
NEWS & EVENTS

Stay Updated, Stay Smart!

New Client Win: AI Service Management Platform

It’s a big day! We’re so proud to announce that we’ve won a new client in the product service automation space! Our client is an AI-based service management platform that lets you build extremely intuitive chat and automated support software to bolster customer support for your business.
 
Their specialty is in providing AI-powered service desk and virtual assistant solutions spanning IT, HR, Sales, Customer Service and more.
 
We’re conducting a comprehensive security assessment on their completely cloud-native tech stack which heavily leverages Container and Kubernetes technology. Doing so will potentially uncover vulnerabilities that were previously putting customers’ personally identifiable information at risk of compromise. 
 
Working closely with their product engineering team, we’re aiming to close the gap between security and development in an effort to implement security in their automation pipelines.

Webinar : Fantastic Vulnerabilities and Where to Find Them - AppSec Edition

In today’s world of Web Applications and REST APIs, common vulnerabilities like SQL and Command Injection have been overtaken by newer, more esoteric variants. As a result, organizations have to deal with vulnerabilities like Server-Side Template Injection, Authentication and Authorization Bypasses with JSON Web Tokens, Cryptographic Flaws, and Server-Side Request Forgeries.

The best way that we’ve seen to work with these flaws is to have a ‘Purple Team’ approach. In this 90-minute training session, we will train you to defend against these attacks with an intrinsic understanding of how they work. We aim this approach at helping you understand attack patterns and defense mechanisms to thwart these flaws.

We’ve built state-of-the-art cyber ranges to give you a view from inside the vulnerable section of an application, to clearly understand the origination and the progression of an attack. We will subsequently move through this range to show you exactly how to defend an application against said attacks.

When : Apr 23, 2020

Time : 11 AM (ET) / 8 AM (PT)


Webinar : Attacking and Defending Kubernetes

We bring to you we45’s first webinar of 2020. This time, we’re kicking off with a topic that continues to create excitement and interest amongst product teams working on contemporary technology stacks – a purple-view snapshot of Kubernetes Security!

Press Release : we45 Announces the Release of Orchestron v5 with Advanced Correlation and OAugment

we45 announces the release of Orchestron v5, an application vulnerability correlation platform, with improved correlation capacity & OAugment framework. At the core of this update is Orchestron Risk Language (ORL), the extensive library of vulnerability data that is central to Orchestron’s advanced correlation capabilities.

Tools Showcase - ThreatPlaybook

When did it happen: Feb 27, 2019

What was it about: we45’s open source project, ThreatPlaybook, was showcased at OWASP Seasides, Goa. ThreatPlaybook is a unified DevSecOps Framework that allows you to go from iterative, collaborative Threat Modeling to Application Security Test Orchestration.

Where did it happen: OWASP Seasides 2019, Goa.

Attacking and Defending Containerized Apps and Serverless Tech

When did it happen: May 26-28, 2019

What was it about: Security continues to remain a key challenge that both Organizations and Security practitioners face with containerized and serverless deployments. This training has been created with the objective of understanding both offensive and defensive security for container orchestrated and serverless deployments.

Where did it happen: Global AppSec Tel Aviv 2019

DevSecOps Masterclass

When did it happen: May 26-28, 2019

What was it about: “A phased approach to continuous delivery is not only preferable, but it’s also infinitely more manageable”. This quote by Maurice Kherlakian refers to DevOps, a movement that has seeped into organizations across the globe, resulting in continuous delivery of apps. However, security remains a serious bottleneck for DevOps. Organizations struggle with including security in continuous delivery processes. This training was a comprehensive, focused and practical approach to implementing Security for your Continuous Delivery Pipeline, delivered at AppSec Tel Aviv.

Where did it happen:  Global AppSec Tel Aviv 2019

Attacking and Defending Containerized Apps and Serverless Tech

When did this happen: March 25-27, 2019

What was it about: This training was aimed at practitioners of emerging technologies like Containers, Kubernetes or Serverless. The training illustrated ways of attacking and defending containerised applications and Serverless tech.

Where did it happen: Shack 2019.

Container Security, Orchestration and Serverless Training

When did this happen: February 26-27, 2019

What was it about: This training was aimed at practitioners of emerging technologies like Containers, Kubernetes or Serverless. The training illustrated ways of attacking and defending containerised applications and serverless tech.

Where did it happen: DevSecCon Singapore, 2019

DevSecOps and AppSec Automation Masterclass

When was it: Aug 3-4, 2019

What was it about: This training was a comprehensive, focused and practical approach to implementing Security for your Continuous Delivery Pipeline, presented at Black Hat USA 2019. The training was backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work.

