Relating to DevSecOps

74 episodes - English - Latest episode: 30 days ago

A Podcast dedicated to forging iron clad relationships between developers, engineers, operations, and security practitioners by discussing hot topics in the world of DevSecOps. This podcast aims to air out some of the common gripes, misconceptions, and hardships that these teams face in the real world every day.

Technology
Episodes

Episode #069: Your SaaS is Grass

March 20, 2024 14:00 - 32 minutes - 22.4 MB

In this episode Mike and Ken dive into the wild world of SaaS products in DevSecOps. From vendors to security tooling hygiene they cover an often overlooked ecosystem of cloud and software services that may be rotting in the sky of your workloads. Join up for a listen on SaaS Security!

Episode #068: Data Breaches and DevSecOps

February 21, 2024 16:00 - 34 minutes - 23.6 MB

With pep and full youtube energy Ken and Mike discuss the findings of the IBM "Cost of a Data Breach" report and its implications for DevSecOps. They highlight the importance of integrating security into every phase of the software development life cycle and the positive impact it can have on reducing the cost of a data breach.

Episode #067: Welcome to 2024! AppSec Resolutions and a ShmooCon Recap

January 26, 2024 16:00 - 35 minutes - 24.4 MB

Ken and Mike discuss their new year's resolutions related to application security. They also reflect on the impact of AI and its adoption in the industry. The hosts share their experiences attending conferences and highlight interesting talks on topics such as zero-day vulnerabilities and fuzzing LLM models. They discuss the OWASP LLM Top 10 and the evolving perception of AI in the industry. The conversation concludes with a discussion on the definition of DevSecOps and how it has evolved ov...

Episode #066: Exploration of the Shifting Definition of Shifting Left

December 05, 2023 14:00 - 42 minutes - 29.3 MB

We are joined by incredible guests Mikhail Chechik and Marcus Hallberg as they help us define DevSecOps and emphasize the importance of a security mindset throughout the development process. These two incredible folks explore common misconceptions about shifting left and discuss the challenges of triaging and validating vulnerabilities early in the development lifecycle. We enter the wild world of this wonderful shifting buzzword and how it applies to incident response, design, people, an...

Episode #065: LASCON 2023 Recap - AI, a Misunderstood Menace or Magic Bullet

November 10, 2023 23:00 - 33 minutes - 22.8 MB

On this episode of R2DSO Mike and Ken dive into their takeaways and experiences from LASCON 2023 in Austin, TX, where AI was both a problem child and praised bringer of salvation in security. Vendors and companies alike are embracing AI with wide eyes, and there was no shortage of talks, presentations, and hallway conversations about the topic. Beyond that, security is fast accepting that they can't be the department of "No", a consistent theme here on the podcast. The team had a fantastic time ...

Episode #064: Don't Instigate, Mitigate!

September 25, 2023 23:00 - 31 minutes - 21.7 MB

In this episode Ken and Mike dive directly into the meat with solutioning and mitigation. All too often security professionals find themselves falling into the trap of focusing on vulnerability counts, evangelizing findings, and playing the age-old game of red, yellow, green. We jump straight into the why of this focus in the industry and offer some ideas on how to get out of it successfully. If you're interested in a conversation about solving problems rather than just identifying them, ...

Episode #063: Unscrambling CloudSecSoup with CSPM, Vuln Management, SIEMs, and Log Aggregators

September 05, 2023 16:00 - 37 minutes - 26.1 MB

In today's episode, we untangle the web of alphabet-soup technologies: CSPM, VM, SIEM, and Log Aggregators. We go beyond the buzzwords to give you a no-nonsense look at how these tools fit together, complement each other, or might even replace one another in specific use-cases. Selecting the right tool can be overwhelming, and we're here to guide you through the when, where, and how of leveraging these technologies effectively. Whether you're encountering overlapping features or unique chall...

