SERVERLESS SECURITY BEST PRACTICES


Episode Description

What We Discuss with Abhay Bhargav:

  • What is DevSecOps?
  • What is a good maturity in the DevSecOps space?
  • What’s a free tool to get started today for developers?
  • Starting with Threat Modelling as a beginner?
  • Doing Application Security (AppSec) at scale, what does that look like?
  • How does security change in a world of serverless?
  • Can there be too many functions in serverless?
  • And much more…


Ashish Rajan: [00:00:00] Welcome to Cloud Security Podcast. Today my guest is Abhay. He is the founder of we45. For people who may not have heard of we45, I’ve come across them quite a bit at training in Black Hat and OWASP AppSec Day. But I’m not going to spoil his introduction and I’m going to let Abhay introduce himself. Welcome, Abhay. Nice to have you here.

Abhay Bhargav: Nice to be here. Thank you so much for having me.

Ashish Rajan: So for people who don’t know of Abhay or we45, how would you introduce yourself and the organization?


Abhay Bhargav: So, yeah, I mean, we45 is a focused application security company. So we do a lot of application security.

We started off as purely an offensive application security house, but today we’ve kind of morphed that into multiple things. So one is, of course, we are one of the forerunners in DevSecOps. We created the world’s first DevSecOps program, which is very popular. And like you said, we’ve been at Black Hat and a lot of conferences and private things as well.

We also do a lot of cloud security, containers, Kubernetes, anything that [00:01:00] is slightly, I think, application security; you will see us do a lot of work, a lot of research, a lot of that. So that’s on the services side of the fence. We also have a training practice. In fact, all of this month, through May, through June, we are running full remote training.

You know, we’re running a roster of remote training sessions on Go security, AppSec, containers and so on. So you should check it out on our website. The other thing that we also do is a product. So we have a very, very interesting vulnerability correlation product called Orchestron, which helps you kind of handle and deduplicate vulnerabilities that come from different sources.

In DevSecOps of some sort, you will probably have vulnerability reports coming in from different places, like Checkmarx, or what have you. Right. So this kind of centralizes, correlates, aggregates all the tools and gives you a singular, unified perspective of all of those.


Ashish Rajan: Oh, right.

That’s interesting; maybe we should talk about that a bit more as we go into this. One of the first questions that I’ve been asking a lot of my guests, and my regular audience is already aware of this: what does cloud security mean for you?


Abhay Bhargav: So cloud security [00:02:00] is essentially, for me, something that an organization should try and achieve through a lot of things. One, of course, in terms of understanding where your responsibility starts and stops. That itself is something a lot of organizations and people don’t get about the cloud.

The second thing is, once you have achieved that, it is to try and automate some of this, because obviously the cloud is naturally oriented towards automation. If you’re not leveraging that, you’re missing out, and the cloud gives you, I think, a ton of services to be able to build security. So you should try and leverage all of those services that they give you to do your security.

They do a lot. So I think cloud security provides a great opportunity to be more secure, but it takes, you know, a little bit of time to get people to see that.


Ashish Rajan: Right, that’s a great answer. And I think we definitely need to get into the challenges as well. One of the challenges that I’m going to quickly segue into is that a lot of people talk about multi-cloud, and they have to deal with Azure.

It could be Google Cloud and other things as well. Do you see multi-cloud as a [00:03:00] thing coming up?


Abhay Bhargav: Yeah, I mean, I think that is definitely the case. There is definitely the presence of multi-cloud. I’ve seen this with large customers especially, so we deal with some very large customers, either in publishing, banking and so on.

They have essentially this presence of shadow cloud, which is also because, you know, of an aspect of shadow IT. So in the sense that one team might be very comfortable with AWS; they might decide to deploy on AWS. Another team may be much more comfortable with Azure. So recently, in fact, a very interesting story.

I was talking to this media house that has a very large presence across the globe, headquartered in Europe. Now, when I was talking to the team, we were given to understand that they are mainly an Azure shop. But then when we finished the call, we realized that they are 75% an AWS shop, and that was surprising to the people on the call itself, their own security team.

So it was like, oh, okay, this is kind of new. Yeah, let’s just regroup and figure out what we are doing in the first place. So yes, this is a thing. There’s definitely multi-cloud, but I see that most of the larger companies, and I also see the [00:04:00] trend of larger companies trying to centralize on one provider.

