Abhay Bhargav

Abhay Bhargav

Sign in Subscribe

Last Week in AppSec - Aug 30 - Sep 7

Last Week in AppSec - Aug 30 - Sep 7

Interesting stories and blogs from the Last week in AppSec * iHide Tool from TrustedSec => https://www.trustedsec.com/blog/introducing-ihide-a-new-jailbreak-detection-bypass-tool/ * Container Isolation Techniques => https://blog.aquasec.com/container-isolation-techniques * AWS OIDC with SPIFFE => https://developer.squareup.com/blog/aws-oidc-authentication-with-spiffe/ * AWS SDK Official Swift Release => https://aws.amazon.

Last week in AppSec - Aug 23 - 29 2021

Last week in AppSec - Aug 23 - 29 2021

In this segment of "Last week in AppSec", I explore some interesting news and content from the world of AppSec, Cloud Security, Kubernetes Security and more... Here's what I am talking about in this issue: ChaosDB => https://chaosdb.wiz.io/ Mark Dowd’s Keynote in

Better OKRs for Security through Effective Threat Modeling

threat modeling Featured

Better OKRs for Security through Effective Threat Modeling

If you've read any management article, book or interview recently, its unlikely that you've not come across the term "OKR". The term (and practice) has become as entrenched with management culture, as its founding company, Intel, has with microchips. OKR is a goal-setting methodology

Building a Static Analysis Security Bot with Gitlab

application security Featured

Building a Static Analysis Security Bot with Gitlab

I am a big believer in Feedback loops. For me, DevSecOps is all about building better feedback loops. If I can get Dev or Ops folks to get quick security feedback on something they have written, with few/no false positives, in a workflow that they are used to, I

Hooking up - Automation (and Security) wins with Hooks

Hooking up - Automation (and Security) wins with Hooks

I am inordinately pleased with myself today. No, no, it was nothing earth-shattering. For you, there's a good chance, that its probably nothing. But I am a sucker for small wins, automation and developer-driven workflows. Any wins around Automation and dev-workflows actually. Don't know what I

A List of Secure Defaults

application security

A List of Secure Defaults

I do a lot of work at the intersection of Continuous Application Security a.k.a DevSecOps, and Threat Modeling. I see that companies have started to take both these disciplines very seriously, especially today. This is not surprising. When you have rapid application delivery processes, the need to pre-empt

Tips for Speaking and Training Remotely

training Featured

Tips for Speaking and Training Remotely

> Remote work is the future of work - Alex Ohanian Sr, Reddit Now that all of you are probably reading this at home, I feel compelled to write this piece. For the last 4 years, I have spent approximately 500 hours delivering highly technical training or speaking at various

Mozilla's Rapid Risk Assessment (RRA) - Interview

threat modeling Featured

Mozilla's Rapid Risk Assessment (RRA) - Interview

I have always been passionate about Threat Modeling. Especially at efforts at: * scaling it * speeding it up * doing it collaboratively without having your Product Engineering Teams hating you * Codifying it, or.. * Integrating it with DevOps On the other hand, I have always found Mozilla to be a fascinating organization. They

Why I am giving up on GraphQL (kinda)

graphql Featured

Why I am giving up on GraphQL (kinda)

I started playing around with GraphQL around 2 years ago. I was stunned by the power of the technology. Especially: * The ability to dynamically fetch different attributes at runtime without having to change the API itself * Speed of the fetches, even with large datasets * Subscriptions - Ability for the API

Think "Feedback" over "Pipelines" for DevSecOps Success

Think "Feedback" over "Pipelines" for DevSecOps Success

For a while now, the term DevSecOps has become synonymous with Pipelines. That is natural. DevOps, for the longest time has been associated with pipelines. I am sure, that if you've read anything around DevOps or DevSecOps, you'd have heard of the term "CI/CD&

DAST Security Automation with a Markdown file

application security

DAST Security Automation with a Markdown file

I love automation and DevSecOps. Automation is a true force multiplier for already constrained Application Security teams. In my trainings on DevSecOps, one common problem that a lot of students come to me with is "How do I automate DAST?" Admittedly, DAST is hard. DAST products usually have

On Key-Stretching, Denial-of-Service and Future-Proofing

application security

On Key-Stretching, Denial-of-Service and Future-Proofing

I had a really interesting conversation with a participant at my recent training at OWASP Melbourne’s always amazing event, AppSecDay Melbourne. We ran 3 Trainings at the event including our AppSec Essentials Training, DevSecOps MasterClass and our Containers and Kubernetes Security Training. In the AppSec class, I spoke about

Myth-busting Developer Security Training in 2019

application security

Myth-busting Developer Security Training in 2019

Myths for Developer Security Training that I have learned through personal experience over a long span of training developers on security (2012-2019 and counting) * Developers don't care about security. Untrue. Security doesn't contextualize security issues, attacks and consequences. Context is king. * "We need OWASP Top

Applying OKR to a Security Learning Plan

I have recently been reading about a management and measurement framework called OKR (Objectives and Key Results). This framework, was born from Intel's Andy Grove and has been championed in recent times by Venture Capitalist John Doerr. I've been reading his book, "Measure what matters&

Thoughts on Using and Scaling Threat Modeling

threat modeling

Thoughts on Using and Scaling Threat Modeling

Some of my pet peeves with Threat Modeling, as its currently done by a lot of orgs out there: 1. Threat Models are generated as tomes, rarely used by the people who need to be using it (architects, engineering teams, business owners, even security people) 2. Consequently, Threat Modeling does

application security

3 Essential AppSec Skills for 2020 and beyond

Have been thinking about this one for a while now, and I thought I'll pen it down in long form. For me, the 3 Essential skills in AppSec, for 2020 and beyond are: Threat Modeling More organizations are looking to "shift left", especially by way of