Відео

thanks!

Thank you ☺️

It’s very difficult to not use env-vars itself. The key is to ideally use env-vars sparingly. For example, you’ll have to probably configure a secrets management solution to handle app secrets, but the secret to access the secrets management solution will probably need to be an env-var. however, this is still lower risk because one can secure the secrets management solution with access control, audit trails etc Env-vars do have an inherent risk, but reducing the blast radius of the secret in the env-var is more important

Besides, rce will generally mean that the app env is completely compromised. Even if you had that secret in a config file, it would still be pwned

Thank you! We will!

hey, you can learn with our AI & LLM Security Collection on AppSecEngineer : www.appsecengineer.com/ai-llm-security-collection

CSRF is typically not so much of an issue for api applications. Csrf happens because the browser submits cookies in the request sometimes without the user’s knowledge. In the case of apis Csrf can only happen when there’s a misconfigured frontend or if the api leverages cookies (which is not typical)

Hey, this course is already available for Free on our UA-cam channel. Check out the link here: ua-cam.com/video/9bMqK_RQrhQ/v-deo.html

It’s usually best to use the latest version of a software/library that’s been tested and is known to be secure. Assuming there’s an even more recent patch, it may be that that version has insecurities not yet discovered. As for what an attacker can do, they can release a software to the public registry with the same name but a higher version number, and that tricks the pkg manager to install that version.

Thanks for your question. It’s a good one. I am not against certs, but specifically I am not a huge fan of certs either. Specifically not a huge fan of certs that are largely MCQs and have no practical component to it (except Kubernetes) Our platform is a continuous learning platform. So there’s no real “finishing it” but to get a decent competence in each cloud env I feel it can be done in 16 hours

Sure, we have these labs anyway. Will take this into account

Hey, we'll surely do that.

This is Abhay here. I am a commerce graduate and don’t have an IT degree. What I suggest to anyone (regardless of degree) is that you need to learn how to build some apps (nothing major), understand programming and learn how to deploy these apps. Once you go 2 out of 3 of these things, you can easily start scaling your learning of cloud. You can do it!

@@AppSecEngineer thank you for your guidance, sir.

​@@AppSecEngineerHi Abhay, kindly explain what you meant by deploying apps. Thank you

Thank you 😊 The only prep I did for this video was approx 5 mins just before making the video. Just to identify what features I need to build and write security tests for. I use GitHub copilot and cursor for autocomplete in most cases

@@AppSecEngineer Thank you and that’s impressive but this ain’t the first time I’ve seen you cook things up on the fly. What’s a good way to chat with you more effectively?

Thanks 😊 LinkedIn or twitter messages are the easiest way to discuss with me. Please connect on LinkedIn and we can talk

It’s not really different. The bigger thing to focus on here is how a Ruby on Rails app is rendered vulnerable to csrf and how it can be secured

@@AppSecEngineer got it 👌👍

Thanks 😊 we think he’s pretty awesome as well

Yes, I think being able to understand how systems work from the inside requires knowledge of code. The cloud itself is just a giant set of APIs, so your ability to navigate these APIs is a functional requirement and that requires you to understand code. You may not need to write code everyday or be a software engineer shipping (software) products everyday but you need to understand code, and you need to be able to understand how code is deployed and integrated with other services in the cloud

It’s not there as a video, but you should probably check out their jira plug-in to publish these results to jira as another task plugins.jenkins.io/jira/issues/

Thank you 😊

Sure. We’ll keep bringing them to you

Yes they send digital certificates

😂

Yes, most key exchange based cryptographic implementation systems leverage multiple crypto concepts, ranging from asymmetric to symmetric to hashing and HMAC functions

Precisely! Zero trust is low implicit trust. Explicitly defined through things like ACLs bound by strong identity params

Sure there is! Please check this video to learn about Cloud Security Architect - ua-cam.com/video/jLx4V0nx7lI/v-deo.html

Not if the password is any good -- which "suggest password" in Chrome, or various password length/content rules like "add numeric digits, make it bigger than X chars" etc ensure. If the password has enough entropy and length (is not just "secret" or "john1998" or something stupid like that), it can't be brute forced if hashed with a good hash algorithm, as it would take millenia. And with hash + salt, you can't precompute the hashes of random inputs and check them against all the passwords you want to break, you need to recompute the hash and check all inputs for every individual password.

@@foljs5858 true!

That's where pass the hash comes to help hackers out:)

That’s right. All crypto concepts like symmetric (for data encryption), key exchange and encryption (with asymmetric encryption) and integrity verification with hashing is used with HTTPS

Thanks!

Thanks for your question. I think cloud security engineer would be a natural fit for this for progression towards cloud security architect

Will do. Thanks for the constructive suggestions 👍

Hey, thanks so much for leaving a comment here. In my opinion, cloud security is a very hot topic right now and is only likely to get more in-demand in the coming years. However, it’s not an entry level role by any means, and would require some years of experience in the role of, say, a cloud engineer. It might make sense for you to pursue the cloud engineer role for a few years with an emphasis on security. Eventually you could transition completely into a cloud security role. If you want some more clarity on AppSec and Cloud careers, here’s 2 free ebooks we have on our website: AppSec Career Guide - www.appsecengineer.com/e-books/e-book-a-beginners-guide-to-careers-in-appsec Cloud Security Career - www.appsecengineer.com/e-books/cloud-security-careers-a-beginners-guide

hey, here's a UA-cam shorts by Abhay Bhargav that answers your question. Link - ua-cam.com/users/shortsg_ZWDXAYYeg We hope this helps!