Episode #062: Cyber Sentinels: Ken and Mike in the DevSecOps Labyrinth

August 07, 2023 14:00 - 40 minutes - 27.8 MB

Dive headfirst into AppSec and Terraform security with Ken and Mike in this electrifying podcast episode. They demystify complex security concepts, offer golden nuggets on Cybersecurity programs as a DevSecOps concept, and provide a rare glimpse into the high-octane training sessions they're delivering at BlackHat, Defcon, and Lascon. This episode is a view into building resilient security programs, tackling compliance challenges, and comparing bug bounty programs and pentests. Brimming wi...

Episode #061: Fossilized Code & Future Clouds: Contrasting Worlds of Balance in Legacy Applications

July 18, 2023 13:00 - 39 minutes - 26.9 MB

Ken and Mike dive into the exciting world of modern application and cloud security, with a keen focus on the challenges posed by legacy systems. They explore the hurdles faced when dealing with older applications written in stalwart languages like Java, .NET, Rails, and Python, and shed light on the complexities of addressing security issues in these systems. Join them as they discuss everything from slow performance and resistance to change to the intricate nature of large monolithic applic...

Episode #060: Precise Angles for Automation in DevSecOps Adventures

June 22, 2023 17:00 - 56 minutes - 39.1 MB

In this captivating episode of R2DSO, hosts Ken and Mike embark on an exploration of security automation in the realms of application and cloud security. With a keen understanding of the pitfalls, they emphasize the need for precision, consistency, and repeatability. Stepping beyond the traditional confines of scanning, and automation techniques destined for failure, they offer insightful analogies and practical advice, empowering listeners to harness the true power of secure automation. Jo...

Episode #059: DevSecOps Pentesting, Possible or Preposterous?

June 08, 2023 13:00 - 43 minutes - 29.9 MB

In this action-packed episode, Ken, Mike, and Izzy (Ken's cat) dive headfirst into the wild world of DevSecOps Penetration Testing – is it possible or downright preposterous? Can we truly automate pentesting in this breakneck DevSecOps environment, or are we chasing a cybersecurity unicorn? Discover the vital distinction between red team operations and adversarial simulations within the DevSecOps landscape. We strip back to basics, defining penetration testing and its critical role in secur...

Episode #058: Merging Your Mergers without Git Merge

June 01, 2023 13:00 - 33 minutes - 23 MB

Mike and Ken dive into the exciting topic of Mergers and Acquisitions. Take a bit of time out of your day to join them in their explorations of how M&As have affected operations for clients, companies, and security teams. Today they discuss techniques, trials, tribulations, and methods for tackling the joining of two companies, organizations, and teams, bringing real scenarios from their own experiences.

Episode #057: Security Without Compromise!

May 19, 2023 17:00 - 30 minutes - 21.1 MB

Join Mike and Ken as they discuss collaborative security work and what working together looks like in enterprise and organizations. In an effort to help people make better security decisions, in this episode they cover avoiding silos, working effectively together, picking your battles, reframing the security conversation with engineers, and using security as an enabler. Now Available on YouTube: https://youtu.be/HDOWGqmaILc

Episode #056: Respond Well in Incident Response with DevSecOps

April 21, 2023 13:00 - 34 minutes - 23.9 MB

Join Mike and Ken in their discussion about Incident Response and how it fits into the DevSecOps world and arena. Incident Response, logging and monitoring are hard problems to solve and Mike has some strong opinions on how to leverage and use native tooling to prepare and respond to incidents in your environment. Understanding logs, what to do with them, and how to filter through all of the noise are all covered in this episode. Mike and Ken also mention some tools and techniques you can st...

Episode #055: Engineering Empathy with Hecber Cordova

March 31, 2023 13:00 - 42 minutes - 28.9 MB

We dive back into bringing guests onto the show focusing on real problems with real people on the ground. In this episode, we are joined by Hecber Cordova, Director of Cloud Security at RBC. He shares insights around growth into DevSecOps, developing empathy with your engineering teams, creating cloud patterns, paved paths, and building secure architectures from the ground up. If you're interested in hearing from someone who has built strong security cultures in large institutions this is an...

