Abhay Bhargav (@abhaybhargav)'s Twitter Profile

Abhay Bhargav
@abhaybhargav

AppSec Expert with over 15 yrs of experience | Author of 2 books and Black Hat Trainer | Building the world's best Security Training Platform, @AppSecEngineer

ID: 24335220
Link: https://appsecengineer.com
Joined: 14-03-2009 05:25:59

8.7K Tweets | 6.3K Followers | 658 Following

One thing I am particularly proud of, with our live cloud training is our 'Attack-Detect-Defend' stories and labs.

We take real-world apps on the cloud for AWS, Azure and GCP and simulate

* Attacking and Red-Team
* Cloud Incident Response and Detection Engineering
* Defense

If I were an AppSec/Product Security Head starting an AppSec Program today, I'd focus on the following:
- Role-based security training across engineering teams
- Implementing Policy-as-Code across Cloud-Native control planes - especially Kubernetes
- Risk Assessment for apps

Leading indicators of a solid AppSec/DevSecOps Program

* A Build system that has artifact signing and authenticated provenance

* Test and verification processes that are validated by a Threat Model

* Custom SAST Rules

* Security Defaults for AuthZ/BizLogic issues

Underrated (but highly effective) Cloud/Cloud-Native Security Controls:

* Egress Filtering w/ Network Policies
* Service Access Control - Service Control Policies can restrict blast radius in ways that are extremely effective
* Separate Logging Workspace/Accounts

A path to mastery

AppSec (vulns and defense) ➡️ DevOps practices ➡️ Individual components of Security automation (SAST, SCA, DAST) ➡️ DevSecOps feedback loops (pipelines, Git-based) ↕️ Implement DevSecOps for cloud/Kubernetes

Protip: If you wanna know how some source code is actually working, but are overwhelmed by all the different source files and how they work together, look at the tests. Tests kinda pull most things together with test data and fixtures. Easier to read and easier to digest.

Unpopular opinion: Controlling access to secrets in systems (cloud/kube) is MORE important than the quality/type of encryption (or lack thereof) used to protect these secrets

An underrated aspect of AppSec and Secure Coding is not exposing the insecure functionality in the first place.

Let's say you have an XML parsing library that may be used by devs wrongly/insecurely. By disabling certain functions in the library, it's not vulnerable to XML
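The tweet's idea of disabling the dangerous parts of a parser, as an added example (not the author's code): a small wrapper around Python's standard-library expat parser that refuses DTDs and entity declarations outright, so external-entity references and entity-expansion bombs are rejected before any expansion happens. The XML documents below are constructed for the demonstration, and the `file:///PLACEHOLDER` URI is a placeholder, not a real target.

```python
"""Added example: an XML parser that does not expose entity handling at all.

Uses only the standard library (xml.parsers.expat + ElementTree.TreeBuilder).
Namespace processing is deliberately omitted to keep the wrapper short.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET
from typing import Optional


class ForbiddenXMLFeature(ValueError):
    """Raised when a document uses a feature this parser refuses to support."""


def _reject_dtd(*_args):
    raise ForbiddenXMLFeature("DTD (DOCTYPE) not allowed")


def _reject_entity(*_args):
    # Fires for every <!ENTITY ...> declaration, internal or external,
    # so both XXE and entity-expansion ("billion laughs") documents are refused.
    raise ForbiddenXMLFeature("entity declarations not allowed")


def parse_untrusted(data: str, forbid_dtd: bool = True) -> ET.Element:
    """Parse XML from an untrusted source into an ElementTree element."""
    builder = ET.TreeBuilder()
    p = xml.parsers.expat.ParserCreate()
    p.buffer_text = True
    # Wire the structural callbacks to TreeBuilder.
    p.StartElementHandler = builder.start
    p.EndElementHandler = builder.end
    p.CharacterDataHandler = builder.data
    # Disable the insecure functionality: reject DTDs and entity declarations
    # instead of trying to use them safely.
    if forbid_dtd:
        p.StartDoctypeDeclHandler = _reject_dtd
    p.EntityDeclHandler = _reject_entity
    p.UnparsedEntityDeclHandler = _reject_entity
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.Parse(data, True)
    return builder.close()


def is_safe(data: str, forbid_dtd: bool = True) -> bool:
    """True if the document parses without touching a refused feature."""
    try:
        parse_untrusted(data, forbid_dtd=forbid_dtd)
        return True
    except ForbiddenXMLFeature:
        return False


# Constructed sample documents.
BENIGN_XML = "<order><item sku='constructed-123'/></order>"
XXE_XML = ('<?xml version="1.0"?>'
           '<!DOCTYPE d [<!ENTITY e SYSTEM "file:///PLACEHOLDER">]><d>&e;</d>')
ENTITY_BOMB_XML = ('<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;">]>'
                   '<d>&b;</d>')

if __name__ == "__main__":
    print(parse_untrusted(BENIGN_XML).tag)          # order
    print(is_safe(XXE_XML), is_safe(ENTITY_BOMB_XML))  # False False
```

Rejecting the feature is simpler to reason about than resolving entities "safely": there is no expansion limit to tune and no resolver to get wrong, which is the point the tweet makes about not exposing the insecure functionality in the first place.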

Things you should be reviewing (at a high level) when reviewing Security Architecture:

* Workload and Environment
* Functionality
* Code and Build env

Keep it simple. Don't complicate.

I am now convinced that by reading the docs (for anything) with reasonable depth, you're doing 10x more than nearly anyone else is doing

Things to ditch in 2024:

- DAST. Leave this to pentesters and bounty-hunters. Building a program at scale is hard with DAST

- Users on Cloud environments: Roles and Policies attached to them are the way to go.

- Sh***y Secure Code Training. You need Secure Software Training.

This is a great read on a vulnerability identified by the Stedi team in how AWS STS works.

IAM is complex and has far-reaching implications. This one cuts across AWS IAM, OIDC tokens and resource policy trust.

stedi.com/blog/stedi-dis…

Looking around and unable to find significant RCE or insecure deserialization vulns for Go apps or libraries.

You have some garden variety command injection due to poor coding, but none of the yaml, pickle, java object serialization type of vulnerabilities (esp due to

Unlike AWS, which I feel is more unified (from a security perspective), I feel Azure security is more discrete (and consequently more complicated). There are 3 distinct worlds in securing Azure IMO and all of them are non-trivial

- securing services deployed on Azure (VMs,

Your periodic reminder that Google Cloud Functions (and many other Google Cloud services you set up) may be configured with the Default Compute Engine Service Account.

And this Service Account has 'Editor' privs, that are very wide-ranging.
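A defender's check for the situation the tweet describes, as an added example (not the author's code): a script that reads the JSON array printed by `gcloud functions list --format=json` and flags every function running as one of the project's default service accounts. The listing below is constructed, not captured from a real project; the field names (`serviceAccountEmail` for 1st-gen functions, `serviceConfig.serviceAccountEmail` for 2nd-gen) follow the Cloud Functions API resource shapes, and the assumption that an unset service account falls back to a platform default is stated in the code.

```python
"""Added example: flag Cloud Functions that run as a default service account.

Both default accounts Google creates per project carry the broad Editor role:
  <PROJECT_NUMBER>-compute@developer.gserviceaccount.com  (Compute Engine default)
  <PROJECT_ID>@appspot.gserviceaccount.com                (App Engine default)
"""
import json
import re
from typing import Dict, List, Optional

DEFAULT_SA_PATTERNS = (
    re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$"),
    re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]@appspot\.gserviceaccount\.com$"),
)


def service_account_of(fn: Dict) -> Optional[str]:
    """Return the SA a function runs as, for 1st-gen or 2nd-gen resource shapes."""
    sa = fn.get("serviceAccountEmail")
    if not sa:
        sa = fn.get("serviceConfig", {}).get("serviceAccountEmail")
    return sa or None


def is_default_service_account(email: Optional[str]) -> bool:
    """True for Google's per-project default accounts.

    Assumption: a function with no explicit SA runs as a platform default,
    so an unset value is treated as default too.
    """
    if not email:
        return True
    return any(p.match(email) for p in DEFAULT_SA_PATTERNS)


def audit_functions(listing_json: str) -> List[Dict]:
    """Return one finding per function that should get a dedicated, least-privilege SA."""
    findings = []
    for fn in json.loads(listing_json):
        sa = service_account_of(fn)
        if is_default_service_account(sa):
            findings.append({
                "name": fn.get("name"),
                "serviceAccount": sa or "(unset -> platform default)",
            })
    return findings


# Constructed sample of `gcloud functions list --format=json` output.
SAMPLE_LISTING = json.dumps([
    {"name": "projects/example-proj/locations/us-central1/functions/ingest",
     "serviceAccountEmail": "123456789012-compute@developer.gserviceaccount.com"},
    {"name": "projects/example-proj/locations/us-central1/functions/render",
     "serviceConfig": {"serviceAccountEmail":
                       "render-sa@example-proj.iam.gserviceaccount.com"}},
    {"name": "projects/example-proj/locations/us-central1/functions/legacy",
     "serviceAccountEmail": "example-proj@appspot.gserviceaccount.com"},
    {"name": "projects/example-proj/locations/us-central1/functions/unset"},
])

if __name__ == "__main__":
    for f in audit_functions(SAMPLE_LISTING):
        print(f"{f['name']}: {f['serviceAccount']}")
```

Feed it real output with `gcloud functions list --format=json | python3 audit.py` (reading stdin instead of the embedded sample) and every finding is a function whose blast radius is the whole project's Editor role rather than the handful of permissions it actually needs.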
