I love the idea behind Static Application Security Testing (SAST) tools — they aim to create a utopian world clean from application vulnerabilities.

If Dynamic Application Security Testing (DAST) tools look at your application to find doors and windows left open to intruders, SAST tools try to prevent them from being opened in the first place. SAST tools are code scanners that alert developers if they create lines of code that are vulnerable, and provide recommendations on how to fix them. Some of these tools even have IDE integrations so developers can secure the code while writing it!

Sounds amazing…

The idea behind Dynamic Applications Security Testing (DAST) is pretty clever — a tool that simulates a human penetration tester. With the URL of an app to test, the tool gets its hands dirty and provides a vulnerabilities report.

DAST tools are not just contextless fuzzers; they have intelligence and decision-making capabilities that help them show more interesting results.

As a security engineer, I have used DAST multiple times, and have been curious about these tools that threaten to take my job. …

This is the second article in a 2-part blog series. In the previous article, we talked about the major changes in application development in the last several years. In this article, we will discuss how these changes impact application security as we used to know it, and redefined the boundaries.

Extended Boundaries: Application Security is a Widespread Concern

With traditional applications, it was common to see companies invest most of their security efforts on the “edge” — the first layer exposed to the internet. Today, it’s not really possible to do this, because of two main reasons:

Microservice Level Protection: Microservice and API architectures expose more pieces of…


This is the first article in a 2-part blog series outlining how application security has changed (or needs to change). Before I get into the article, let me give you a little background on myself. I am currently the Head of Security Research at Traceable but my personal journey with application security started long ago. …

To welcome the new year, we published a daily tip on API Security during the month of January 2020.

We started this project because we wanted to help developers, security engineers and pentesters learn about API security and API pentesting.

We realize it’s not easy to find resources in these fields, so this is only one project among many others yet to come :)

Don’t forget to follow us on Twitter (@InonShkedy and @Traceable.ai)!

31 API tips - chronological order, raw format

One of our followers, Smodnix, compiled all the tips into a GitHub repository:

Thank you Smodnix 😊!

31 API tips + categories & statistics

I created a detailed spreadsheet including statistics (# of…


In this article I dig into the details about Broken Object Level Authorization (BOLA) — the most common and most severe API vulnerability today according to the OWASP API Security Project.

Insecure Direct Object Reference (IDOR) and BOLA are the same thing. The name was changed from IDOR to BOLA as part of the project.

We hear about large companies that get breached because of BOLA every week. A few well known recent examples include: Uber, Verizon, Facebook, T-Mobile, and the list goes on.

Almost every company has APIs that are vulnerable to BOLA and there are currently no “off…

Let’s talk for a moment about love, relationships and commitment…

Most application security engineers I’ve met have already settled down and found their special one. They stick with that one, stay committed and never have a second thought about another. I’m talking about Burp and Fiddler

To be honest, I was one of those guys. I had found Fiddler and we were exclusive for 5 years. It was a beautiful relationship. A perfect match it seemed. Every time my co-workers tried to introduce me to Burp it went in one ear and out of the other. I only had eyes…

Technology is constantly evolving. We’ve seen this in recent years in the way applications are developed (e.g. CI/CD), delivered (e.g. microservices and cloud) and consumed (e.g. more SaaS and mobile devices). If that wasn’t enough we’re also faced with threats from attackers who are also evolving and always seem to be one step ahead of us, the defenders. If we look to those who are watching this space we see that analysts like Gartner say:

“By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications”

I’ve been a security researcher for many…

BlindSpot is an Israeli app that provides anonymous chat features, and was founded by Dor Refaeli (Bar Refaeli’s brother)

The app started its journey with an aggressive advertising campaign which included billboards and virtual ads.

The app has drawn criticism due to the concern that it would encourage verbal abuse among children and teenagers — its main users.

I’ve performed the penetration test in order to understand whether the app is secure and in fact maintains the privacy of the clients, and also to practice and learn new concepts in the field of Android penetration testing.

After a short test…

This article will talk about a new server side vulnerability that I discovered in the PDF export process.
Many servers are still vulnerable, varying from social networks to financial and governmental websites.

Have you ever surfed the internet and seen a “Download as PDF” button?
Over the past few years, many sites have added the option to export your personal data to an accessible format, as PDF / Word. …

Inon Shkedy

I love to learn, build and break things. Head of Security Research @ Traceable.ai; Security Consultant @ Tangent Logic

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store