Episodes
-
In this episode, Ken and Mike discuss the pressing issue of staffing security in the DevSecOps field. They explore the challenges of finding qualified application security professionals, the importance of diverse backgrounds in security roles, and the paradox of understaffed security teams despite a high demand for cybersecurity jobs.
The conversation also delves into strategies for mitigating staffing issues, such as empowering security champions within organizations, leveraging automation and tooling, and avoiding bottlenecks in security processes. Throughout the discussion, they emphasize the need for a balanced approach to security that considers both technical and human factors.
-
Ken and Mike dive deep into the world of metrics and measurement in the context of security and DevSecOps. They explore the critical role metrics play in driving security improvements, from tracking vulnerabilities to gauging the effectiveness of incident response. The hosts discuss what makes a good metric, the importance of aligning metrics with business goals, and the dangers of relying too heavily on numbers alone. They also tackle the challenges of quantifying "squishy" aspects like culture and training effectiveness. Whether you're a seasoned security professional or just getting started, this episode offers valuable insights into the art and science of measurement in security.
Reference talk: https://www.youtube.com/watch?v=GXTvlQXVCOs&t=0s
-
Ken and Mike discuss the importance of postmortems in incident response and security incidents. They explore the definition of postmortems, the value of reflection, the challenges of blame, and the significance of actionable outcomes. They also touch on the transparency of postmortems and the need for root cause analysis. The conversation concludes with a brief announcement about an upcoming conference series.
-
Ken and Mike discuss supply chain security, including software composition analysis (SCA) and software bill of materials (SBOM). They highlight the importance of understanding the components that make up your software and the risks associated with using third-party libraries. They also discuss recent supply chain failures, such as the XZ library hack and the SolarWinds attack. The hosts emphasize the need for organizations to stay up to date with software patches and to consider the security of commercial off-the-shelf software. They caution against placing too much focus on any one security tool or approach, including SBOM, and instead advocate for a well-rounded approach to security.
-
In this episode, Mike and Ken dive into the wild world of SaaS products in DevSecOps. From vendors to security tooling hygiene, they cover an often overlooked ecosystem of cloud and software services that may be rotting in the sky of your workloads. Join up for a listen on SaaS security!
-
With pep and full YouTube energy, Ken and Mike discuss the findings of the IBM "Cost of a Data Breach" report and its implications for DevSecOps. They highlight the importance of integrating security into every phase of the software development life cycle and the positive impact it can have on reducing the cost of a data breach.
-
Ken and Mike discuss their new year's resolutions related to application security. They also reflect on the impact of AI and its adoption in the industry. The hosts share their experiences attending conferences and highlight interesting talks on topics such as zero-day vulnerabilities and fuzzing LLM models. They discuss the OWASP LLM Top 10 and the evolving perception of AI in the industry. The conversation concludes with a discussion on the definition of DevSecOps and how it has evolved over time, as well as their predictions for DevSecOps in 2024.
-
We are joined by incredible guests Mikhail Chechik and Marcus Hallberg as they help us define DevSecOps and emphasize the importance of a security mindset throughout the development process. These two incredible folks explore common misconceptions about shifting left and discuss the challenges of triaging and validating vulnerabilities early in the development lifecycle. We enter the wild world of this wonderful shifting buzzword and how it applies to incident response, design, people, and the general development process.
-
On this episode of R2DSO, Mike and Ken dive into their takeaways and experiences from LASCON 2023 in Austin, TX, where AI was both a problem child and a praised bringer of salvation in security. Vendors and companies alike are embracing AI with wide eyes, and there was no shortage of talks, presentations, and hallway conversations about the topic. Beyond that, security is fast accepting that it can't be the department of "No", a consistent theme here on the podcast. The team had a fantastic time at LASCON and we're happy to see where the industry is going!
-
In this episode, Ken and Mike dive directly into the meat with solutioning and mitigation. All too often, security professionals find themselves falling into the trap of focusing on vulnerability counts, evangelizing findings, and playing the age-old game of red, yellow, green. We jump straight into the why of this focus in the industry and offer some ideas on how to get out of it successfully. If you're interested in a conversation about solving problems rather than just identifying them, hop on in!
-
In today's episode, we untangle the web of alphabet-soup technologies: CSPM, VM, SIEM, and Log Aggregators. We go beyond the buzzwords to give you a no-nonsense look at how these tools fit together, complement each other, or might even replace one another in specific use-cases. Selecting the right tool can be overwhelming, and we're here to guide you through the when, where, and how of leveraging these technologies effectively. Whether you're encountering overlapping features or unique challenges, we'll help you make a savvy, informed choice for your workloads. Tune in for a practical guide to navigating the complex landscape of cybersecurity tools.