Episode #054: ChatGPT's Cryptic Insights: AI in Security for Developers and Operations Teams

March 23, 2023 14:00 - 36 minutes - 25.2 MB

In this episode, Mike and Ken will dive deep into the world of ChatGPT and explore how it can be used to generate code for developers and operations teams. They'll discuss the benefits and drawbacks of relying on AI for security, and how it can be used to improve the security posture of your organization. But that's not all - Mike and Ken will also explore the challenges that come with scripting examples such as Terraform, AWS, Azure, and Python scripting for data structures. They'll share ...

Episode #053: DevSecOps on the Emerald Isle: Insights from Global OWASP AppSec Dublin, with a Side of Guinness and Frustrations with Application Security Vendors

March 08, 2023 15:00 - 41 minutes - 28.3 MB

In this episode, our hosts recap the Global OWASP AppSec Dublin conference and share insights into interesting talks about DevSecOps. They delve into the challenges and opportunities that come with securing modern applications in a dynamic and ever-changing landscape. The hosts also share their frustrations with application security vendors in the space and discuss potential solutions to overcome these challenges. Along the way, they also share their experiences in Dublin. Tune in for a cand...

Episode #052: Dude! Where's My Stuff? Application Inventory and Service Discovery

February 07, 2023 14:00 - 28 minutes - 19.8 MB

Today's episode covers one of the most common problems for software development teams and their security partners: application inventory. App inventory brings to mind different struggles and difficulties for teams, and even Ken and Mike have a few different experiences in approach. The team breaks apart some differences between asset inventory, software constellations, service discovery, and API security. If you want to meet and greet, come see us in Ireland at OWASP Global Dublin 2023!

Episode #051: Hiring for DevSecOps in 2023!

January 14, 2023 17:00 - 50 minutes - 35 MB

Happy New Year! As we head into another year of DevSecOps fun and an unpredictable, volatile security market, Ken and Mike talk hiring and the struggle between having a ton of talented, passionate junior talent and a security mission that requires experienced individuals on a limited budget. Inadequate staffing, the reality of security vs engineering budgets, bridging the talent gap with internships, and a call to organizations to fund security programs are all hot topics in the first ep...

Episode #050: The Evolution of Data Security in DevSecOps

December 03, 2022 04:00 - 34 minutes - 24 MB

We hope all of the turkey comas have worn off! These holiday delays are almost over, and in the meantime here we are with the second part of how security verticals fit into the great sprawling world of DevSecOps! Mike and Ken discuss migration from on-prem to cloud and how this shift has had a tremendous effect on the perception of data security. It's become easier and easier to spin up data storage solutions in cloud and infrastructure as code, but it's led to some common and repeated mista...

Episode #049: IAM! The Myers Briggs of DevSecOps

October 24, 2022 13:00 - 37 minutes - 26 MB

It's been tough getting together with the end of year madness, but we're back again after another unanticipated delay. In this episode, we take some time to cover how IAM fits into the greater idea and methodology of DevSecOps. We cover how we think of IAM in today's code-driven world and go through some thoughts, opinions, and scenarios around IAM. In the next few episodes we'll be covering how other security verticals like data, incident response, and endpoint detection/response meet appli...

Episode #048: Threat Modeling doesn't need to feel like pain and sorrow

September 16, 2022 15:00 - 42 minutes - 28.9 MB

We are back from vacation! Pick up where you left off as we jump back into DevSecOps with threat modeling experiences, lessons, and perceptions we've seen in our day to day. After getting through a bit of a slow start, we revisit this topic all the way back from episode 3 where we got the hot takes on threat modeling from our resident devops and software engineering representatives Jamieson and Simon. Here we unpack a bit of how to get started in threat modeling, approaches we've seen that h...

Episode #047: Geese aren't the only things migrating in the cloud, but we're more secure at least

August 08, 2022 14:00 - 37 minutes - 26 MB

One thing Mike and Ken have talked about at length at conferences, in board rooms, and in team chats is the security of migrating workloads to the cloud. Join them as they discuss the migration patterns, how they vary between your favorite cloud service providers, and just where security fits into the whole mess. From on-prem, refactoring, lift-and-shift, native cloud workloads, or just someone else's computer, we have enough buzzwords to knock your socks off this time around.

