Claim OwnershipRelating to DevSecOps
Subscribed: 18Played: 184
Subscribe
© 2024 Relating to DevSecOps
Description
A Podcast dedicated to forging iron clad relationships between developers, engineers, operations, and security practitioners by discussing hot topics in the world of DevSecOps. This podcast aims to air out some of the common gripes, misconceptions, and hardships that these teams face in the real world every day.
70 Episodes
Reverse
In this episode Mike and Ken dive into the wild world of SaaS products in DevSecOps. From vendors to security tooling hygiene they cover an often overlooked ecosystem of cloud and software services that may be rotting in the sky of your workloads. Join up for a listen on SaaS Security!
With pep and full youtube energy Ken and Mike discuss the findings of the IBM "Cost of a Data Breach" report and its implications for DevSecOps. They highlight the importance of integrating security into every phase of the software development life cycle and the positive impact it can have on reducing the cost of a data breach.
Ken and Mike discuss their new year's resolutions related to application security. They also reflect on the impact of AI and its adoption in the industry. The hosts share their experiences attending conferences and highlight interesting talks on topics such as zero-day vulnerabilities and fuzzing LLM models. They discuss the OWASP LLM Top 10 and the evolving perception of AI in the industry. The conversation concludes with a discussion on the definition of DevSecOps and how it has evolved over time, as well as their predictions for DevSecOps in 2024.
We are joined by incredible guests Mikhail Chechik and Marcus Hallberg as they help us define DevSecOps and emphasize the importance of a security mindset throughout the development process. These two incredible folks explore common misconceptions about shifting left and discuss the challenges of triaging and validating vulnerabilities early in the development lifecycle. We enter in the wild world of this wonderful shifting buzzword and how it applies to incident response, design, people, and the general development process.
On this episode of R2DSO Mike and Ken dive into their takeaways and experiences from LASCON 2023 in Austin, TX where AI was both a problem child and praised bringer of salvation in security. Vendors and companies alike are embracing AI with wide eyes and there was no shortage of talks, presentations, and hallway conversations about the topic. Beyond that security is fast accepting that they can't be the department of "No" a consistent theme here on the podcast. The team had a fantastic time at LASCON and we're happy to see where the industry is going!
In this episode Ken and Mike dive directly into the meat with solutioning and mitigation. All too often security professionals finding themselves falling into the trap of focusing on vulnerability counts, evangelizing findings, and playing the age old game of red, yellow, green. We jump straight into the why of this focus in the industry and offer some ideas on how to get out of it successfully. If you're interested in a conversation about solving problems rather than just identifying them, hop on in!
In today's episode, we untangle the web of alphabet-soup technologies: CSPM, VM, SIEM, and Log Aggregators. We go beyond the buzzwords to give you a no-nonsense look at how these tools fit together, complement each other, or might even replace one another in specific use-cases. Selecting the right tool can be overwhelming, and we're here to guide you through the when, where, and how of leveraging these technologies effectively. Whether you're encountering overlapping features or unique challenges, we'll help you make a savvy, informed choice for your workloads. Tune in for a practical guide to navigating the complex landscape of cybersecurity tools.
Dive headfirst into AppSec and Terraform security with Ken and Mike in this electrifying podcast episode. They demystify complex security concepts, offer golden nuggets on Cybersecurity programs as a DevSecOps concept, and provide a rare glimpse into the high-octane training sessions they're delivering at BlackHat, Defcon, and Lascon. This episode is a view into building resilient security programs, tackling compliance challenges, and comparing bug bounty programs and pentests. Brimming with empathy and passion, it’s a captivating blend of strategic insights and practical advice for navigating modern cybersecurity landscapes. Tune in, soak up the armchair hot takes!
Ken and Mike dive into the exciting world of modern application and cloud security, with a keen focus on the challenges posed by legacy systems. They explore the hurdles faced when dealing with older applications written in stalwart languages like Java, .NET, Rails, and Python, and shed light on the complexities of addressing security issues in these systems. Join them as they discuss everything from slow performance and resistance to change to the intricate nature of large monolithic applications.In addition, they tackle the concept of security absolutism and highlight the significance of finding a balance between security and functionality in business operations. They explore the idea that security may sometimes be viewed as a revenue protection function, emphasizing the importance of long-term strategies and the holistic consideration of financial implications as a helpful factor when evaluating risks
In this captivating episode of R2DSO hosts Ken and Mike embark on an exploration of security automation in the realms of application and cloud security. With a a keen understanding of the pitfalls, they emphasize the need for precision, consistency, and repeatability. Stepping beyond the traditional confines of scanning, and automation techniques destined for failure, they offer insightful analogies and practical advice, empowering listeners to harness the true power of secure automation. Join this engaging conversation tailored for technical application security enthusiasts and discover the keys to unlock a new era of efficiency and effectiveness.
