application security

DAST Security Automation with a Markdown file

I love automation and DevSecOps. Automation is a true force multiplier for already constrained Application Security teams. In my trainings on DevSecOps, one common problem that a lot of students

application security

AppSec Predictions for 2020

A Customary Blogpost I am going to NOT encompass "InfoSec Predictions" in this because "InfoSec" is a HUGE area and I am not nearly qualified enough to be making predictions

serverless

TDD for Serverless - My Setup

I have been building serverless over the last 10 months now. I am currently working on a "not-small" project that spans nearly a 100 functions in Python 3.7. I

application security

Secrets of Secrets

Secrets Management is important. Now, more than ever. Yet, I see very little attention being paid to it by Developers, DevOps teams and surprisingly, even security teams. Secrets are not

application security

On Key-Stretching, Denial-of-Service and Future-Proofing

I had a really interesting conversation with a participant at my recent training at OWASP Melbourne’s always amazing event, AppSecDay Melbourne. We ran 3 Trainings at the event including

application security

Myth-busting Developer Security Training in 2019

Myths for Developer Security Training that I have learned through personal experience over a long span of training developers on security (2012-2019 and counting) Developers don't care about security. Untrue.

application security

Holy s**t! We're really behind!

Have been doing a lot of work with, the Cloud, Kubernetes, Serverless and Containers over the last 2 years, and I realize that we have very little by way of

personal

Applying OKR to a Security Learning Plan

I have recently been reading about a management and measurement framework called OKR (Objectives and Key Results). This framework, was born from Intel's Andy Grove and has been championed in

threat modeling

Thoughts on Using and Scaling Threat Modeling

Some of my pet peeves with Threat Modeling, as its currently done by a lot of orgs out there: Threat Models are generated as tomes, rarely used by the people

cloud

Notes on Open Policy Agent and Docker Security

I am starting to work with Open Policy Agent (OPA) for Kubernetes. OPA is largely known for its ability to behave as a powerful Admission Controller for Kubernetes. However, I

application security

3 Essential AppSec Skills for 2020 and beyond

Have been thinking about this one for a while now, and I thought I'll pen it down in long form. For me, the 3 Essential skills in AppSec, for 2020

serverless

Winning with Serverless DevSecOps Pipelines

There's little doubt that Serverless Technologies are being adopted at a rapid pace [1]. I have personally seen typically stodgy, old-school enterprises take to building out serverless (especially FaaS) projects

serverless

So you wanna build a Production-ready Serverless App?

I've been exploring serverless security for around a year now. Commonly, as a security pro, one typically looks at the offensive angle to any technology. While this can be very

Seven Deadly Sins of Container Security - Part 1

This video is AppSecEngineer's Part 1 of Seven Deadly Sins of Container Security. These specifically refer to 7 different mistakes that people and orgs make when running containerized deployments in

Content-Security-Policy: An Introduction

Content-Security-Policy (CSP) is a major control to protect against Cross-Site Scripting Attacks. This video talks about both offensive and defensive perspectives of Content-Security-Policy implementations for your application Code for the example app: https://github.com/we45/csp-flask Code for the presentation: https://github.com/

application security

Disassembling CVE and CWE for No Fun and No Profit

There's a good chance that you or your colleague(s) will be shuffling through the massive vendor presentation areas at RSA next week. Chances are that, as you make your

we45

we45's Fedex Week

Research and Learning has been a big area of focus at my company, we45. We pride ourselves in teaching and training, new and experienced cohorts who join our organization. Its

graphql

The Hard Way: Security Learnings from Real-world GraphQL

This article comes (relatively) close on the heels of my talk at AppSec California. The talk was: "An Attacker's Perspective of Serverless and GraphQL Applications"The slides for that talk

container

CVE-2019-5736, runC and the Trickle down effect of Bad Advice

"Docker Containers are supposed to run as root", he said, authoritatively on a call. I started to doubt myself. "How can anything running as root, be a good thing?" I

op-ed

Thoughts on Developer Security Training

I have had the good fortune to have trained thousands of developers on Application Security. Private organizations, conferences and even some non-profit groups have engaged us (we45) and my team

container security

Stories of My Experiments with "Distroless" Containers

If you're like me, you're probably using Containers to deploy and run applications. Containers are incredibly convenient to package and run your applications, consistently, with all the necessary dependencies. However,

InfoSec is a lot like Stand-up Comedy

I have been in InfoSec since 2008. I started extensively presenting at conferences and events from 2014 or so (when I felt I had something…

A Guided Tour of the AWS Key Management Service (KMS)-as-Code

I started doing PCI-DSS Audit work in 2008 (yes I know). Since then, PCI-DSS has always had “Requirement 3”, a PCI-DSS set of security…

DynamoDB Injection

I have been developing a bunch of serverless apps and experimenting with serverless security for our (we45’s) work in Pentesting and for…

HOWTO: Amazon Inspector with Terraform

I have been playing around with Terraform for the last 2 months or so, and I really enjoy working on it. The entire approach to…