automation Look Ma! No Swagger! An approach to automated doc generation for Serverless Apps All of this started with this question: #lazyweb is there an easier way to doc APIs other than Swagger/OpenAPI? Looking for some options. — Abhay Bhargav (@abhaybhargav) October 1,
application security Stale-State Serverless Security Flaws I'd like to introduce a possibly new class of serverless security flaws with a story. For our training business at we45, we orchestrate servers. A lot of servers. These servers
application security Building a Static Analysis Security Bot with Gitlab I am a big believer in Feedback loops. For me, DevSecOps is all about building better feedback loops. If I can get Dev or Ops folks to get quick security
automation Hooking up - Automation (and Security) wins with Hooks I am inordinately pleased with myself today. No, no, it was nothing earth-shattering. For you, there's a good chance that it's probably nothing. But I am a sucker for small
kubernetes 5 Must-Have Kubernetes Security Tools My entire months of June and July have been consumed by Kubernetes. All, largely owing to the Kubernetes Security Masterclass Training that we are bringing to BlackHat USA 2020
application security A List of Secure Defaults I do a lot of work at the intersection of Continuous Application Security a.k.a DevSecOps, and Threat Modeling. I see that companies have started to take both these
training Tips for Speaking and Training Remotely Remote work is the future of work - Alex Ohanian Sr, Reddit. Now that all of you are probably reading this at home, I feel compelled to write this piece. For
threat modeling Mozilla's Rapid Risk Assessment (RRA) - Interview I have always been passionate about Threat Modeling. Especially at efforts at: scaling it, speeding it up, doing it collaboratively without having your Product Engineering Teams hating you, codifying it, or integrating
graphql Why I am giving up on GraphQL (kinda) I started playing around with GraphQL around 2 years ago. I was stunned by the power of the technology. Especially: The ability to dynamically fetch different attributes at runtime without
agile Think "Feedback" over "Pipelines" for DevSecOps Success For a while now, the term DevSecOps has become synonymous with Pipelines. That is natural. DevOps, for the longest time, has been associated with pipelines. I am sure that if
application security DAST Security Automation with a Markdown file I love automation and DevSecOps. Automation is a true force multiplier for already constrained Application Security teams. In my trainings on DevSecOps, one common problem that a lot of students
application security AppSec Predictions for 2020 A Customary Blogpost I am going to NOT encompass "InfoSec Predictions" in this because "InfoSec" is a HUGE area and I am not nearly qualified enough to be making predictions
serverless TDD for Serverless - My Setup I have been building serverless over the last 10 months now. I am currently working on a "not-small" project that spans nearly 100 functions in Python 3.7. I
application security Secrets of Secrets Secrets Management is important. Now, more than ever. Yet, I see very little attention being paid to it by Developers, DevOps teams and surprisingly, even security teams. Secrets are not
application security On Key-Stretching, Denial-of-Service and Future-Proofing I had a really interesting conversation with a participant at my recent training at OWASP Melbourne’s always amazing event, AppSecDay Melbourne. We ran 3 Trainings at the event including
application security Myth-busting Developer Security Training in 2019 Myths for Developer Security Training that I have learned through personal experience over a long span of training developers on security (2012-2019 and counting) Developers don't care about security. Untrue.
application security Holy s**t! We're really behind! Have been doing a lot of work with the Cloud, Kubernetes, Serverless and Containers over the last 2 years, and I realize that we have very little by way of
personal Applying OKR to a Security Learning Plan I have recently been reading about a management and measurement framework called OKR (Objectives and Key Results). This framework was born from Intel's Andy Grove and has been championed in
threat modeling Thoughts on Using and Scaling Threat Modeling Some of my pet peeves with Threat Modeling, as it's currently done by a lot of orgs out there: Threat Models are generated as tomes, rarely used by the people
cloud Notes on Open Policy Agent and Docker Security I am starting to work with Open Policy Agent (OPA) for Kubernetes. OPA is largely known for its ability to behave as a powerful Admission Controller for Kubernetes. However, I
application security 3 Essential AppSec Skills for 2020 and beyond Have been thinking about this one for a while now, and I thought I'll pen it down in long form. For me, the 3 Essential skills in AppSec, for 2020
serverless Winning with Serverless DevSecOps Pipelines There's little doubt that Serverless Technologies are being adopted at a rapid pace [1]. I have personally seen typically stodgy, old-school enterprises take to building out serverless (especially FaaS) projects
serverless So you wanna build a Production-ready Serverless App? I've been exploring serverless security for around a year now. Commonly, as a security pro, one typically looks at the offensive angle to any technology. While this can be very
Seven Deadly Sins of Container Security - Part 1 This video is AppSecEngineer's Part 1 of Seven Deadly Sins of Container Security. These specifically refer to 7 different mistakes that people and orgs make when running containerized deployments in
Content-Security-Policy: An Introduction Content-Security-Policy (CSP) is a major control to protect against Cross-Site Scripting Attacks. This video talks about both offensive and defensive perspectives of Content-Security-Policy implementations for your application. Code for the example app: https://github.com/we45/csp-flask Code for the presentation: https://github.com/