So, centralized, but there are instances where there is a lot of it.


Ashish Rajan: Right. Right. Okay. And to your point, I guess that adds another challenge for security. And then you have to find out on the phone call that, oh, there is this whole environment that they had no idea about.


Abhay Bhargav: Yes, yes, absolutely. No, that’s challenging, because they would really get annoyed, which is one thing that I keep talking about.

In our trainings, especially DevSecOps, you have to look at security as a part of the product engineering process, rather than a siloed, separate thing. Because if you look at it as a siloed, separate thing, there’s really no way you can get any kind of gains in whatever you’re trying to do with these products, with the product engineering thing.

So that is something we have to work towards as security people. Right.


Ashish Rajan: And this is an interesting segue into what DevSecOps means for people who are probably listening to this. I doubt people are hearing the term for the first time, but what is your definition of DevSecOps?


Abhay Bhargav: So my definition of DevSecOps [00:05:00] is really all about application delivery, right? So today we are in a position where the business wants applications to be delivered faster. And we have solved a lot of bottlenecks along the way in terms of application delivery. So we’ve gone to a simpler source management system through Git; we’re using continuous integration with whatever you use for continuous integration; with the cloud, deployments are more automated.

We’ve gone to frameworks that are simpler to deploy and release faster. The only thing that is blocking us in many ways is security. Right? And DevOps essentially came about where DevOps as code has started consuming everything else. So you have infrastructure as code; you’re writing, you know, pretty much policies as code.

They started their monitoring as code. So pretty much every dev has started to eat up all of these things. The only thing, or the few things, that still remain are security. So DevSecOps is really leaning into that and saying, look, let us do security as part of the continuous development [00:06:00] lifecycle, in the SDL itself, and do it continuously rather than doing it at a point in time where we could miss out and have a lot of security issues.


Ashish Rajan: Talking about dev cycles.

From your perspective, because dev is eating up into security, what does it look like from a maturity perspective? Like, what’s a good maturity, in your perspective, in that space?


Abhay Bhargav: One thing that I always suggest, if we want to look at it, is first of all to understand the culture of the engineering team that is taking it up.

So one thing that I’ve seen make DevSecOps projects work, rather than not work, is when they are looking more decentralized rather than centralized. Now, this idea of an extremely central DevSecOps implementation is possible, but it’s tougher to do in my opinion, because of different engineering teams. So let’s say a company is making 10 products, or 10 apps, and each app is being produced by a different team.

Now that team’s going to have their own cadence; they’re going to have their own processes of development, delivery, deployment itself. So the maturity, or the application [00:07:00] of DevSecOps, is different for different teams. So you might have to do different things in different teams. You might have to use different tools for different things.

So I would say the maturity really starts from the processes that you are able to integrate into these teams. So for instance, let’s say you’re able to do something as part of the sprint; that’s a measure of success for me. Let’s say you’re able to eliminate bugs right there in the developer’s IDE. That’s another measure of success.

Let’s say you’re able to eliminate bugs before, like, three processes before the bigger deployment of any sort. That’s a measure of success. So the earlier you’re able to catch most of your bugs, and start to identify them and fix them in the release, with a good amount of support from your product engineering team, and not, you know, making them do that themselves, is a huge mark of maturity as part of that.


Ooh, that’s

Ashish Rajan: an interesting one, because, to your point, I’m pretty sure a lot of people listening to this have probably never had an AppSec person in the company. And they want to start into that product security space and [00:08:00] want to know, where do we start? What would your advice be on that?

Like, this is assuming today, you know, a lot of companies have security awareness training. Of course, security awareness training is not really code review or secure code training; security awareness is, like, two different things. But I mean, that’s a whole different conversation. For people who are starting today and realize that they have that gap, or that gap in security,

what do you recommend as low hanging fruits that they can take off today, especially if they don’t have an AppSec person?


Abhay Bhargav: So whether you do or don’t have an AppSec person, there are certain things that you have to do regardless. An AppSec person is essentially, in my opinion, somebody who can guide that process a lot; the AppSec person should not have to bear the load of AppSec, where I come from.