Episode #046: Security Spiderwebs with Kubernetes and how Cloud helps (and hurts)

July 11, 2022 13:00 - 36 minutes - 25.4 MB

We are BACK after a hiatus of vacations, illness, and family gatherings! While we may have been absent, we are at no shortage of words to say and hope you enjoy our conversation about Kubernetes and the variety of flavors cloud service providers have to offer. From EKS through GKE and AKS we cover security concerns and challenges we've seen in the last few months. We talk about why teams choose to implement one or the other and how you might think about locking down your own Kubernetes i...

Episode #045: What is DevSecOps in 2022? An R2DSO anniversary redux

June 10, 2022 00:00 - 35 minutes - 24.2 MB

Mike and Ken take it back to the roots with a special anniversary episode on what DevSecOps is. Since we started this podcast we've had a lot of topics that fit the overall DevSecOps buzzword, but in this episode we talk about some of the evolution DevSecOps has gone through, how it's perceived in the industry and market today, and some hot takes on what's changed. The good, the bad, and the ugly. We leave it to you to decide: has DevSecOps lost its marketing shine and buzzword status?

Episode #044: Multiball Pinball with Multicloud Hot Takes and Infrastructure as Code

May 21, 2022 02:00 - 37 minutes - 25.7 MB

Mike and Ken are BACK after a small hiatus and they jump into hot takes on multi-cloud. What does multi-cloud even mean? How does it differ from hybrid cloud, private cloud, or even just the status quo data center? The hosts discuss integration of products and projects into a multicloud deployment, security concerns associated with the approach, and how it differs from the horrors and challenges in private cloud and hybrid cloud. The team talks resources, talent, hiring, and what challenges...

Episode #043: Security leaves the cave to go to Miami with the Blockchain People and this episode happened

April 20, 2022 22:00 - 34 minutes - 23.4 MB

Ken had a chance to attend a blockchain conference for Solana out in Miami and Mike hops into the interviewer seat. We talk about some differences in approach. With a heavy builder community, we chat through the build-it-on-site mentality of Solana devs and the driving market that is new and novel blockchain ecosystems, from new projects and industry verticals to everything from gaming to sports betting. We give you some hot takes and first looks at Solana Miami.

Episode #042: Prescription Lenses or Sunglasses for Eyes on Code

March 31, 2022 12:00 - 34 minutes - 23.5 MB

In this Episode we talk about the differences in code review depending on role and how you can be a better code reviewer on the "blue" side. Sometimes security tends to think in breaks and hacks, but we talk about how to think and act like a secure developer. Continuing the theme of systemic fixes, we discuss how difficult it can be to review small segments of code without context, how code reviews change when you move internal, and what you can do about it.

Episode #041: Holistic Cloud Medicine in the Face of the Modularization of Cloud Components Affects Applications

March 16, 2022 23:00 - 31 minutes - 21.5 MB

A continuing trend in cloud and application security has been the modularization of application functions that offloads the developer responsibility for security and even some development! We cover how these cloud legos affect secure architectures, how the assessment paradigm shifts to configuration, how traditional silos such as #cloudsec, #netsec, and #appsec change. Mike brings a real world scenario and provoking thoughts around how we can possibly call something secure if we don't unde...

Episode #040: Over the hill with blockchain and DevSecOps with digital money

February 25, 2022 22:00 - 36 minutes - 24.8 MB

In this episode we introduce the general concepts of security in cryptocurrency and blockchain, and what we see in our day to day with regard to application security and DevSecOps. We cover developer personas, cloud, centralized organizations, the difference in transparency, compliance, and frustrations as Mike grills Ken and teases out a tangent or two.

Episode #039: Cloud Metal Detectors with Monitoring and Logging

February 16, 2022 21:00 - 32 minutes - 22.2 MB

In this episode we cover another security perspective on logging and monitoring in the cloud as opposed to web applications specifically. We dive into Mike's view on how logs and software defined infrastructure evolve in the world of incident response and detection today. With the propagation of infinitely scalable cloud environments, we dive into ways to wrangle logs and make sense of the information these environments generate. Whether it's automation or filtering, we get this conversation...

