Qwiet AI Honored as Winner of Best Application Security Solution at the 2025 SC Awards
The rise of AI-generated code has indeed been a productivity breakthrough. However, it has also ushered in a new class of threat that most security teams are not adequately prepared for: the urgent and looming danger of slopsquatting. What Is Slopsquatting? Slopsquatting is a novel and unprecedented supply chain attack that exploits a flaw in […]
Developers build. It’s what they do best. But when security enters the equation, teams face a pivotal question: Should we develop our security tooling or buy something purpose-built? Let’s be honest. Building your tools can feel empowering. You know your stack, your risks, your workflow. But internal security systems aren’t just hard, they’re risky. And […]
Key Takeaways As a software developer, security professional, or technical decision-maker, it is essential to recognize that internal code is not inherently secure; it is often unscanned. Custom frameworks and in-house libraries frequently do not appear in public CVE databases and typically do not match known patterns, making them invisible to most rule-based application security […]
Key Takeaways While promising immediate feedback, real-time scanning often creates ‘noise’ without context. This ‘noise’ refers to the excessive and irrelevant alerts that tools running in the IDE or pre-save phase can generate. These tools may flag unreachable or non-exploitable code, leading to alert fatigue and dev pushback. CI/CD scanning, with its promise of higher […]
Key Takeaways All-in-one platforms trade depth for surface-level coverage: Bundling SAST, DAST, IAST, RAST, and ASPM into a single tool often leads to overlap in low-risk areas (e.g., basic code vulnerabilities) and blind spots in high-risk ones (e.g., complex business logic vulnerabilities). Context-aware tools, which understand an application’s specific context, outperform general-purpose scanners: These tools […]
Key Takeaways Static tools miss logic-driven vulnerabilities. Traditional SAST tools flag obvious syntax-level risks but fail to understand business rules, multi-tenant boundaries, or the actual intent behind code behavior. Qwiet’s comprehensive analysis traces full execution paths across helpers, middleware, and services. Modeling code as a connected graph uncovers hidden risks buried in trusted-looking utilities, such […]
After years of uncovering investment and retail banking fraud, I’ve developed a finely tuned radar for risk disguised as innovation. So when security vendors market “community rules” as a revolutionary leap forward, my fraud-detection instincts go haywire. It’s a wolf in sheep’s clothing, a potential threat masquerading as transparency. Let’s be clear: regulated financial institutions […]
RSA 2025 is almost here, and if you plan just to wing it, good luck. With a packed schedule and an overwhelming amount of vendor noise, this year’s conference will be full of AI hype, a key theme shaping the discussions and presentations. You’ll need a solid plan to cut through the clutter and get […]
Did you miss the first post? Check out: AppSec House of Cards: Legacy Scanners vs. Agentic Workflows. Modern applications aren’t monoliths. They’re sprawling, service-based systems built in multiple languages and stitched together with queues, APIs, and serialization layers. In this environment, user input doesn’t just move; it migrates across boundaries. The Business Risk: When One Missed […]