So for me, it would largely be that the engineering team themselves have a good amount of working knowledge of security flaws. That is the first thing that I would think of: working knowledge of security flaws and their [00:09:00] defenses. You know, that’s something that would be very important as far as I’m concerned, especially for the stack that they are on. That extends to, if you have a separate ops team, people who are doing DevOps; that would extend to them as well, because working knowledge of security for all these teams, working knowledge of technical security for that product, would be very important.

And the second thing is doing things as early as possible. So if they have a working knowledge of security, they should look at optimizing their processes, just like they optimize for testing, for unit testing. So just like they optimize for every other aspect of the workflow, they should optimize security in their workflows.

So that’s really where I would start. And the good thing is you can do a lot of this for free today, in the sense that you don’t need to start off with buying a crap ton of tools. Right? You don’t need to. In fact, you can do this fairly on a $0 budget.


Ashish Rajan: So, like, if you were to go

to the point about teaching the devs about the, I guess, threats and how to defend against them, what’s a free tool in that space, I guess?


Abhay Bhargav: So, I mean, I would say start off with something [00:10:00] like the OWASP cheat sheets to get started. Look at the Web Security Testing Guide. Look at the tools from OWASP.

You can get started with them. Yes, obviously there are going to be limitations in terms of understanding, but today you’re seeing that a lot of people are releasing a lot of amazing content. So you should be able to get started with this, and then, you know, of course you can look at stuff from conferences.

There’s a lot of YouTube videos of conferences regarding this.


Ashish Rajan: So that would help them, I guess, build an understanding of how to look at security. And threat modeling is something that would help as well. Like, I guess any person should be able to do it; to your point, the AppSec person doesn’t even need to take the whole workload, but any security person in the company, or even a developer, I guess, should be able to learn about the basics of threat modeling and apply that to their product.


Abhay Bhargav: Yes, ideally. In fact, that’s one of the things I teach; we teach a course called Agile Threat Modeling. And in that course, we essentially talk about the fact that, look, threat modeling gives you a massive benefit when it comes to finding flaws even before they become flaws. [00:11:00] Right. So that’s where you should be.

That’s where you should try to be as much as you can. So let’s say I have this feature I’m building today. Let’s say this feature is for an online examination, to allow me as a student to take an exam. So very simply, if you think about it, one of the possibilities of abuse of this feature is that I, as a student, can also create my…

which is something you should not allow, which directly points to authorization, which directly points to, hey, you need to have permissions built into each and every action related to the examination scheme, and you should check for those permissions. So you see that threat modeling starts as a basic abuse case, which you can break down to saying, hey, pen testing team, please test for authorization cases in this release, because we have this feature being released.

Make sure you try and do that: direct object reference attacks, authorization bypass and so on. So you see that you’re actually adding context to your security program. Threat modeling is not rocket science. It’s basically just taking your application by its features, or by system, and then breaking that down.


Ashish Rajan: That’s really [00:12:00] sweet. And yeah, it’s a great explanation as well. I think, like, I wouldn’t consider myself an AppSec person, but I’ve done threat modeling for platforms as well as products. And I think the most fun part was to not be the security person in the exercise, and let others be the security people in the exercise and let them figure out ways, because they probably know the product better than you do.


Abhay Bhargav: For instance, we were doing threat modeling for a large insurance company. So when we do pen tests, we do a lot of that. So once we were doing a threat model and we were talking about, okay, you can do this injection. This was way before, when I was much more offensive-focused. So we were doing what we call the tech threat model.

So we were not involving business folks. We were not involving the business analysts, the business folks. So the CFO wanted to sit in on the threat modeling meeting, which was interesting. And I was like, why does a CFO want to sit in on this? And then when we actually got to threat modeling and we discussed all these different injections, this CFO said, you know what?

This is all great, but you may have forgotten one thing. One of the things that we consider extremely critical for this application is the formula [00:13:00] that we use to calculate some actuarial information about this insurance policy, or these insurance plans. If that formula gets leaked, we have a huge problem. How have you addressed that threat?

And we realized that we hadn’t at all. And that was a huge eye-opening experience personally for me, because I was like, oh, okay. So yeah, maybe we should get business folks involved, because they know the business risk, and ultimately business risk is security risk. So.


Ashish Rajan: Yeah, you’re right. That’s because otherwise, I mean, we can assume technical risks, but at the end of the day, if it doesn’t map to a business risk, then it’s probably a low degree; you should ignore it anyway. Yeah. And I think, to your point about, I guess, doing this at scale: we spoke about people who are at the beginning of that AppSec journey; what about doing AppSec at scale?

