Abhay Bhargav

CVE-2019-5736, runC and the Trickle down effect of Bad Advice

"Docker Containers are supposed to run as root", he said, authoritatively on a call. I started to doubt myself. "How can anything running as root, be a good thing?" I asked myself. But

op-ed

Thoughts on Developer Security Training

I have had the good fortune to have trained thousands of developers on Application Security. Private organizations, conferences and even some non-profit groups have engaged us (we45) and my team to do this.

container security

Stories of My Experiments with "Distroless" Containers

If you're like me, you're probably using Containers to deploy and run applications. Containers are incredibly convenient to package and run your applications, consistently, with all the necessary dependencies. However, most containers I

InfoSec is a lot like Stand-up Comedy

I have been in InfoSec since 2008. I started extensively presenting at conferences and events from 2014 or so (when I felt I had something…

A Guided Tour of the AWS Key Management Service (KMS)-as-Code

I started doing PCI-DSS Audit work in 2008 (yes I know). Since then, PCI-DSS has always had “Requirement 3”, a PCI-DSS set of security…

DynamoDB Injection

I have been developing a bunch of serverless apps and experimenting with serverless security for our (we45’s) work in Pentesting and for…

HOWTO: Amazon Inspector with Terraform

I have been playing around with Terraform for the last 2 months or so, and I really enjoy working on it. The entire approach to…

Integrating E2E and Application Security Testing: HOWTo with NightwatchJS and OWASP ZAP

The Problem

Stories of Application Security: “You Get what you Git”

I believe that stories are a great way of getting a complex message across to people. I have started, what I hope would be a series of…

Security is Non-Essential

Yes. I said it. Why? Let me tell you why….

Why your Application Security needs “Skin in the Game”

What is “Skin in the Game”?

AppSec vs Secure Applications

Wait…What??? Don’t they mean the same thing? Well, yes, I used to think so. In fact, I was quite committed to this concept for a very long…

Security Engineer Interview Questions: What’s an HMAC?

At the OWASP Bay Area Meetup recently, I ran into Tad Whitaker. He works in security and was instrumental in organizing the OWASP Bay Area…

The OWASP Top 10–2017: What works and what doesn’t…

Its finally here! :) After several arguments, debates, fanfare and some fury, the OWASP Top 10 2017 is finally making its way to a PDF near…

Better Security Outcomes with Abuser Stories for Scrum Teams

A User Story is a fundamental concept that is used by nearly every Agile or Scrum Team. A User story is a simple description of a feature…

My experiences with Facebook abstinence

I was angry. There was another story about how a section of the media was distorting a cause that I believed in. A short scroll below…

Fear and Loathing — Security in Cashless India

Two thoughts simulataneously come to mind when I think about events that have transpired in the last week. One, of course is the…

4 Ways I beat the Professional Plateau

This was the end of the 2013. I was bored. I had no reason to be. I was the CEO (still am) of an up and coming Information Security firm…

3 Takeaways from the Qatar National Bank Security Breach

The big story this week is around the “alleged” Data breach of Qatar National Bank (QNB). The attack came as a bolt from the blue with the…

English is India’s Number.1 Technology Problem

Yes, you read the title correctly. It sounds absurd, I know. One, because English is not related to technology. Two. Several Indians speak…

Subscribe to Abhay Bhargav