AWS recently released a whitepaper on the Security Overview of Lambda. This document is meant to be an in-depth look at Lambda Security. Its definitely a worthwhile read. However, I have tried to simplify and distill some of the most important security points for general consumption A little bit of…

This video is AppSecEngineer’s Part 1 of Seven Deadly Sins of Container Security. These specifically refer to 7 different mistakes that people and orgs make when running containerized deployments in their environment.

I have been in InfoSec since 2008. I started extensively presenting at conferences and events from 2014 or so (when I felt I had something to say). It wasn’t that I had nothing much to say before then, but I constantly felt weird about “not researching enough”, or “Who’s going…

I started doing PCI-DSS Audit work in 2008 (yes I know). Since then, PCI-DSS has always had “Requirement 3”, a PCI-DSS set of security requirements that were typically seen as infamous because of the number of organizations, who would just not be able to fulfill them. What was Requirement 3…

I have been developing a bunch of serverless apps and experimenting with serverless security for our (we45’s) work in Pentesting and for our training on Serverless Security in OWASP AppSecUSA 2018 and I came across this interesting scenario during my research. If you are working with AWS Lambda (Serverless), chances…

I have been playing around with Terraform for the last 2 months or so, and I really enjoy working on it. The entire approach to Infrastructure as Code, especially the modular parts, are not only powerful, but also extremely intuitive and easy-to-use, once you get used to the HCL…

The Problem Ever since I started my journey in DevSecOps and Application Security Automation, one of the key areas of my work has been “Parameterized Scanning”. “Parameterized Scanning” started off when we were attempting to automate an application security test for one of our largest clients, a World’s Top 10…