Episode #038: Layers of the DevSecOps Onion, are we reversing time?

February 02, 2022 00:00 - 35 minutes - 24.6 MB

In this episode Mike and Ken talk about the magic of software defined things and how skill crossover is becoming a thing of the future. Maybe history is repeating itself. Whether it's endpoint detection and response, physical security, disaster recovery, networks, or a firewall, it seems like everything has a software defined equivalent. Developers and Application Security engineers are being called on more and more to know things they didn't have to even 5 years ago. The team digs into th...

Episode #037: New Year, New Security: what can you do to level up?

January 19, 2022 21:00 - 35 minutes - 24.3 MB

Happy New Year from R2DSO as we head into 2022. In this Episode we bring back Michael McCabe for a more permanent role on the show! Super exciting for us and hopefully for you. We talk about our plans for the future of the show including interactive components, video, and expansion on the existing repository. We also take some time to talk about trends in security skills that organizations are looking for and what types of programming languages are hot in the industry right now. Join us for ...

Episode #036: Trending Topics from Terraform to Testing

December 07, 2021 18:00 - 38 minutes - 26.2 MB

In this alliterative episode we bring back Mike McCabe to wrap up a security year in consulting with common trends and successes in security. On the back of Ken and Mike's talk at LASCON 2021, these two break down some of the common security themes from clients and scenarios that highlight just how we've progressed in an almost fully remote year of work. AppSec programs, maturity, compliance, transferring risk, and infrastructure as code are just a few of the topics we chat through. We know i...

Happy Holidays from R2DSO!

November 24, 2021 18:00 - 1 minute - 1.4 MB

We've had a bit of an end of year rush so just wanted to give listeners a preview of what's to come in the next few episodes. We're laying down the tracks now and should have something out the door early December. Thanks for all of your support and feedback. We're looking forward to getting back into the studio!

Episode #035: Successful Unit Testing Through Collaboration with Your Unit

November 02, 2021 02:00 - 41 minutes - 28.6 MB

We know, we know! It's been too long between episodes, but we had some speaking engagements, conferences, and general life going into November, and here we are. In this episode we cover unit testing, what it means to security vs what it means to engineers, and some learning along the way as we dig into what makes a good unit test. All too often security engineers are telling development teams they need to write security unit tests, but they don't say how or what to write. We go through definit...

Episode #034: Attack of the Git PR through K8s

October 11, 2021 21:00 - 42 minutes - 29.1 MB

In this episode we squeeze one more git topic out with an attack through a PR. Based on a recent article posted on https://cloudseclist.com/ we thought it fit the series pretty well and put a nice capstone on everything. You can read the article we reference yourself at https://goteleport.com/blog/hack-via-pull-request/ This episode is full of hot takes and rambling, but we thought we ended in a good place even if we went through a few roundabout analogies to get there. Learn more about h...

Episode #033: Getting out of git by branching out with branching strategies

September 21, 2021 20:00 - 32 minutes - 22.4 MB

Bad puns end this series with branching strategies and git. We start with Simon's preferred approach from a product engineering strategy for branching and why it works for him. Then we talk about some of the common issues that occur due to strategies that are not optimized for the organization running them. Some of these include over-engineering, cultural frustrations, re-work, and security bugs! Join us for the capstone of the git series in 2021; hope you enjoy the listen.

Episode #032: Hooks, Kits, and Git - putting security into your git pipeline

September 07, 2021 15:00 - 39 minutes - 27.3 MB

In this episode we cover a few technical topics, but primarily how to get started with getting security into your git pipeline through git hooks, pre-commit strategies, secrets analysis, and scan automation. We also cover some best practices that help engineers and developers stay security minded throughout their time in the repository. We hope you have as much fun listening as we did recording!