Like, and I think you kind of mentioned being on the cutting edge earlier; we can touch upon serverless a bit as well. My assumption, I guess, of just being at that other edge, or cutting edge, for lack of a better word, where code has become, like, you don’t have everybody looking at the code, which is driving everything.

And AppSec has kind of, like, that’s my assumption of AppSec at scale. Like, what does AppSec at scale mean [00:14:00] for you in the cloud?


Abhay Bhargav: Yeah, that’s a good question, actually. So AppSec at scale for me is, first of all, again, there’s a little bit of a maturity cycle. It’s a little bit of an evolution. It’s not really one big thing.

So for me, it would be first, of course, starting to do the hygiene. Right. Especially, let’s say you’re doing static code analysis, let’s say open source, proper, some vulnerability scanning; doing the hygiene stuff well, as part of the security activities you address in the SDL, is the first stage of scaling it.

The second stage of scaling it, I would say, is to look at constantly repeating patterns, right? Look at whether you can eliminate whole classes of flaws. For instance, let’s say you’re constantly seeing this pattern of injection. Injection is a very overused flaw, and I’m going to use it nevertheless, because people understand it also very well.

So let’s take SQL injection. Now let’s say you’re constantly seeing a pattern of SQL injection, so that points to two or three things. One, well, of course, developer awareness. It also points to the fact that, hey, let’s say we started using a new ORM library; all of these patterns just got eliminated. This entire massive thing,

what used to be a [00:15:00] huge injection problem, it’s just gone. Well, let’s say you have cross-site scripting as an issue. Let’s say you can eliminate all the classes of cross-site scripting flaws by doing a good job of either output escaping, CSP, or using frameworks that do auto escaping. That is again a huge class of flaws eliminated.

So you should look at doing that over time and start to build that, basically. And of course, the idea is that over time you should only incrementally see very specific classes of flaws. So over time, I eliminate the possibility, and even then you should get to, hey, can this business logic feature be abused?

That is where you should be getting. So that’s really scaling it for me.


Ashish Rajan: Oh, right. Okay. So it’s sort of more in terms of, like, you have so many tools, but it’s more like how big a risk you’re solving, how quickly you’re solving that.


Abhay Bhargav: That’s the right way to put it. It’s the speed. It’s the risk. And of course it is the elimination of said risk in a meaningful way.

Right. So that’s really what you’ve done. Elimination, or at least bringing down the…


Ashish Rajan: But it’s right. And how does this transfer to, say, [00:16:00] people who are, I guess, companies, I’m thinking of an example, like a website; I think they claim that they are completely on serverless. Everything that they do is serverless.

I’m sure there are other organizations like that as well, and this is even better. So if you guys are serverless as well, what does security look like for you then? Like, where do you guys focus from a security perspective? Serverless obviously means you guys are on cloud as well. Then how does security change in a serverless world?


Abhay Bhargav: That’s an interesting question, because serverless has kind of taken the world by storm. If you’re looking at some of the facts you’ve seen with serverless, it started off as this niche thing that, hey, you know what, only some hobbyists are doing, to now becoming, hey, it’s running a large hardware store in the US, and stuff like that.

So, you know, different companies. So for me, actually, serverless has been a big security plus in a lot of ways. One, the idea of serverless itself is that you don’t need to manage the infrastructure per se. You’re not running it on a server. I mean, of course you have cloud providers running it on a server, but that’s not the problem.

You’re not really responsible [00:17:00] for managing some of the infrastructure, right? That itself is a pretty big win as far as I’m concerned. And look, let’s say in a small team, you’re always going to be strapped for resources. You’re not going to be able to recruit massive numbers of sysadmins or DevOps folks to be able to sit and do all of this re-engineering work.

So for me, the adoption of serverless was initially that I don’t have to sit on it. Second, in serverless, you are able to get very granular with your control definition. So let’s say you have a function that does… Okay, let’s take a function. So everything is broken down to the function as the service. So you have functions.

One function just takes input from a user and adds that user information to the database; it’s simple. Now, what you can do, and what serverless gives you the opportunity to do from a security perspective, is model at that granular level. So you can threat model that one function, rather than threat modeling a whole system.