In this action-packed episode, Ken, Mike, and Izzy (Ken's cat) dive headfirst into the wild world of DevSecOps Penetration Testing – is it possible or downright preposterous? Can we truly automate pentesting in this breakneck DevSecOps environment, or are we chasing a cybersecurity unicorn?Discover the vital distinction between red team operations and adversarial simulations within the DevSecOps landscape. We strip back to basics, defining penetration testing and its critical role in security programs we're talking practical, actionable insights into building robust pentesting into your CI/CD pipelines and vulnerability management by leaning on these concepts of DevSecOps for your red teams.
Mike and Ken dive into the exciting topic of Mergers and Acquisitions. Take a bit of time out of your day to join them in their explorations of how M&As have affected operations for clients, companies, and security teams. Today they discuss techniques, trials, tribulations, and methods for tackling the joining of two companies, organizations, and teams bringing real scenarios from their own experiences
Join Mike and Ken as they discuss collaborative security work and what working together looks like in enterprise and organizations. In an effort to help people make better security decisions, in this episode they cover avoiding silos, working effectively together, picking your battles, reframing the security conversation with engineers, and using security as an enabler.Now Available on YouTube:https://youtu.be/HDOWGqmaILc
Join Mike and Ken in their discussion about Incident Response and how it fits into the DevSecOps world and arena. Incident Response, logging and monitoring are hard problems to solve and Mike has some strong opinions on how to leverage and use native tooling to prepare and respond to incidents in your environment. Understanding logs, what to do with them, and how to filter through all of the noise are all covered in this episode. Mike and Ken also mention some tools and techniques you can start using for free today. Apologies for the Canine background, both dogs joined us for the episodeSome links from this episode:OWASP Cloud Top 10:https://owasp.org/www-pdf-archive/OWASP_Cloud_Top_10.pdfElectric Eye:https://github.com/jonrau1/ElectricEye
We dive back into bringing guests onto the show focusing on real problems with real people on the ground. In this episode, we are joined by Hecber Cordova, Director of Cloud Security at RBC. He shares insights around growth into DevSecOps, developing empathy with your engineering teams, creating cloud patterns, paved paths, and building secure architectures from the ground up. If you're interested in hearing from someone who has built strong security cultures in large institutions this is an episode to listen to!Links mentioned on the show:https://cloudseclist.com/https://cloudsecurityforum.slack.com
In this episode, Mike and Ken will dive deep into the world of ChatGPT and explore how it can be used to generate code for developers and operations teams. They'll discuss the benefits and drawbacks of relying on AI for security, and how it can be used to improve the security posture of your organization.But that's not all - Mike and Ken will also explore the challenges that come with scripting examples such as terraform, AWS, Azure, and python scripting for data structures. They'll share their experiences and insights into how you can overcome these challenges and succeed in your secure development and operations journey.So, buckle up and get ready for a high-energy, fast-paced episode that digs into how you might lean on ChatGPT for your DevSecOps Workloads... or maybe not!
In this episode, our hosts recap the Global OWASP AppSec Dublin conference and share insights into interesting talks about DevSecOps. They delve into the challenges and opportunities that come with securing modern applications in a dynamic and ever-changing landscape. The hosts also share their frustrations with application security vendors in the space and discuss potential solutions to overcome these challenges. Along the way, they also share their experiences in Dublin. Tune in for a candid and engaging conversation about DevSecOps, the future of application security, and the Irish experience.To view the talks from Global OWASP AppSec Dublin check out their playlist here:https://youtube.com/playlist?list=PLpr-xdpM8wG8479ud_l4W93WU5MP2bg78&si=EnSIkaIECMiOmarE
Today's episode covers one of the most common problems for software development teams and their security partners. Application Inventory. App Inventory brings to mind different struggles and difficulties for teams and even Ken and Mike have a few different experiences in approach. The team breaks apart some differences between asset inventory, software constellations, service discovery, and api security.If you want to meet and greet, come see us in Ireland at OWASP Global Dublin 2023!
Happy New Year! Another year of DevSecOps fun as we head into an unpredictable and volatile security market, Ken and Mike talk hiring and the struggle between having a ton of talented passionate junior talent and a security mission that requires experienced individuals with a limited budget. Inadequate staffing, the reality of security vs engineering budgets, bridging the talent gap with internships and an all call to organizations to fund security programs are all hot topics in the first episode of the new year.If you're looking to think about some new approaches to hiring, or you're just curious about how to hire security staff without security staff to begin with, give us a listen
We hope all of the turkey comas have worn off! These holiday delays are almost over, and in the meantime here we are with the second part of how security verticals fit into the great sprawling world of DevSecOps! Mike and Ken discuss migration fro on prem to cloud and how this shift has had a tremendous effect on the perception of data security. It's become easier and easier to spin up data storage solutions in cloud and infrastructure as code, but it's lead to some common and repeated mistakes that rear their ugly heads. Now the responsibility of spinning up servers, managing credentials, encrypting data at rest and in transit falls on software engineering shoulders, and with that we're learning that some of those lessons DBAs learned ages ago are back with a vengeance.
Comments
Download from Google Play
Download from App Store
United States