Abhay Bhargav

Last Week in AppSec - Aug 30 - Sep 7

Interesting stories and blogs from the Last week in AppSec iHide Tool from TrustedSec => https://www.trustedsec.com/blog/introducing-ihide-a-new-jailbreak-detection-bypass-tool/Container Isolation Techniques => https://blog.aquasec.com/container-isolation-techniquesAWS OIDC with SPIFFE => https://developer.squareup.com/blog/aws-oidc-authentication-with-spiffe/AWS SDK Official Swift Release => https://aws.amazon.com/

Last week in AppSec - Aug 23 - 29 2021

In this segment of "Last week in AppSec", I explore some interesting news and content from the world of AppSec, Cloud Security, Kubernetes Security and more... Here's what I am talking about in this issue: ChaosDB => https://chaosdb.wiz.io/ Mark Dowd’s Keynote in HITB Singapore => https:

threat modeling

Better OKRs for Security through Effective Threat Modeling

If you've read any management article, book or interview recently, its unlikely that you've not come across the term "OKR". The term (and practice) has become as entrenched with management culture, as its founding company, Intel, has with microchips. OKR is a goal-setting methodology that can be used by companies,

application security

TL;DR on AWS Lambda Security Model

AWS recently released a whitepaper on the Security Overview of Lambda. This document is meant to be an in-depth look at Lambda Security. Its definitely a worthwhile read. However, I have tried to simplify and distill some of the most important security points for general consumption A little bit of

automation

Look Ma! No Swagger! An approach to automated doc generation for Serverless Apps

All of this started with this question #lazyweb is there an easier way to doc APIs other than Swagger/OpenAPI? Looking for some options. — Abhay Bhargav (@abhaybhargav) October 1, 2020 I was tired. We had this large API that we'd built out over time. And of course! Just like

application security

Stale-State Serverless Security Flaws

I'd like to introduce a possibly new class of serverless security flaws with a story. For our training business at we45, we orchestrate servers. A lot of servers. These servers are used by our many students to practice and learn concepts around Application Security, Cloud Security, Kubernetes Security, Cloud Security

application security

Building a Static Analysis Security Bot with Gitlab

I am a big believer in Feedback loops. For me, DevSecOps is all about building better feedback loops. If I can get Dev or Ops folks to get quick security feedback on something they have written, with few/no false positives, in a workflow that they are used to, I

automation

Hooking up - Automation (and Security) wins with Hooks

I am inordinately pleased with myself today. No, no, it was nothing earth-shattering. For you, there's a good chance, that its probably nothing. But I am a sucker for small wins, automation and developer-driven workflows. Any wins around Automation and dev-workflows actually. Don't know what I am talking about? Let

kubernetes

5 Must-Have Kubernetes Security Tools

My entire months of June and July have been consumed by Kubernetes. All, largely owing to the Kubernetes Security Masterclass Training that are we are bringing to BlackHat USA 2020 👍🎉(you should register if you haven't already). And while we have been running Kubernetes Security trainings for a while now,

application security

A List of Secure Defaults

I do a lot of work at the intersection of Continuous Application Security a.k.a DevSecOps, and Threat Modeling. I see that companies have started to take both these disciplines very seriously, especially today. This is not surprising. When you have rapid application delivery processes, the need to pre-empt

training

Tips for Speaking and Training Remotely

Remote work is the future of work - Alex Ohanian Sr, RedditNow that all of you are probably reading this at home, I feel compelled to write this piece. For the last 4 years, I have spent approximately 500 hours delivering highly technical training or speaking at various events, all

threat modeling

Mozilla's Rapid Risk Assessment (RRA) - Interview

I have always been passionate about Threat Modeling. Especially at efforts at: scaling itspeeding it updoing it collaboratively without having your Product Engineering Teams hating you Codifying it, or..Integrating it with DevOpsOn the other hand, I have always found Mozilla to be a fascinating organization. They are a non-profit,

graphql

Why I am giving up on GraphQL (kinda)