That’s the first benefit. Second, you can restrict privileges based on that one function. So if the function needs to just be able to create records in the database, you don’t need to give it delete privileges. You don’t even need to give it [00:18:00] read access of any sort. You just need to give it create privileges and that’s it.

So the ability to go very granular from a security perspective is very heightened in serverless. Other people don’t do it that way. A lot of people just willingly give it all permissions and they just go ahead. But I’m saying that when you understand serverless, there are some specific benefits that it has, but there are some downsides as well.

One downside is, if you are not disciplined in your product delivery in a server-like environment, a typical server-like environment, serverless is not… Let me put it this way. Let me put it in a slightly easier to understand way. Let’s say you’re not doing logging and monitoring.

Let’s say you aren’t doing a good job of logging, especially security logging, in a server-like environment. Serverless is going to kill you, because there is no access to a box to check out what’s happening. So you need to rely on logs. You need to rely on the audit events working, right. And that needs to produce some kind of output.

So, if you have not had discipline before, this is only going to amplify your lack of discipline. So that’s one thing I’ve seen with serverless. I’ve launched serverless apps, I’ve breached serverless apps. So I know that [00:19:00] doing this traceability, observability in serverless is a huge challenge. And of course there are companies that are solving this challenge.

There are technologies that help you solve this challenge, but if you’re not disciplined, then you’re not going to be able to do this. The second thing with serverless is that an attack, especially certain types, certain classes of attacks like FinOps attacks, in serverless can literally bankrupt you. It’s really straightforward.

So for instance, there’s a whole class of regular expression denial of service attacks. Now, when you are running a denial of service on a server, yes, it’s one thing. It just brings down the server. But in serverless, every time you have a denial of service attack, you are spending money. So let’s say I can scale a denial of service attack on a serverless function, on a serverless app.

You’re spending money to run their denial of service. So, in fact, I demonstrated this at AppSec last year when I was talking about serverless security. There was one request that I ran: the entire app would be about $5 a month if you ran it normally, but let’s say there’s another vulnerability in one of those apps; the [00:20:00] same app would cost you a hundred thousand bucks.

So same thing. So that was interesting.


Ashish Rajan: Yeah. Wow. That’s insane, man. The same $5 app just spiking up to a hundred thousand. And I think it just kind of goes into how finance also has to work closely with you if you’re in the cloud space. The cost spike that you get, you can’t wait for the end of the month to figure out that, oh, suddenly my bill is high.

I wonder what happened three weeks ago? That’s too late by then already. I think it’s really interesting that you mentioned that. It’s really interesting to hear about the change of security from a serverless perspective. Do you find that, because there is no server, for lack of a better word,

does that mean it forces everyone to be security-focused, and I guess app security is going to become even more important? Are things like software composition analysis and the like still relevant in the serverless space, and static code analysis?


Abhay Bhargav: Yeah, it’s still the same app, in the sense that it’s not this one big monolithic app.

You’re just dealing with a bunch of functions that would otherwise make up the app. So yes, you [00:21:00] still find that static analysis, or whatever that analysis is, is still going to be equally important. So composition analysis is going to be equally important with serverless. Composition analysis becomes a little bit more important, because in serverless you also have the possibility of

layers and stuff like that. So in fact, let’s say you want to use a particular library all the time; you can install it as a layer. And that layer kind of runs as an add-on kind of a thing to that serverless stack. And if the layer is vulnerable, you can see that the attacker can leverage that layer as well.

So it still applies. Good things about AppSec still apply; bad things also still look like the same attacks, except that there are certain cases in which the effect or the impact of that attack is either more amplified or less, depending on the


Ashish Rajan: Right. Right. Okay. And is there a thing, I read this somewhere,

is there a thing called too many functions? Is too many functions a thing, because you can have too many microservices; everything is a microservice, then you have this microservice overload. Is that the same challenge with serverless [00:22:00] as well?


Abhay Bhargav: Not that I have come across, at least, but yes.

I mean, I can see that becoming a bit of a problem for some folks, for some kind of use cases. See, with serverless, you have to understand, again, it’s broken down at the function. So the way you build out these functions becomes very important. I don’t think it’s a question of too many functions.

In fact, I would say that it’s much easier to manage large function applications with serverless than if you run with something like microservices, where you’re dealing with a lot of data being exchanged over multiple channels, which becomes a bit of a challenge. But with serverless, especially if you’re doing it on a mature cloud provider like AWS or Azure, you’re dealing with a good amount of services that can help you manage this problem, rather than standard microservices.