Episode #031: Git Security Done with Git

August 17, 2021 04:00 - 37 minutes - 26.1 MB

We head into an unknown number of episodes around git. In this episode we introduce git and common security concerns to folks who may be unfamiliar with either. Git is an essential skill for security practitioners and engineers, and sometimes we're just winging it when it comes to doing things right (or at least our opinion of right). We cover differences between rebase and merge, common commands that become problems down the road, and some problems we've faced in our careers with using, evalu...

Episode #030: Blueprints, Reference Architectures, and Plans - Building Apps Securely

July 26, 2021 18:00 - 34 minutes - 23.9 MB

In this episode we chat blueprints, security patterns, reference architectures, and plans: basically what we've seen in terms of the left-hand side of the SDLC in establishing requirements early. This topic came about after reading the recent AWS Security Reference Architecture and grappling with implementation. We get pretty metaphor and analogy heavy in this one, with some examples that may or may not make sense. Ultimately, these things work! We've seen them in the real world in a variety ...

Episode #029: Does anyone REALLY do DevSecOps, and succeed?

July 06, 2021 22:00 - 30 minutes - 21.1 MB

In this somewhat makeshift, low-power episode recorded during the NYC power grid strain we do our best at getting inventive with recording techniques. Topic of the day is: does DevSecOps really work? We discuss some of our failures, frustrations, and successes with DevSecOps. We also cover things you can do to succeed with DevSecOps techniques. While it may seem like fighting an uphill battle in security automation and all of these fancy modern security practices, we share some stories and ...

Episode #028: Non-technical management and Email as your IDE

June 22, 2021 17:00 - 57 minutes - 39.5 MB

Episode number 28 moves us back to a more people focused topic as we dive into technical vs non-technical management, leadership, management styles, how we've approached managers and management in our careers, and general hot takes on leadership and management in the DevSecOps world. Opinion heavy in this one and while this isn't management advice, hopefully it sparks some ideas and avenues of thought for our listeners. Referenced in this episode: Extreme Ownership: https://echelonfront.com...

Episode #027: Hot Takes on Blogs: Part I - Are QA, BA, and DBAs Dead?

June 03, 2021 02:00 - 34 minutes - 23.7 MB

In this react video of a podcast we have a look at a recent blog post on whether the QA, DBA, and BA jobs are going away in favor of more consolidated roles in development such as the full stack engineer and cloud services like abstracted databases. Simon baits Ken into a reaction since security is excluded, but eventually conclusions and comparisons are drawn to the security industry and just how important these role functions are in today's modern workloads. Thanks to Simon for bringing...

Episode #026: Starting right by shifting left - what to do at build time

May 21, 2021 18:00 - 33 minutes - 22.9 MB

After such a fun conversation last week, we bring Mike back in to discuss applying security at build time and what we can do with infrastructure as code through linting and early analysis. We break down the difference between Linting, Policy as Code, and SaaS and talk about how each of these might fit into your workloads. Plus! As a security practitioner, what you can do to move the ball forward in automated testing and security in your CI/CD pipelines. We got it back down to 30-ish minutes ...

Episode #025: Warm blankets around your cloud with CSPM and Michael McCabe

May 11, 2021 17:00 - 56 minutes - 38.9 MB

Episode 25 is all about CSPM and our good friend Michael McCabe. Mike has a ton of experience securing application and cloud workloads, and we break down how CSPM fits into the larger landscape of DevSecOps. Whether you look at it as the first step, last step, catch-all, or waste of money, we break down ways a CSPM can be a valuable part of your cloud strategy and DevSecOps. In the world of buzzwords, hot air, and the security hype train, Mike has all kinds of tips and tricks around navigatin...

Episode #024: The first line of defense for MicroServices - AUTH

April 26, 2021 18:00 - 39 minutes - 27.2 MB

And that means authentication and authorization. Once you start splitting up the monolithic apps and iterating faster and faster, how does your mindset on security change? Simon and I have our own opinions, but we're starting with authentication and authorization on this episode as well as some ideas that come to mind when organizations take their first microservices steps. It's only one part of the mystery, but an important consideration! Hoping you all get something out of this. In episod...