Abhay Bhargav
AppSec Expert with over 15 yrs of experience | Author of 2 books and Black Hat Trainer | Building the world's best Security Training Platform, @AppSecEngineer
Jun 3, 2022 8 tweets 4 min read
Key CloudWatch and CloudTrail concepts you should know for security monitoring on @AWS. A 🧵 1/ @AWS Let's start with CloudWatch. A lot of us assume that CloudWatch is just a log management engine, i.e. a time-series DB for logs from various AWS services and your workloads on AWS. It's so much more than that. It has all of these capabilities
Apr 28, 2022 11 tweets 6 min read
Webhooks are a big part of @kubernetesio. I've recently been going down the webhook rabbit hole, especially for offensive use cases. And here's what I think. A 🧵 1/ @kubernetesio #kubernetes uses an access control object called an Admission Controller. This is beyond AuthN and AuthZ. This allows you to create objects that will allow you, the operator, to define workloads and configs that are admitted in your cluster. appsecengineer.com/courses-collec…
Mar 31, 2022 9 tweets 7 min read
Container Registry Security controls you didn't know you needed. A 🧵 1/ Let's start with the basics. You need to scan your containers for vulns on the push. For that you need your registry to integrate with security scanners. Most registries support this out of the box. Some like @project_harbor even integrate with multiple scanners. Always 👍 2/
Mar 23, 2022 10 tweets 5 min read
#SSRF is a super popular vulnerability that is leveraged extensively by bad actors. Let's look at SSRF defense in this 🧵 1/ Let's start with the basics. SSRF happens because your app makes requests to other URLs based on user-generated data. If your app doesn't need to redirect/request random URLs (functionality), ensure that you have a tight allowlist. Only redirect to URLs in the allowlist 2/
Mar 21, 2022 7 tweets 8 min read
IMO #DevSecOps has a close-knit relationship with #ZeroTrust. Let's dive in with a 🧵 I've already tried to cover ZeroTrust as a summary here 👇 2/
Mar 15, 2022 10 tweets 6 min read
Realized that there's a huge gap in knowledge for some taxonomy and terms in #infosec. Here's a 🧵 Let's start with CWE from @CweCapec. Common Weakness Enumeration.
* This is 🚫 a scoring system
* This is an identifier for a type of vuln
For example: SQL Injection is CWE-89
It has broad "parent" and more specific "child" categories. But EOD, they are Vulnerability IDs 2/
Dec 10, 2021 9 tweets 3 min read
ICYMI, this is how the #log4j #Log4Shell flaw works (in simple English), a 🧵
1. Victim is running a Java web app that uses the log4j logging lib
2. The victim web app has code that logs HTTP request payloads/headers with log statements (example: User-Agent)
1/
3. Attacker identifies the vulnerable app and makes a request to the server with the User-Agent value set to this. What does this mean? 2/