Bro, if I use environment variables, once the attacker gets RCE, they will possibly access environment variables. So is it best practice?
@AppSecEngineer 12 days ago
It's very difficult to not use env-vars at all. The key is to ideally use env-vars sparingly. For example, you'll probably have to configure a secrets management solution to handle app secrets, but the secret to access the secrets management solution will probably need to be an env-var. However, this is still lower risk because one can secure the secrets management solution with access control, audit trails etc. Env-vars do have an inherent risk, but reducing the blast radius of the secret in the env-var is more important.
@AppSecEngineer 12 days ago
Besides, RCE will generally mean that the app env is completely compromised. Even if you had that secret in a config file, it would still be pwned.
@clouddevops267 26 days ago
Thanks for this video. Keep sharing your knowledge.
@AppSecEngineer 24 days ago
Thank you! We will!
@user-zm6ld2qq8p 27 days ago
Provide some resources to learn AI Security
@AppSecEngineer 24 days ago
Hey, you can learn with our AI & LLM Security Collection on AppSecEngineer: www.appsecengineer.com/ai-llm-security-collection
@NaveenSiddareddy 29 days ago
2 things: 1. It's going to be hard to pool all the attributes from various apps, and 2. Like you said, people will start asking for list/set operations on permissions data. Ideally it's outside the scope of the auth engine, but since it holds all relevant data, clients will ask!
@nishithalva4329 1 month ago
How about API-only applications, is there anything specific we have to do?
@AppSecEngineer 1 month ago
CSRF is typically not so much of an issue for API applications. CSRF happens because the browser submits cookies in the request, sometimes without the user's knowledge. In the case of APIs, CSRF can only happen when there's a misconfigured frontend or if the API leverages cookies (which is not typical).
@boppananaveeneee1366 2 months ago
When will the course start?
@AppSecEngineer 2 months ago
Hey, this course is already available for Free on our KZbin channel. Check out the link here: kzbin.info/www/bejne/b5Owon6Vh7alnrM
@mnageh-bo1mm 3 months ago
you have no clue
@Mr_Yeah 3 months ago
How does using the latest version of your dependencies lead to INsecurities, assuming that hackers didn't compromise the supply chain?
@AppSecEngineer 3 months ago
It's usually best to use the latest version of a software/library that's been tested and is known to be secure. Assuming there's an even more recent patch, it may be that that version has insecurities not yet discovered. As for what an attacker can do, they can release a package to the public registry with the same name but a higher version number, and that tricks the package manager into installing that version.
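As an added defensive example (not code from the video or the channel), the check below shows how a fully pinned, hash-verified requirement line defeats the scenario described in the reply: a same-named package with a higher version fails the version match, and a tampered build of the right version fails the hash match. The package name `examplelib`, its version, the artifact bytes and the resulting hash are all constructed for this example.

```python
import hashlib
import re
from typing import Tuple

# Constructed sample: one pinned requirement with a known-good sha256, in the
# shape a hash-pinned lockfile records it. Name, version and artifact are made up.
GOOD_ARTIFACT = b"examplelib-1.4.2 wheel contents (constructed for the example)"
GOOD_SHA256 = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
LOCKED_LINE = "examplelib==1.4.2 --hash=sha256:" + GOOD_SHA256

# Only an exact '==' pin with a sha256 hash is accepted; '>=' or a bare name is
# rejected because a resolver could then pick a newer same-named package.
_PINNED_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<sha>[0-9a-f]{64})$"
)


def parse_pinned(line: str) -> Tuple[str, str, str]:
    """Return (name, version, sha256) from a fully pinned requirement line."""
    match = _PINNED_RE.match(line.strip())
    if not match:
        raise ValueError("requirement is not fully pinned with a hash: " + line)
    return match["name"].lower(), match["version"], match["sha"]


def verify_candidate(lock_line: str, name: str, version: str, artifact: bytes) -> bool:
    """Accept a resolved candidate only if its name AND version equal the pin
    and its bytes hash to the recorded digest. A higher-versioned package with
    the same name fails the version check; a modified build fails the hash."""
    want_name, want_version, want_sha = parse_pinned(lock_line)
    if name.lower() != want_name or version != want_version:
        return False
    return hashlib.sha256(artifact).hexdigest() == want_sha


if __name__ == "__main__":
    # Legitimate pinned build passes; a same-named 9.9.9 substitute does not.
    print(verify_candidate(LOCKED_LINE, "examplelib", "1.4.2", GOOD_ARTIFACT))
    print(verify_candidate(LOCKED_LINE, "examplelib", "9.9.9", b"something else"))
```

The version check alone would not catch a malicious re-upload of the *same* version number, which is why the hash is part of the pin as well; the two checks together give the "known-good version" property the reply describes.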
@amitbhargav 3 months ago
Nice content! Consider reducing background music volume. A little distracting
@chloris2217 3 months ago
Promo-SM
@abdulo8963 3 months ago
Hi, this approach seems very interesting but different from what I have seen on KZbin. For example, you didn't mention any certification like Azure, AWS, etc. Can you please clarify this? Also, how long approximately does it take to complete the program on your platform? Thank you
@AppSecEngineer 3 months ago
Thanks for your question. It's a good one. I am not against certs, but I am not a huge fan of certs either. Specifically not a huge fan of certs that are largely MCQs and have no practical component to them (except Kubernetes). Our platform is a continuous learning platform, so there's no real "finishing it", but to get a decent competence in each cloud env I feel it can be done in 16 hours.
@PedanticAnswerSeeker 4 months ago
Hi Abhay! Fantastic video! This is great stuff. Could we also have videos on how one can deploy commonly used apps insecurely on cloud and how we can make them more secure? What I mean is going through the security life journey of an app deployed on cloud in different spaces like Lambda functions, App Runner, Amplify or even some of the new stuff like AWS CodeStar, and showing how a backend/frontend app that looks very secure can be easily exploited (as web apps are the most common thing now).
@AppSecEngineer 3 months ago
Sure, we have these labs anyway. Will take this into account
@shrawankatuwal9292 4 months ago
👍
@sanofamotivation 4 months ago
Could you please create a video on other grant types as well?
@AppSecEngineer 4 months ago
Hey, we'll surely do that.
@sivaramakrishnanmugunthan3693 4 months ago
I want to become a cloud security engineer, but I lack a degree or IT background. Would it be beneficial for me to first pursue a role in cybersecurity engineering as a way to become a cloud security engineer? I'd appreciate some guidance on the best path forward given my circumstances. Thank you for your help.
@AppSecEngineer 4 months ago
This is Abhay here. I am a commerce graduate and don't have an IT degree. What I suggest to anyone (regardless of degree) is that you need to learn how to build some apps (nothing major), understand programming and learn how to deploy these apps. Once you get 2 out of 3 of these things, you can easily start scaling your learning of cloud. You can do it!
@sivaramakrishnanmugunthan3693 4 months ago
@AppSecEngineer thank you for your guidance, sir.
@abdulo8963 3 months ago
@AppSecEngineer Hi Abhay, kindly explain what you meant by deploying apps. Thank you
@bilalgreen2338 5 months ago
Awesome video. Bro, how much preparing do you do for videos? Coding on the fly is sweet. Also, what plugins are you using to provide you that superb autocomplete?
@AppSecEngineer 5 months ago
Thank you 😊 The only prep I did for this video was approx 5 mins just before making the video. Just to identify what features I need to build and write security tests for. I use GitHub copilot and cursor for autocomplete in most cases
@bilalgreen2338 4 months ago
@AppSecEngineer Thank you, and that's impressive, but this ain't the first time I've seen you cook things up on the fly. What's a good way to chat with you more effectively?
@AppSecEngineer 4 months ago
Thanks 😊 LinkedIn or twitter messages are the easiest way to discuss with me. Please connect on LinkedIn and we can talk
@newuser2474 5 months ago
How is it different from other CSRF attacks?
@AppSecEngineer 5 months ago
It's not really different. The bigger thing to focus on here is how a Ruby on Rails app is rendered vulnerable to CSRF and how it can be secured.
@newuser2474 5 months ago
@AppSecEngineer got it 👌👍
@newuser2474 5 months ago
I love this guy
@AppSecEngineer 5 months ago
Thanks 😊 we think he’s pretty awesome as well
@shalinisharma8081 5 months ago
Is coding knowledge a prerequisite to become an expert cloud security architect?
@AppSecEngineer 5 months ago
Yes, I think being able to understand how systems work from the inside requires knowledge of code. The cloud itself is just a giant set of APIs, so your ability to navigate these APIs is a functional requirement and that requires you to understand code. You may not need to write code everyday or be a software engineer shipping (software) products everyday but you need to understand code, and you need to be able to understand how code is deployed and integrated with other services in the cloud
@bol1976 5 months ago
Is there a video showing how to publish results to Jira?
@AppSecEngineer 5 months ago
It's not there as a video, but you should probably check out their Jira plug-in to publish these results to Jira as another task: plugins.jenkins.io/jira/issues/
@santyk9211 5 months ago
Very informative
@AppSecEngineer 5 months ago
Thank you 😊
@Kavinnathcse 5 months ago
Great explanation. Expecting more videos around image security.
@AppSecEngineer 5 months ago
Sure. We’ll keep bringing them to you
@studytimewithjency 5 months ago
Girl! you are such an inspiration
@bikernation4098 5 months ago
Will they give certificates after completing?
@AppSecEngineer 5 months ago
Yes, they send digital certificates.
@ParasNarang. 5 months ago
Bro casually planting ideas in minds of hackers and thinking it's just a normal informative short.
@AppSecEngineer 5 months ago
😂
@saiaussie 5 months ago
Great content. Thanks! Here is a thing I don't get. Isn't the private certificate another kind of persistent credential? Whoever gets it gets access to the AWS resources, right? How is this more secure?
@RahulYadav-nk6wp 5 months ago
IPsec is a good example of using it both, in IKE-1 phase you have asymmetric keys, and in IKE-2 phase you use symmetric keys... Kinda like best of both worlds.
@AppSecEngineer 5 months ago
Yes, most key exchange based cryptographic implementation systems leverage multiple crypto concepts, ranging from asymmetric to symmetric to hashing and HMAC functions
@RahulYadav-nk6wp 5 months ago
We are using QUIC protocols in our zero trust architecture. And yes, there's no such thing as zero trust; every component has a trust list, kinda like ACLs but for components.
@AppSecEngineer 5 months ago
Precisely! Zero trust is low implicit trust. Explicitly defined through things like ACLs bound by strong identity params
@newuser2474 6 months ago
Nice video
@poojabarui0201 6 months ago
Is there any difference between cloud security architect and cloud security engineer?
@AppSecEngineer 6 months ago
Sure there is! Please check this video to learn about Cloud Security Architect - kzbin.info/www/bejne/oH3bZYlmo91qoqs
@AmmarAhmadKhanAfridi 6 months ago
Compare random inputs via brute forcing. You just need a good gpu and bam password stolen.
@foljs5858 6 months ago
Not if the password is any good -- which "suggest password" in Chrome, or various password length/content rules like "add numeric digits, make it bigger than X chars" etc. ensure. If the password has enough entropy and length (is not just "secret" or "john1998" or something stupid like that), it can't be brute forced if hashed with a good hash algorithm, as it would take millennia. And with hash + salt, you can't precompute the hashes of random inputs and check them against all the passwords you want to break; you need to recompute the hash and check all inputs for every individual password.
@AppSecEngineer 6 months ago
@foljs5858 true!
@grimsas 5 months ago
That's where pass the hash comes to help hackers out:)
@huapingguo4467 6 months ago
And they're really strong 🧐🤨🤨🤨🤨
@huapingguo4467 6 months ago
But in another video posted on KZbin by chad wild cay they said that they were wearing scold masks
@rahulsays 6 months ago
The best use case is HTTPS, where speed and integrity are achieved with both.
@AppSecEngineer 6 months ago
That's right. All crypto concepts like symmetric encryption (for data encryption), key exchange and encryption (with asymmetric encryption) and integrity verification with hashing are used with HTTPS.
@Kailash9069f 6 months ago
❤❤
@OscarPlaysBrookhavenRProblox 6 months ago
Does it ring a bell, Scattered Skull?
@desaishubham12 6 months ago
Explained in a simple way, good one.
@AppSecEngineer 6 months ago
Thanks!
@ram_bam 6 months ago
What do you think would be the best role to come up as if one is looking to be a cloud security architect? Cloud security analyst or cloud security engineer? Thank you, and Merry Christmas.
@AppSecEngineer 6 months ago
Thanks for your question. I think cloud security engineer would be a natural fit for this for progression towards cloud security architect
@tharas-merch-llc 6 months ago
Thanks. Great job. One piece of advice: slow down, add visual words. Do you need to be in the video? It's distracting. Maybe you should appear at the intro and at the end. Have visual information with words and designs related to the message. Great niche.❤
@AppSecEngineer 6 months ago
Will do. Thanks for the constructive suggestions 👍
@joannjones544 7 months ago
Thank you for sharing this information. However, we have to be careful what we share even when we're trying to protect our people... My Facebook account was hacked and I know what a mess that can lead to... They can actually act as if they were you and do all sorts of misrepresentation of behavior. They basically take over your identity, doing whatever they please. I now have Facebook back to a degree but I'm not trusting of it. All of this technology is wonderful, however... Sometimes it certainly seems the old way was better, less penetrable. If you want to cripple something, this is certainly the way you would start: you attack their bottom line... This certainly has a domino effect🥵 Perhaps a better way would be fingerprinting... That would be harder to duplicate... Voice wouldn't work because it's too easy to copy these days. Well, I'm sure all of the geniuses will figure it out🤔 Hopefully sooner than later😊 I am really so sorry that this has happened... And I pray that they can correct it.🙏❤
@iyiempire4667 7 months ago
I have an interest in cyber security, but somehow I got a job as a junior cloud engineer. The question is, I want to build my career in security. I have also done two internships of 6 months as a security analyst last year, and I have a total of 1 year of experience after my graduation in B.E. So is it helpful for my future to work in this field (junior cloud engineer), or should I leave this job after getting a job in the security field? I am really confused. Can you please help me? I will be thankful for your guidance.
@AppSecEngineer 6 months ago
Hey, thanks so much for leaving a comment here. In my opinion, cloud security is a very hot topic right now and is only likely to get more in-demand in the coming years. However, it’s not an entry level role by any means, and would require some years of experience in the role of, say, a cloud engineer. It might make sense for you to pursue the cloud engineer role for a few years with an emphasis on security. Eventually you could transition completely into a cloud security role. If you want some more clarity on AppSec and Cloud careers, here’s 2 free ebooks we have on our website: AppSec Career Guide - www.appsecengineer.com/e-books/e-book-a-beginners-guide-to-careers-in-appsec Cloud Security Career - www.appsecengineer.com/e-books/cloud-security-careers-a-beginners-guide
@haasinhussain-hd3gc 7 months ago
Bro explained it in clash of clans terms
@sandeepgharde7209 7 months ago
Do I need to have programming and coding knowledge to become an AppSec Engineer?
@AppSecEngineer 7 months ago
Hey, here's a KZbin short by Abhay Bhargav that answers your question. Link - kzbin.infog_ZWDXAYYeg We hope this helps!
@PranjaliPatil-ys5nt 7 months ago
Online class?
@padmaja3406 7 months ago
Please create a video on how to perform SAST testing using Fortify. Please create a video.
@AppSecEngineer 7 months ago
sure! we'll add that to our list!
@padmaja3406 4 months ago
Can you please upload the video bro pls
@padmaja3406 7 months ago
Can you please create a video on how to perform SAST testing?
@AppSecEngineer 6 months ago
Sure! Keep an eye out for our Live code sessions!
@padmaja3406 4 months ago
How can I get a link for a live session?
@AppSecEngineer 4 months ago
@padmaja3406 hey, you can follow us on Twitter and LinkedIn. We always post about our live events. Twitter - twitter.com/AppSecEngineer LinkedIn - www.linkedin.com/company/appsecengineer
@G0DL3V3L 8 months ago
Good one.
@veenusnishad2453 8 months ago
Really good information.
@fabiojourdan6519 8 months ago
Finally someone who definitely explained envelope encryption very clearly and did a REAL HANDS ON. GREAT!!!!!!!!!!!!!
@AppSecEngineer 8 months ago
Glad you enjoyed it. We’re all about hands on learning and not just theory 👍