I think Google Pay from India doesn’t work. You can use a credit card or PayPal. Please write to us at help(@)appsecengineer(dot)com or the support widget on our website for any questions.
@shivansh57 Can you please share more details like which plan or certification you are trying to purchase. You can also email us at help@appsecengineer.com
Hey @supertren, this video was to show a quick demo of our AWS Security course and how to use Amazon Inspector for vulnerability assessment. If you want to learn more about fixing these issues, then you might want to take a look at our AWS Security Collection; we offer an extensive set of courses with hands-on labs and an AWS Cloudsandbox. Click here: www.appsecengineer.com/individuals/aws-security-collection
Thanks for sharing the video and appreciate your effort to build them. I would like to know about the diagram parsing area. Does the application consume the uploaded diagram and convert that into code to process further? If it's possible, could you suggest some resources to read about it?
I think your remediation steps are incomplete somehow. Suppose someone puts in all the blacklist items, but how are you going to hide the actual server IP here without using any proxy?
I have mentioned in the video that the remediation for SSRF, regardless of rigor, always has some potential for gaps. However, I didn’t understand the question here. What server IP should I be trying to hide?
So am I the only one who's concerned that I'm not getting calls about my automobile insurance for an automobile I do not own? So maybe Putin told them "you need to start working for me, remember I let you do whatever the hell you want in the entire world, except of course for us here in Russia." So what are they working on other than this scam?
It’s very difficult to not use env-vars at all. The key is to ideally use env-vars sparingly. For example, you’ll probably have to configure a secrets management solution to handle app secrets, but the secret to access the secrets management solution will probably need to be an env-var. However, this is still lower risk because one can secure the secrets management solution with access control, audit trails etc. Env-vars do have an inherent risk, but reducing the blast radius of the secret in the env-var is more important.
Two things: 1. It's going to be hard to pool all the attributes from various apps, and 2. like you said, people will start asking for some list/set operations on permissions data. Ideally it's outside the scope of the auth engine, but since it holds all relevant data, clients will ask!
CSRF is typically not so much of an issue for API applications. CSRF happens because the browser submits cookies in the request, sometimes without the user’s knowledge. In the case of APIs, CSRF can only happen when there’s a misconfigured frontend or if the API leverages cookies (which is not typical).
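To make the distinction in the reply above concrete, here is an added example (not code from the video or the AppSecEngineer platform) of a request-level check an API could run before handling a state-changing call. A request authenticated only by a bearer token is never CSRF-able, because the browser will not attach an `Authorization` header on an attacker's behalf; a request carrying a session cookie is, so for those the `Origin` (falling back to `Referer`) must match an allowlist. The trusted origin `https://app.example.com`, the cookie name `session` and the `Request` class are assumptions made for the example.

```python
"""Decide whether a state-changing API request is exposed to CSRF.

Constructed example: the Request type, the trusted origin and the cookie
name are assumptions, not taken from any real frontend.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TRUSTED_ORIGINS = {"https://app.example.com"}  # assumed frontend origin
SESSION_COOKIE = "session"                      # assumed cookie name


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def origin_of(url: str) -> str:
    """Reduce a Referer URL to scheme://host[:port] so it can be compared to an origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def csrf_verdict(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Only cookie-backed state changes need origin checks."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method, no state change"

    cookie_auth = SESSION_COOKIE in req.cookies
    bearer_auth = req.headers.get("Authorization", "").startswith("Bearer ")

    if bearer_auth and not cookie_auth:
        # The browser never adds Authorization on its own and a cross-site page
        # cannot read the token, so there is no ambient credential to ride on.
        return True, "bearer token auth, browser cannot forge it"

    if not cookie_auth:
        # Nothing the browser attaches automatically; authorization is decided elsewhere.
        return True, "no ambient credential"

    # Cookie-backed session on a state-changing request: the browser WILL attach
    # the cookie to a cross-site form post, so the request must prove its origin.
    origin = req.headers.get("Origin")
    if origin is None and "Referer" in req.headers:
        origin = origin_of(req.headers["Referer"])
    if origin is None:
        return False, "cookie auth without Origin/Referer"
    if origin not in TRUSTED_ORIGINS:
        return False, f"cookie auth from untrusted origin {origin}"
    return True, "cookie auth from trusted origin"


if __name__ == "__main__":
    forged = Request("POST", {"Origin": "https://evil.example"}, {"session": "abc"})
    print(csrf_verdict(forged))
```

The check runs before any business logic; rejected requests should get a 403 and a log line, since a cookie-authenticated POST with no `Origin` from a modern browser is itself a signal worth keeping.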
Hey, this course is already available for Free on our RU-vid channel. Check out the link here: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-9bMqK_RQrhQ.html
It’s usually best to use the latest version of a software/library that’s been tested and is known to be secure. Assuming there’s an even more recent patch, it may be that that version has insecurities not yet discovered. As for what an attacker can do, they can release a software package to the public registry with the same name but a higher version number, and that tricks the package manager into installing that version.
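The "same name, higher version" attack in the reply above is dependency confusion. The following added example (constructed here, not code from the video) simulates two resolvers over an in-memory internal index and a public index: a naive one that merges all indexes and takes the highest version, which is what a misconfigured extra-index setup does, and a scoped one that only ever takes internal package names from the internal index and honours exact pins. The package names, versions and the `99.0.0` squatted release are made up for the example.

```python
"""Dependency confusion: naive vs. scoped/pinned resolution over two indexes.

Constructed example. Index contents, package names and versions are invented.
"""

# Constructed indexes: an internal one with the real package and a public one
# where an attacker has published the same name with an absurdly high version.
INTERNAL_INDEX = {"acme-billing": ["1.4.2", "1.4.3"]}
PUBLIC_INDEX = {"acme-billing": ["99.0.0"], "requests": ["2.31.0", "2.32.3"]}
INDEXES = {"internal": INTERNAL_INDEX, "public": PUBLIC_INDEX}

PRIVATE_NAMES = {"acme-billing"}                       # names that must never come from public
PINS = {"acme-billing": "1.4.3", "requests": "2.31.0"}  # lockfile-style exact versions


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric dotted versions only; enough for the comparison being shown."""
    return tuple(int(part) for part in v.split("."))


def resolve_naive(name: str, indexes: dict) -> tuple[str, str]:
    """Merge every index and pick the highest version, wherever it comes from."""
    candidates = [
        (parse_version(v), v, source)
        for source, index in indexes.items()
        for v in index.get(name, [])
    ]
    if not candidates:
        raise LookupError(f"{name}: not found in any index")
    _, version, source = max(candidates)  # highest version wins, source is incidental
    return version, source


def resolve_scoped(name: str, indexes: dict, private_names: set, pins: dict) -> tuple[str, str]:
    """Hardened: private names only from 'internal', and only the pinned version is accepted."""
    allowed_sources = ["internal"] if name in private_names else ["internal", "public"]
    if name not in pins:
        raise LookupError(f"{name}: refusing to resolve an unpinned dependency")
    wanted = pins[name]
    for source in allowed_sources:
        if wanted in indexes[source].get(name, []):
            return wanted, source
    raise LookupError(f"{name}=={wanted}: not available from {allowed_sources}")


if __name__ == "__main__":
    print("naive:", resolve_naive("acme-billing", INDEXES))   # picks the squatted 99.0.0
    print("scoped:", resolve_scoped("acme-billing", INDEXES, PRIVATE_NAMES, PINS))
```

In real tooling the equivalent of `resolve_scoped` is a lockfile with exact versions (ideally with artifact hashes) plus a registry that proxies public packages and is the only index the build is allowed to talk to, so that a private name can never be satisfied from the public registry regardless of the version number an attacker publishes.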
Hi, this approach seems very interesting but different from what I have seen on RU-vid. For example, you didn't mention any certification like Azure, AWS, etc. Can you please clarify this? Also, how long approximately does it take to complete the program on your platform? Thank you
Thanks for your question. It’s a good one. I am not against certs, but specifically I am not a huge fan of certs either. Specifically, not a huge fan of certs that are largely MCQs and have no practical component to them (except Kubernetes). Our platform is a continuous learning platform, so there’s no real “finishing it”, but to get a decent competence in each cloud env I feel it can be done in 16 hours.
Hi Abhay! Fantastic video! This is great stuff. Could we also have videos on how one can deploy commonly used apps insecurely on cloud and how we can make them more secure? What I mean is going through the security life journey of an app deployed on cloud in different spaces like Lambda functions, App Runner, Amplify or even some of the new stuff like AWS CodeStar, and showing how a backend/frontend app that looks very secure can be easily exploited (as web apps are the most common thing now).
I want to become a cloud security engineer, but I lack a degree or IT background. Would it be beneficial for me to first pursue a role in cybersecurity engineering as a way to become a cloud security engineer? I'd appreciate some guidance on the best path forward given my circumstances. Thank you for your help.
This is Abhay here. I am a commerce graduate and don’t have an IT degree. What I suggest to anyone (regardless of degree) is that you need to learn how to build some apps (nothing major), understand programming and learn how to deploy these apps. Once you do 2 out of 3 of these things, you can easily start scaling your learning of cloud. You can do it!
Awesome video. Bro, how much preparation do you do for videos? Coding on the fly is sweet. Also, what plugins are you using to provide that superb autocomplete?
Thank you 😊 The only prep I did for this video was approx. 5 mins just before making the video, just to identify what features I need to build and write security tests for. I use GitHub Copilot and Cursor for autocomplete in most cases.
@AppSecEngineer Thank you, and that’s impressive, but this ain’t the first time I’ve seen you cook things up on the fly. What’s a good way to chat with you more effectively?
Yes, I think being able to understand how systems work from the inside requires knowledge of code. The cloud itself is just a giant set of APIs, so your ability to navigate these APIs is a functional requirement, and that requires you to understand code. You may not need to write code every day or be a software engineer shipping (software) products every day, but you need to understand code, and you need to be able to understand how code is deployed and integrated with other services in the cloud.
It’s not there as a video, but you should probably check out their Jira plugin to publish these results to Jira as another task: plugins.jenkins.io/jira/issues/
Great content. Thanks! Here is a thing I don't get. Isn't the private certificate another kind of persistent credential? Whoever gets it gets access to the AWS resources, right? How is this more secure?
IPsec is a good example of using both: in the IKE phase 1 you have asymmetric keys, and in the IKE phase 2 you use symmetric keys... Kinda like the best of both worlds.
Yes, most key-exchange-based cryptographic systems leverage multiple crypto concepts, ranging from asymmetric to symmetric to hashing and HMAC functions.
We are using QUIC protocols in our zero trust architecture. And yes, there's no such thing as zero trust; every component has a trust list, kinda like ACLs but for components.
Not if the password is any good, which "suggest password" in Chrome, or various password length/content rules like "add numeric digits, make it bigger than X chars" etc., ensure. If the password has enough entropy and length (is not just "secret" or "john1998" or something stupid like that), it can't be brute forced if hashed with a good hash algorithm, as it would take millennia. And with hash + salt, you can't precompute the hashes of random inputs and check them against all the passwords you want to break; you need to recompute the hash and check all inputs for every individual password.
That’s right. All the crypto concepts, like symmetric encryption (for data encryption), key exchange and encryption (with asymmetric encryption) and integrity verification with hashing, are used with HTTPS.