Ashish Rajan: All right. And I think, to your point, another layer to that is also that cloud services would always keep updating the language versions as well. They will stop supporting the older language versions, which forces you to upgrade your code as well, which is another security problem sorted, I guess.


Abhay Bhargav: Yeah. I mean, one thing that all of these people are very concerned about, and I think they’re doing a good [00:23:00] job of, is that they secure, especially the cloud providers.

Again, I think all cloud providers, the three big ones, are treating security as a first-class citizen. You know, they’re not treating security as, okay, this is a nice to have, but maybe we should have it. They realize that security is a major hindrance in the way they sell and market their solution.

So if they make it easier to market and sell their solution, security has to be great. So I think they realize that and they’re doing so. For instance, last year when Capital One happened, AWS pretty much very quickly was able to respond with the EC2 IMDSv2 solution, where the metadata is not directly exposed.

So that is, I think, these folks are taking stock of that. And that’s a very real problem.


Ashish Rajan: Sounds good. And I think it’s a good way to move into our next section, which is called MythBusters. What’s the most common cloud security, or maybe in this context let’s just go app security,

what’s the most common app security myth or misconception you’ve heard in the cloud?

Abhay Bhargav: Yeah. So in the cloud, the first, I think the first [00:24:00] misconception is that, hey, once you host on the cloud, it’s secure;

once you host on the cloud, it’s their problem. Again, not by a long shot.


Ashish Rajan: Again. So yeah. Security in the cloud, though?


Abhay Bhargav: Again, for security in the cloud, I would take the same set of misconceptions, in the sense of: hey, once you load that up on the cloud, it’s more secure. Let’s say you’ve got an app; it is still your app and your code, and if you’ve written all kinds of insecure code, then, you know, it’s going to come and bite you.

So I would say it’s an extension of the same misconception.

Ashish Rajan: Perfect, perfect answer. And what are people not talking enough about, in say the cloud security or app security space, that you feel people should talk more about?


Abhay Bharghava: defense defense. That would be, yeah. So let’s put it this way, right? That is, that is an 18 progression testing, which has its place. 


Of course, that has always been the glamorous side of the security profession. Then of course there is the other side, which is incident response. That is your post-event investigation, et cetera, et cetera, which also has its place. I’m not denying that, but I’m saying that there’s this huge section in the [00:25:00] middle, which is essentially a lot of boring defense, or at least what is otherwise considered boring, but things that need to be done as a regular process, that seem to not be spoken of so much or not given that much attention. 


Ah, this is something we were supposed to do anyway, is one perspective, but that’s not really solved. A lot of us don’t do it right. That’s what we’ve seen. So there needs to be a lot more focus given to proactive defense, proactive threat modeling. Threat modeling, of course, I’ve also found, is a part of proactive defense, and I think that’s very important to talk about. 


That’s not nearly as discussed as, let’s say, the latest thing that is, you know, gaining a lot of traction in terms of exploitation, or somebody being compromised. 


Ashish Rajan: Yeah. I’m glad that at least you and I spoke about this when you mentioned AWS responded quite well to the Capital One issue earlier. 


So I’m glad we at least covered that part, that defense can be really good as well sometimes. Yeah, absolutely. So I’ve got another section that I’ve added recently. It’s all about COVID-19 and how it’s affecting people. I’m assuming you guys are in lockdown as well, like [00:26:00] the rest of the world, and working from home. 


How has this changed, I guess, your approach to security? 


Abhay Bhargav: So we have always been, I would say, a more remote-friendly organization, in the sense that people work from home all the time. And I myself am traveling a lot. So I’m working generally from wherever, home, hotel, pretty much all the time. 


I think certain things, certain decisions that we’ve made early on, this one, you know, Bernie glam and Bernie 12, when we were a very young company, have started to show a lot of value. So when we started building a lot of our apps, a lot of our stuff was centrally hosted, that’s on the cloud. 


We don’t ever rely on hosting our own stuff on our own laptops, or even keeping data on our own laptops. So that’s one thing. The second thing that we see a lot of is, of course, when people work, we again work with a lot of standardized technologies that are, again, cloud hosted. So we leverage a lot of hosted services, again, well-known hosted services. 