I started playing around with GraphQL around 2 years ago. I was stunned by the power of the technology. Especially: The ability to dynamically fetch different attributes at runtime without having to change the API itselfSpeed of the fetches, even with large datasetsSubscriptions - Ability for the API to behave

agile

Think "Feedback" over "Pipelines" for DevSecOps Success

For a while now, the term DevSecOps has become synonymous with Pipelines. That is natural. DevOps, for the longest time has been associated with pipelines. I am sure, that if you've read anything around DevOps or DevSecOps, you'd have heard of the term "CI/CD". Well, let's look at what

application security

DAST Security Automation with a Markdown file

I love automation and DevSecOps. Automation is a true force multiplier for already constrained Application Security teams. In my trainings on DevSecOps, one common problem that a lot of students come to me with is "How do I automate DAST?" Admittedly, DAST is hard. DAST products usually have limited API

application security

AppSec Predictions for 2020

A Customary Blogpost I am going to NOT encompass "InfoSec Predictions" in this because "InfoSec" is a HUGE area and I am not nearly qualified enough to be making predictions without coming off like a jackass. That said, with AppSec, I have had the privilege of: running a company with

serverless

TDD for Serverless - My Setup

I have been building serverless over the last 10 months now. I am currently working on a "not-small" project that spans nearly a 100 functions in Python 3.7. I started working with Test-Driven Development (TDD) around a year ago. Its been quite a large productivity boost for me. This

application security

Secrets of Secrets

Secrets Management is important. Now, more than ever. Yet, I see very little attention being paid to it by Developers, DevOps teams and surprisingly, even security teams. Secrets are not only critical in protecting access to third-party APIs and components like Databases and so on, but are equally important when

application security

On Key-Stretching, Denial-of-Service and Future-Proofing

I had a really interesting conversation with a participant at my recent training at OWASP Melbourne’s always amazing event, AppSecDay Melbourne. We ran 3 Trainings at the event including our AppSec Essentials Training, DevSecOps MasterClass and our Containers and Kubernetes Security Training. In the AppSec class, I spoke about

application security

Myth-busting Developer Security Training in 2019

Myths for Developer Security Training that I have learned through personal experience over a long span of training developers on security (2012-2019 and counting) Developers don't care about security. Untrue. Security doesn't contextualize security issues, attacks and consequences. Context is king."We need OWASP Top 10 Training". OWASP Top 10

application security

Holy s**t! We're really behind!

Have been doing a lot of work with, the Cloud, Kubernetes, Serverless and Containers over the last 2 years, and I realize that we have very little by way of effective security tooling for these technologies (especially at their depth). For me, security tools also need to be very developer

personal

Applying OKR to a Security Learning Plan

I have recently been reading about a management and measurement framework called OKR (Objectives and Key Results). This framework, was born from Intel's Andy Grove and has been championed in recent times by Venture Capitalist John Doerr. I've been reading his book, "Measure what matters" and I find it to

threat modeling

Thoughts on Using and Scaling Threat Modeling

Some of my pet peeves with Threat Modeling, as its currently done by a lot of orgs out there: Threat Models are generated as tomes, rarely used by the people who need to be using it (architects, engineering teams, business owners, even security people)Consequently, Threat Modeling does not scale.

cloud

Notes on Open Policy Agent and Docker Security

I am starting to work with Open Policy Agent (OPA) for Kubernetes. OPA is largely known for its ability to behave as a powerful Admission Controller for Kubernetes. However, I find that Open Policy Agent is a great Admission Controller/Policy Enforcement tool for Docker, HTTP REST API and other

application security

3 Essential AppSec Skills for 2020 and beyond

Have been thinking about this one for a while now, and I thought I'll pen it down in long form. For me, the 3 Essential skills in AppSec, for 2020 and beyond are: Threat ModelingMore organizations are looking to "shift left", especially by way of identifying vulnerabilities early and often