application security AppSec Predictions for 2020 A Customary Blogpost I am going to NOT encompass "InfoSec Predictions" in this because "InfoSec" is a HUGE area and I am not nearly qualified enough to be making predictions without coming off like a jackass. That said, with AppSec, I have had the privilege of: running a company with
application security 3 Essential AppSec Skills for 2020 and beyond Have been thinking about this one for a while now, and I thought I'll pen it down in long form. For me, the 3 Essential skills in AppSec, for 2020 and beyond are: Threat ModelingMore organizations are looking to "shift left", especially by way of identifying vulnerabilities early and often
graphql The Hard Way: Security Learnings from Real-world GraphQL This article comes (relatively) close on the heels of my talk at AppSec California. The talk was: "An Attacker's Perspective of Serverless and GraphQL Applications"The slides for that talk are available here As I was preparing for the talk. I had a project, ThreatPlaybook, that we needed to revamp.
container CVE-2019-5736, runC and the Trickle down effect of Bad Advice "Docker Containers are supposed to run as root", he said, authoritatively on a call. I started to doubt myself. "How can anything running as root, be a good thing?" I asked myself. But the gent giving us the piece of advice (nay, justification) was a senior security pro with a
op-ed Thoughts on Developer Security Training I have had the good fortune to have trained thousands of developers on Application Security. Private organizations, conferences and even some non-profit groups have engaged us (we45) and my team to do this. Needless to say, this has been an extremely rewarding experience. I have had several clients say that