Where: Black Hat USA 2019

Attacking and Defending Containerized Apps and Serverless Tech

When did this happen: January 22-23, 2019

What was it about: This training was aimed at practitioners of emerging technologies like Containers, Kubernetes or Serverless. The training illustrated ways of attacking and defending containerised applications and serverless tech.

Where did it happen: AppSec Cali 2019, USA

Hands on DevSecOps and AppSec Automation Training

When did it happen: October 15 & 16, 2018

What was it: Two full days of intensive, hands-on learning that enabled attendees to incorporate robust and resilient application security practices within a continuous delivery pipeline.

Where did it happen: OWASP AppSecDay 2018, Melbourne Australia.

Unique ways to Hack into a Python Web Service

When was it: October 17, 2018

What was it about: Informative talk that aimed to provide a holistic perspective on finding and fixing some uncommon flaws in Python Web Applications.

Where: DJANGOCON 2018, San Diego.

Threat Model-as-Code: A Framework to go from Codified Threat Modeling to Automated Application Security Testing

When: October 22, 2018

What: Talk centred on the importance of Threat Modeling and how best to integrate it into the Software Development Life Cycle (SDLC).

Where: SANS Secure DevOps Summit & Training 2018, Denver. 

Container Security, Serverless and Orchestration Training

When did this happen: March 25-27, 2019

What was it about: This training was aimed at practitioners of emerging technologies like Containers, Kubernetes or Serverless. The training illustrated ways of attacking and defending containerised applications and Serverless tech.


Where did it happen: Shack 2019.

Threat Modeling-as-Code & Automation for DevSecOps wins

When: October 19, 2018


From the Speaker : Talk Overview

Threat Models, although critical for Product Security Engineering, are often relegated to the status of a Best Practice document that is good to have. I believe that Threat Models are playbooks of Product Security Engineering. The best way to do threat modeling is to integrate it into the Software Development Lifecycle (SDL). They should produce actionable outputs that can be acted upon by various teams within an organization.

To address this divide, I have developed ‘ThreatPlaybook’, an open source ‘Threat Modeling as Code’ framework that allows product teams to capture User Stories, Abuse Stories, Threat Models and Security Test Cases in YAML Files (like Ansible) and with the help of Test Automation Frameworks (in this case, Robot Framework). ‘ThreatPlaybook’ allows product engineering and penetration testing teams to not only capture Threat Models as code, but also trigger specific security test cases.

Where: AppSec Australia, Melbourne

Application Security Essentials Training

When Did This Happen: October 17 & 18, 2018

What Was Discussed: Two full days of intensive, hands-on learning to best equip attendees with platform and technology agnostic remediation strategies against application security vulnerabilities.

The course focused on core application security principles aimed at the engineering community such as developers, architects and quality assurance testers. 

 

Where: AppSecDay Melbourne, Australia.

Attacking and Defending Containerized Apps and Serverless Tech

When did it happen: October 29 & 30, 2018

What was it about: This training was aimed at practitioners of emerging technologies like Containers, Kubernetes or Serverless. The training illustrated ways of attacking and defending containerised applications and serverless tech.

Where was it: Code Blue 2018, Japan.

Hands-On DevSecOps and AppSec Automation Masterclass

When was it : October 29 & 30, 2018

What was it about : Two full days of intensive, hands-on learning that enabled attendees to incorporate robust and resilient application security practices within a continuous delivery pipeline.

Where did it happen : Code Blue 2018, Japan.

Container Security, Serverless and Orchestration Training

When did this happen: October 9-10, 2018

 
What was it about: This training was aimed at practitioners of emerging technologies like Containers, Kubernetes or Serverless. The training illustrated ways of attacking and defending containerised applications and serverless tech.

 
Where did it happen: OWASP AppSec USA, San Jose.

Threat Playbook - Black Hat USA 2018

When Did This Happen: August 8, 2018

 
What was it about:
The key benefits of ThreatPlaybook are:
* Codifying Threat Models for Iterative Threat Modeling 
* Using Threat Models and Security Test Cases to launch targeted application security automation that can be used in a CI/CD environment or by pen testers who want to automate several tasks in their “Pentest Pipeline”
* Auto-generating Process Flow Diagrams from Codified Threat Models
* Capturing Security Test Cases linked to Threat Modeling
* Generating reports correlating Threat Models to Vulnerabilities, Security Test Cases and so on.


The session was presented by Abhay Bhargav, CTO and Sharath Kumar, Lead Solutions Engineer at we45.