Abhay Bhargav (@abhaybhargav)'s Twitter Profile
Abhay Bhargav

@abhaybhargav

AppSec Expert with over 15 yrs of experience | Author of 2 books and Black Hat Trainer | Building the world's best Security Training Platform, @AppSecEngineer

ID: 24335220

Website: https://appsecengineer.com
Joined: 14-03-2009 05:25:59

8.8K Tweets

6.6K Followers

656 Following

Abhay Bhargav (@abhaybhargav)'s Twitter Profile Photo

PSA: Zero Trust is really "Low Implicit Trust". Zero Trust should be driven with:
* Identity first and Continuous Verification
* Least Privilege AuthZ
* Network Segmentation - done as specific, more focused isolated workloads
* Encryption of workloads in transit and at rest
*


This would have resulted in most blockbuster software products never existing in the first place. Things often move from mediocrity to excellence. Takes time.


My favorite OSS tools to automate as part of a DevSecOps workflow:
* Semgrep for SAST
* Checkov for IaC SAST
* Syft, Grype for SBOM generation and SCA scans
* Zap and Nuclei for DAST
* Gitleaks for secret scanning
* MobSF for Mobile Security Code Scanning
* Steampipe - Cloud Queries


I like the idea of "inversion thinking". It's basically when you have a project/decision and, instead of thinking about how it can be successful, you think about how it can fail and identify scenarios to avoid failure. Exactly what Threat Modeling is, for every app that you develop.


Everyone is building a boatload of apps with Claude + Cursor. And here I am thinking about all the vulnerabilities being introduced that developers (who're mostly not aware of them) are completely ignoring. It's going to be wild times for AppSec and AppSec Teams.


Our last training for the year is something you can take from the comfort of your home. Don't miss it. Tons of new content added to our always popular DevSecOps masterclass.


Some of my favorite Kubernetes security tools:
* KubeAudit - Useful tool to audit Kubernetes misconfigs
* Kyverno - The.best.policy management tool for Kubernetes
* KubeArmor - Runtime Security enforcement for Kubernetes clusters. Underrated, powerful tool


Common question I get asked about #ThreatModeling: "Which methodology is the best?" Any methodology (your creation even) that:
* Gives devs concrete plans 🧱
* Gives security teams the ability to prioritize ⏰
* Can be run w/o security folks 🥳
* Helps w/ iterative dev workflows ♼


Every org I talk to feels that they're messing up their Security Champions program. What should you do instead?
- Get them continuous training
- Don't blame them
- Incentivize them. Remember, they're going beyond the call of duty
- Get feedback from them. It's a two-way street


A little underwhelmed after the massive hype around the Cursor + Claude workflow. Definitely better than GH Copilot, but it leaves a lot to be desired if you know how to code. If you don't know how to code, I can see how this is magic to lots of people.


I heard somewhere that the best teacher is someone who's more interested in learning than in teaching. I tend to agree. I have always learned more, not only about the subject matter, but about how it gets through to someone and what resonates with people. This is what makes teaching


“So DevSecOps is about automating security in DevOps, right?” is a common question, to which my response is “no, it’s about harmonizing security as part of DevOps”. Harmonizing includes things like:
* Having security discussions/threat modeling in the sprint
* Feedback loops at


This has the potential to be a very powerful feature for DynamoDB. Lots of possibilities to be able to define granular access control patterns for apps and users accessing DynamoDB tables. Using patterns to restrict access to certain types of partition keys and sort keys is very


AppSec issues can be identified in multiple places:
1. At the level of security knowledge/awareness of the developer or product engineering team
2. At security issues identified in the user-story/requirements
3. When the developer writes code
4. When the code is built into an artifact
5.