👋 Hi, I’m @hariohm
👀 I’m interested in penetration testing, threat hunting, and red teaming.
🌱 I’m currently learning bug bounty techniques and advanced security research.
💼 My expertise includes web app security, subdomain enumeration, vulnerability scanning, and manual exploitation.
🔧 Tools I use: Burp Suite, Nessus, OWASP Zap, Nuclei, httpx, ffuf, WPScan, Shodan, Retire.js, and more.
📊 I also work with Wappalyzer, SecLists, PayloadsAllTheThings, and build Nuclei dashboards for vulnerability tracking.
📫 How to reach me: [email protected] or via LinkedIn

My DevSecOps & Product Security Journey 🚀

As I started learning DevSecOps through various tutorials and blogs, I realized that a strong understanding of AWS is essential. You don't need to handle all DevOps tasks as a DevSecOps engineer, but you must understand how things work—just like visiting a restaurant and knowing how to cook your own dish.

1️⃣ AWS Security: Shared Responsibility Model & Hardening In most organizations, teams primarily use 15 to 20 AWS services, and security follows the shared responsibility model. Our focus is on securing AWS from our side, covering areas such as:

✅ CSPM Tools: Auditing AWS configurations (e.g., ScoutSuite, Prowler, AWS Security Hub). ✅ EC2 Hardening: Regular security updates, closing unnecessary ports, disabling root login. ✅ Network Security: Configuring VPC, Security Groups, NACLs, WAF, Shield. ✅ AWS Monitoring: CloudTrail, CloudWatch, GuardDuty, Security Hub for log analysis & anomaly detection. ✅ Least Privilege Access: IAM security, role-based access control, and zero trust principles.

By implementing these, AWS resource security is covered 100%.

2️⃣ DevSecOps: Security from Code to Deployment Security starts at the source code level, ensuring vulnerabilities are identified before production.

🔹 SCM Security (GitHub/GitLab/Bitbucket):

SAST (Static Application Security Testing) → SonarQube, Semgrep, Trivy, Snyk, OWASP Dependency-Check SCA (Software Composition Analysis) → Identify insecure open-source dependencies DAST (Dynamic Analysis Security Testing) → Burp Suite, OWASP ZAP, Nessus Container Scanning → Trivy, Aqua, Anchore Infrastructure Scanning → Terraform IaC Security (Checkov, tfsec) 💡 Question: Why should a security engineer learn SAST if it’s a developer’s job? ✔️ While DevOps can configure security tools, DevSecOps engineers ensure security rules are correctly enforced and help prioritize vulnerabilities.

3️⃣ Why Security Engineers Need Cloud, Containers & DevOps Knowledge? To configure security in pipelines, a basic understanding of DevOps, AWS, and containerization is required.

Code to Container Process: Developer pushes code to GitHub/GitLab GitLab CI/CD pipeline triggers security scans If tests pass, the image is built & pushed to a registry The image is deployed to the cloud (AWS, Kubernetes, etc.) Thus, a DevSecOps engineer must understand: ✔️ How code moves from GitHub to production ✔️ How AWS services interact in a DevOps pipeline ✔️ How to secure cloud workloads, containers, and APIs

4️⃣ Product Security & Application Security 🔹 What is Application Security (AppSec)? It focuses on securing software from development to deployment:

Secure coding practices (OWASP Top 10) Threat modeling Code review & secure SDLC Secure authentication & authorization (OAuth, JWT) 🔹 What is Product Security? Product Security goes beyond AppSec by ensuring end-to-end security of the product.

Web & API Security (DAST, API Pentesting) Mobile App Security (Android, iOS, OWASP MAS) Threat Modeling Secure software development lifecycle (SDLC) integration Incident Response & Security Posture Management 💡 My Weakness: I struggle with writing YAML from scratch, but I can modify existing files. This is an area I want to improve.

5️⃣ My Understanding So Far in DevSecOps & Product Security ✅ AWS Security & CSPM Tools (Security Hub, GuardDuty, IAM hardening) ✅ SCM Security & CI/CD Integration (SAST, DAST, SCA) ✅ Container & Infrastructure Security (Trivy, Checkov, Terraform Security) ✅ API Security & Web App Security ✅ Threat Modeling & Zero Trust Implementation 🟡 Needs Improvement: Writing YAML & Kubernetes security

💡 SAST vs. DAST: ✔️ SAST is mostly handled by developers, and security engineers only review rules & prioritization. ✔️ DAST is an area where security engineers actively test for vulnerabilities.

Conclusion 🔹 I have covered DevSecOps, AWS Security, and Product Security in depth. 🔹 I understand infrastructure, CI/CD security, and application security. 🔹 My focus now is improving API Security, Threat Modeling, and YAML writing.

💬 What else should I learn to improve as a DevSecOps or Product Security Engineer?