So we leveraged a [00:27:00] lot of these services to ensure we don’t really have an availability issue at any given point in time, and also to address other security challenges. So we were always that way. So this luckily has not seen us suddenly change our entire way of working. I’m sure some organizations have had to literally abandon all past controls or security controls. 


You’d have to be able to set up, you know, VPNs and stuff like that for people. We have always been a little more like, hey, you know what, we need this to work from anywhere, because all of us are traveling, all of us, you know, want the freedom to be able to work from anywhere. So now that’s kind of been our go-to thing. 


We are actually doing a lot more work now in zero trust, both from a client perspective as well as our own perspective. So we are kind of one of those eat-your-own-dog-food companies. So we kind of build stuff ourselves that we use ourselves. 


Ashish Rajan: Oh, sweet. That’s pretty good. 


I think it sounds like zero trust should be another topic as well, but I’m going to switch to our last section, which is a fun section. It’s going to be non-technical. So I’ve got a bunch of questions. Here are three [00:28:00] questions, not too many. First one being, how do you spend, or where do you spend, most of your time when you’re not working? 


Abhay Bhargav: Right now it’s with my daughter. So most of my time is spent, you know, hanging out with her, taking her to a park, which is here. Of course, keeping her engaged during lockdown. 


Ashish Rajan: Yeah. 


Abhay Bhargav: Yeah, it is. She’s still, she’s extremely active. She wants to explore the world. But you know what, it’s hard to keep saying that. And you can’t explain to her that there’s something called social distancing, self-isolation and all of that stuff. So that’s definitely something that’s very important. 


I like cooking a lot. Cooking has always been something that I 


Ashish Rajan: haven’t. Right. It’s funny because I’ve got a question on that as well. So we’ll get to it when we get to that one. What is something that you’re proud of, but it’s not on your social media? 


Abhay Bhargav: I think the team. I think we’ve built something very enduring at we45. Especially the team that’s behind all of the stuff we do, which is our entire team, really. I think all of us realize different ebbs and flows when things happen, especially now with COVID. 


I [00:29:00] really thought there would be some cracks, but I’ve been pleasantly surprised with the team that has really stepped up and done some amazing things. They continue to do some amazing things. So yeah, that’s something. But that’s not on social media perhaps, but yeah, 


Ashish Rajan: that’s a great answer, man. 


Final question. What’s your favorite cuisine or restaurant that you can share now? You mentioned cooking. So I’m assuming it’s probably your own cooking, your own favorite food? 


Abhay Bhargav: Yeah, I mean, it’s all the more satisfying when you make something. So even though it may not taste optimal, you literally have the most. I’m vegetarian and I’m mostly vegan for the most part, but for me the options for that are extremely limited. 


So I always like Indian cuisine, but I really like Italian cuisine, if I can get creative. Lebanese cuisine has always been something, falafels and stuff. Yeah, falafel, hummus. I have a couple of friends in Melbourne. They took me to this Lebanese place. I mean, I’m not sure if it was Lebanese or generally Middle Eastern, at least. 


And when they served some hummus and falafel, that was really good. But I don’t remember. Oh, 


Ashish Rajan: maybe you can send me a message later, because being in Melbourne, I probably should explore that. Well, after lockdown. I don’t know if it’s even [00:30:00] open right now, I guess. Probably not yet. Yeah. But dude, this was really awesome, man. 


That’s pretty much what we had the time for. Thank you so much for taking the time. 


Abhay Bhargav: Hey, it was great. Thanks. Yeah. I mean, I’d really like chatting as well, questions with the next. 


Ashish Rajan: Oh, awesome. And for anyone who’s listening in and wants to reach out, where can they find you on social media? What’s your handle? 


Abhay Bhargav: So it’s @abhaybhargav on Twitter. Of course, on LinkedIn I’m there as well. So @abhaybhargav on Twitter is probably the easiest; that’s something that I’m most addicted to. So that’s something people can reach out to me on. we45 is the company handle. So if you’re interested in sort of the company and want to see what they’re doing, check out we45 on Twitter. 


Ashish Rajan: And in the show notes. There’s lots of people that can reach out that way, but thank you so much for your time, man. Really appreciate that. Thanks for coming on. 


Abhay Bhargav: Thanks so much. Have a good time. Thank you.