directory listing on your web server—and why you should

NIST CSF 2.0: The world’s favorite cybersecurity framework comes of age

The xz-utils backdoor: The supply chain RCE that got caught

Why DAST makes the perfect security posture gauge

Never trust an LLM: Prompt injections are here to stay

More than a box to tick: Meet the real DAST

Will autonomous hacking bots change cybersecurity forever?

How AI makes cybersecurity even more asymmetric

3 ways that security tool sprawl can hurt application security testing

About that vulnerability... Are you sure it’s fixed?

3 big reasons why 2024 will be a fierce and noisy year for cybersecurity

CVSS 4.0 is here. Will it make vulnerability scores more useful?

Never mind the buzzwords: Here’s the straight deal on application security

Looking for the best in DAST: How to select DAST tools for DevSecOps

An abundance of caution: Why the curl buffer overflow is not the next Log4Shell

Rapid Reset HTTP/2 vulnerability: When streaming leads to flooding

Top 5 application security misconfigurations

NIST Cybersecurity Framework gets user-friendly: Upcoming changes in CSF v2.0

PCI DSS v4.0 makes integrated application security a compliance requirement

DAST tools are only as good as their setup and support

Building accurate DAST into the CI/CD pipeline saves you time – and money

SAST vs. DAST vs. IAST: Everything you always wanted to know but were afraid to AST

Making automated API vulnerability testing a reality

CWE Top 25 for 2023: Buffer overflows, XSS, SQL injection lead the pack

MOVEit Transfer breaches are a perfect storm of application security risks

What’s missing from the OWASP API Security Top 10 2023

Why penetration testing tools don’t work as enterprise scanners

SQL injection vulnerability in MOVEit Transfer leads to data breaches worldwide

How APIs creep up on you – and how to stay secure regardless

5 reasons why proof-based scanning is a game-changer

5 reasons why continuous vulnerability testing and management beats ad-hoc scanning

Monolithic vs microservices architecture: Which is better for security?

Software security tops ENISA’s list of cybersecurity threats for 2030

Getting real on AI in application security

What’s coming in the OWASP API Security Top 10 for 2023

IDOR, you DOR, everybody DOR: The dangers of direct object references

Spelljacking: When your browser is too helpful

Looking ahead to AFCEA WEST 2024: Building out the 7 pillars of Zero Trust

Picking up a clear signal at OWASP 2023 Global AppSec Dublin

Netsparker’s 2019: The Year in Review

Incorporating business logic to get the best out of DAST

How Invicti can help with AppSec compliance

Vulnerability scanning with PAM in zero trust environments

Invicti adds IAST support for Node.js

Hunting down vulnerabilities with Invicti’s DAST+IAST approach

Know Your Web Application Risks with Invicti’s Kenna Integration

4 Benefits of Using Invicti’s Knowledge Base Feature

How Invicti finds vulnerabilities