developer - Abhay Bhargav

Building a Static Analysis Security Bot with Gitlab

I am a big believer in Feedback loops. For me, DevSecOps is all about building better feedback loops. If I can get Dev or Ops folks to get quick security feedback on something they have written, with few/no false positives, in a workflow that they are used to, I

automation

Hooking up - Automation (and Security) wins with Hooks

I am inordinately pleased with myself today. No, no, it was nothing earth-shattering. For you, there's a good chance, that its probably nothing. But I am a sucker for small wins, automation and developer-driven workflows. Any wins around Automation and dev-workflows actually. Don't know what I am talking about? Let

serverless

TDD for Serverless - My Setup

I have been building serverless over the last 10 months now. I am currently working on a "not-small" project that spans nearly a 100 functions in Python 3.7. I started working with Test-Driven Development (TDD) around a year ago. Its been quite a large productivity boost for me. This

application security

Myth-busting Developer Security Training in 2019

Myths for Developer Security Training that I have learned through personal experience over a long span of training developers on security (2012-2019 and counting) Developers don't care about security. Untrue. Security doesn't contextualize security issues, attacks and consequences. Context is king."We need OWASP Top 10 Training". OWASP Top 10

application security

Disassembling CVE and CWE for No Fun and No Profit

There's a good chance that you or your colleague(s) will be shuffling through the massive vendor presentation areas at RSA next week. Chances are that, as you make your way through the booths with shiny screens with Dashboards and fancy-looking charts, you'll see one or more of these "C"

graphql

The Hard Way: Security Learnings from Real-world GraphQL

This article comes (relatively) close on the heels of my talk at AppSec California. The talk was: "An Attacker's Perspective of Serverless and GraphQL Applications"The slides for that talk are available here As I was preparing for the talk. I had a project, ThreatPlaybook, that we needed to revamp.

op-ed

Thoughts on Developer Security Training

I have had the good fortune to have trained thousands of developers on Application Security. Private organizations, conferences and even some non-profit groups have engaged us (we45) and my team to do this. Needless to say, this has been an extremely rewarding experience. I have had several clients say that