We’re creating a super-useful series called Security Engineer interview questions, where we dive into real-world interview questions on AppSec from Glassdoor, Indeed.com and other sources. This week, I dive into the question “What is XXE” with the aid of an amazing lab from our Learning Path on Application Security. Enjoy!


AWS recently released a whitepaper on the Security Overview of Lambda. This document is meant to be an in-depth look at Lambda security. It's definitely a worthwhile read. However, I have tried to simplify and distill some of the most important security points for general consumption.

A little bit of background on my work in Lambda. I work with AWS Lambda every day. I continue to build and release production-grade applications on Lambda and have deployed complex stacks in EdTech, Security Automation and Payment Processing, built entirely as an event-driven system on AWS Lambda. I really love AWS Lambda and…


This video is AppSecEngineer’s Part 1 of Seven Deadly Sins of Container Security. These specifically refer to 7 different mistakes that people and orgs make when running containerized deployments in their environment.


I have been in InfoSec since 2008. I started extensively presenting at conferences and events from 2014 or so (when I felt I had something to say). It wasn’t that I had nothing much to say before then, but I constantly felt weird about “not researching enough”, or “Who’s going to want to listen to me?” and so on. Somehow, in 2014, I decided to abandon a lot of doubts that I had and started to put more of my work “out there”.

That’s been the best decision I have made so far.

Since 2014, I have spoken at several…


I started doing PCI-DSS Audit work in 2008 (yes I know). Since then, PCI-DSS has always had “Requirement 3”, a set of PCI-DSS security requirements that was typically seen as infamous because of the number of organizations that would just not be able to fulfill it. What was Requirement 3? It pertained to “Protecting Cardholder Data”, more specifically “at rest”. And when someone says “Protecting Data at rest”, you naturally gravitate towards that one dreaded word, “Crypto”. No, I don’t mean the other dreaded avatar of “Crypto” (as in CryptoCurrency), but “Crypto” as in Cryptography.

The problem was never encrypting and…


I have been developing a bunch of serverless apps and experimenting with serverless security for our (we45’s) work in Pentesting and for our training on Serverless Security at OWASP AppSecUSA 2018, and I came across this interesting scenario during my research.

If you are working with AWS Lambda (Serverless), chances are that you would be working with AWS’s NoSQL Database, DynamoDB. DynamoDB is AWS’s cloud NoSQL solution that supports both Document models (like MongoDB) and Key-Value models (like Redis). DynamoDB and Lambda are a popular combination that several developers use to develop and run serverless applications on AWS infrastructure.

A Quick note on DynamoDB

As…


I have been playing around with Terraform for the last 2 months or so, and I really enjoy working on it. The entire approach to Infrastructure as Code, especially the modular parts, is not only powerful, but also extremely intuitive and easy to use once you get used to HCL (Hashicorp Configuration Language).

Today, I’d like to detail a simple use-case where Terraform is used as a way to provision and configure an Amazon EC2 Server (I’ll be using Ubuntu in this example) and configure Amazon Inspector to scan said server for security vulnerabilities once provisioned.

While this appears to be…


The Problem

Ever since I started my journey in DevSecOps and Application Security Automation, one of the key areas of my work has been “Parameterized Scanning”. “Parameterized Scanning” started off when we were attempting to automate an application security test for one of our largest clients, a World’s Top 10 Travel Portal. Before Parameterized Scanning, the pen tester had to rely either on manually crawling through the application to identify parameters, consequently testing them to identify security vulnerabilities, or use the “spider” feature of the Web Application Scanner. The spider feature of most Web Application Vulnerability Scanners has become a…

Abhay Bhargav

CTO of we45 (An AppSec Company), DevSecOps Greasemonkey, Passionate Security Technologist and Creator