-
Dive headfirst into AppSec and Terraform security with Ken and Mike in this electrifying podcast episode. They demystify complex security concepts, offer golden nuggets on cybersecurity programs as a DevSecOps concept, and provide a rare glimpse into the high-octane training sessions they're delivering at Black Hat, DEF CON, and LASCON. This episode is a view into building resilient security programs, tackling compliance challenges, and comparing bug bounty programs and pentests. Brimming with empathy and passion, it's a captivating blend of strategic insights and practical advice for navigating modern cybersecurity landscapes. Tune in, soak up the armchair hot takes!
-
Ken and Mike dive into the exciting world of modern application and cloud security, with a keen focus on the challenges posed by legacy systems. They explore the hurdles faced when dealing with older applications written in stalwart languages like Java, .NET, Rails, and Python, and shed light on the complexities of addressing security issues in these systems. Join them as they discuss everything from slow performance and resistance to change to the intricate nature of large monolithic applications.
In addition, they tackle the concept of security absolutism and highlight the significance of finding a balance between security and functionality in business operations. They explore the idea that security may sometimes be viewed as a revenue protection function, emphasizing the importance of long-term strategies and the holistic consideration of financial implications as a helpful factor when evaluating risks.
-
In this captivating episode of R2DSO, hosts Ken and Mike embark on an exploration of security automation in the realms of application and cloud security. With a keen understanding of the pitfalls, they emphasize the need for precision, consistency, and repeatability. Stepping beyond the traditional confines of scanning and automation techniques destined for failure, they offer insightful analogies and practical advice, empowering listeners to harness the true power of secure automation. Join this engaging conversation tailored for technical application security enthusiasts and discover the keys to unlock a new era of efficiency and effectiveness.
-
In this action-packed episode, Ken, Mike, and Izzy (Ken's cat) dive headfirst into the wild world of DevSecOps Penetration Testing – is it possible or downright preposterous? Can we truly automate pentesting in this breakneck DevSecOps environment, or are we chasing a cybersecurity unicorn?
Discover the vital distinction between red team operations and adversarial simulations within the DevSecOps landscape. We strip back to basics, defining penetration testing and its critical role in security programs. We're talking practical, actionable insights into building robust pentesting into your CI/CD pipelines and vulnerability management by leaning on these concepts of DevSecOps for your red teams.
-
Mike and Ken dive into the exciting topic of mergers and acquisitions. Take a bit of time out of your day to join them in their explorations of how M&As have affected operations for clients, companies, and security teams. Today they discuss techniques, trials, tribulations, and methods for tackling the joining of two companies, organizations, and teams, bringing real scenarios from their own experiences.
-
Join Mike and Ken as they discuss collaborative security work and what working together looks like in enterprise and organizations. In an effort to help people make better security decisions, in this episode they cover avoiding silos, working effectively together, picking your battles, reframing the security conversation with engineers, and using security as an enabler.
Now Available on YouTube:
https://youtu.be/HDOWGqmaILc
-
Join Mike and Ken in their discussion about incident response and how it fits into the DevSecOps world and arena. Incident response, logging, and monitoring are hard problems to solve, and Mike has some strong opinions on how to leverage and use native tooling to prepare for and respond to incidents in your environment. Understanding logs, what to do with them, and how to filter through all of the noise are all covered in this episode. Mike and Ken also mention some tools and techniques you can start using for free today. Apologies for the canine background; both dogs joined us for the episode.
Some links from this episode:
OWASP Cloud Top 10:
https://owasp.org/www-pdf-archive/OWASP_Cloud_Top_10.pdf
Electric Eye:
https://github.com/jonrau1/ElectricEye
-
We dive back into bringing guests onto the show focusing on real problems with real people on the ground. In this episode, we are joined by Hecber Cordova, Director of Cloud Security at RBC. He shares insights around growth into DevSecOps, developing empathy with your engineering teams, creating cloud patterns, paved paths, and building secure architectures from the ground up. If you're interested in hearing from someone who has built strong security cultures in large institutions this is an episode to listen to!
Links mentioned on the show:
https://cloudseclist.com/
https://cloudsecurityforum.slack.com
-
In this episode, Mike and Ken will dive deep into the world of ChatGPT and explore how it can be used to generate code for developers and operations teams. They'll discuss the benefits and drawbacks of relying on AI for security, and how it can be used to improve the security posture of your organization.
But that's not all: Mike and Ken will also explore the challenges that come with scripting examples such as Terraform, AWS, Azure, and Python scripting for data structures. They'll share their experiences and insights into how you can overcome these challenges and succeed in your secure development and operations journey.
So, buckle up and get ready for a high-energy, fast-paced episode that digs into how you might lean on ChatGPT for your DevSecOps Workloads... or maybe not!