InfoSec. AppSec. DevOps. DevSecOps. Network Security. Should companies be talking about these subjects only when they are a large organization? NO! Should security be a priority for every company, no matter the size? YES! According to a study by BullGu
Akeyless - The Secrets Management Company
What challenges are there with observability in modern microservices environments? Yosef Arbiv, Engineering Group Leader at Epsagon (Acquired by Cisco), joins the podcast to discuss observability best practices as well as the Open Telemetry project and how observability impacts the overall security health of an organization.
In this episode of DevSec For Scale, we follow up our previous episode with some really great information about how the OWASP WrongSecrets project came about and how they manage everything, as well as how users can join and help with fixes, add challenges, and features. Jeroen also discusses the future of the project. To learn more, go to https://owasp.org/www-project-wrongsecrets/ or star the repo at https://github.com/commjoen/wrongsecrets/.
How do you approach E2E and Integration testing in the new and complex world of Kubernetes and multi-cloud environments? Arjun Iyer, CEO & Co-Founder of Signadot joins the podcast for a very interesting and informative episode on how testing needs to shift left as we rapidly grow our development environments to the latest and greatest in infrastructure orchestration and application security.
What is the importance of Secrets Management and how has it evolved to where it is now? In this episode of the DevSec For Scale podcast, Jeroen Willemsen, one of two project leads for the OWASP WrongSecrets project, gives us a short history of secrets management in the OWASP universe and goes into how he sees the future of secrets in the enterprise.
What's it like to go from a DevOps engineer in large organizations with expert security engineers, to a small startup that requires you to be the security engineer? In this episode, Gil Zellner, Infrastructure Lead at HourOne.ai talks about his personal experience being thrown into the deep end of security as a developer. He discusses some of the changes he had to make on his journey from companies like Oracle, AppsFlyer, and Wix to his current early stage employer. Gil also brings some interesting stories about things he has learned becoming a de facto security engineer.
How has threat modeling evolved and how can security help make it easier for developers to implement that practically into their code? In this episode, Maran Gunasekaran, Principal Security Consultant at Practical DevSecOps gives us a rundown of what threat modeling used to mean and how developers can translate threat models into actual threat modeling as code. He also offers real-world examples of how security and developers align on threat modeling when shipping code.
Why do security teams and developers clash, and how can we ensure there is better collaboration between them? In this episode, Ravid Circus, Co-Founder & CPO at Seemplicity talks about his experience with security teams and how their requests are handled by the development teams. He also gets into how security teams should track progress and handle backlogs based on priorities.
Why is there still friction between Dev and Sec? How can we bridge that gap better? In this episode, Duane Gran, Corporate Director of Information Security at Converge Technology Solutions dives into how he has seen developers and security butt heads and about his personal journey from dev to sec. Duane offers great advice on getting developer buy-in and making sure security and dev tasks are more aligned.
Is there a simple way to detect and manage ransomware attacks? In this episode, Greg Edwards, CEO of CryptoStopper introduces us to the evolution and basics of ransomware as well as how to get better at detecting sophisticated attacks, such as file-less ransomware, before they can damage your system. He also gives us insights into how developers can ensure they aren't the reason for a ransomware attack through vigilance and preparation.
If you've ever worked with containers, or specifically Kubernetes, you are probably familiar with the basics of cluster configuration. But are you ensuring your clusters are secured properly? In this episode, Rotem Refael, Director of Engineering at ARMO elaborates on a research study that the company did by scanning tens of thousands of repos to find out if the most obvious security configurations are being adhered to, as well as the more advanced ones. Interestingly enough, they found that 100% of the clusters had at least one misconfiguration. We dive into some of the most frequent misconfigurations Rotem has come by and discuss how this happens and how it can be prevented.
Are development environments important enough for us to even care about securing? The answer is a resounding yes. In this episode, Guy Flecther, CEO & Co-Founder of Cider Security goes in-depth into why security is not just a requirement for production, but also for development environments. Because most teams now use DevOps methodologies, the security of development environments also affects the rest of the organization. Guy also talks about how to increase visibility into those environments and mitigate risk.
How do you ensure secure development while maintaining the release velocity of your applications? In this episode, Harshit Chitalia, CTO & Founder at Tromzo, talks with me about his recent research study where he asked over 400 developers about their biggest Application Security challenges. We get into some of the interesting findings of the report and also discuss how vulnerabilities are found and fixed as well as tooling developers can use to do just that.
--
State of Modern Application Security: https://www.tromzo.com/resources/state-of-modern-application-security
Voice of the Modern Developer Research: https://www.tromzo.com/resources/voice-of-the-modern-developer
Whether it's leaving a database on a public IP or waiting to put proper VPN access in place, there are many security issues startups can sometimes fall victim to. In this episode, Dan Yelovitch, Chief DevOps Architect at develeap, wows us with stories about actual clients he works with that have made mistakes that have been costly. We learn about the problem, fixes, and ways to ensure your small organization can install automation and cultural practices to stay more secure.
What are best practices for protecting your production pipeline? In this episode, we welcome Zan Markan, Senior Developer Advocate at CircleCI to talk about how he looks at basic security aspects related to continuous deployment as well as common configuration issues that come up. We also discuss code and dependency scanning as well as policy enforcement.
---
Follow Zan at:
https://twitter.com/zmarkan
https://circleci.com
https://twitter.com/circleci
One of the absolute most important items on any security team's agenda is Secrets Management. Nobody knows this more than Conor Mancone, Lead App Security Engineer at Cimpress. Conor is a power user of Akeyless, as they are a customer, and in this episode he details how Cimpress came to understand their needs for credential management, with 13 subsidiaries, and what compelled them to find a centralized platform for managing secrets. Check out Conor's work at https://blog.cmancone.com/ where he shows his work creating and deploying credential-less infrastructure and applications.
We all know about Identity Providers today. But where did they come from and why are they so important to security? In this episode, Dan Moore, solutions architect and head of DevRel at FusionAuth, answers a variety of auth related questions and helps us understand the ways developers are impacted by things like IAM, SSO, and more.
-----
https://www.w3.org/community/fed-id/ - W3C group mentioned
https://martinfowler.com/articles/agile-threat-modelling.html - threat modelling
https://owasp.org/www-project-top-ten/ - OWASP top ten
If you could create a cybersecurity advocacy position, what would it look like? In this latest episode of the DevSec for Scale Podcast, Ashish Rajan, CISO at PageUp People and host of the Cyber Security Podcast (cybersecuritypodcast.tv), talks with Jeremy about why cybersecurity needs advocates the way developers have them. He also speaks about how a cybersecurity and cloud security advocacy program could help the industry immensely.
Why choose open source tools and products over closed-source enterprise ones? In this episode, Liran Tal, Director of Developer Advocacy at Snyk and open source champion talks to us about the importance of OSS in the world. We get into specifics about things like supply chain security as well as how developers should think about the health of their code and packages.
How do you ensure authentication and authorization of users and machines in a microservices environment? And then add on the complexity of multi-tenancy architecture? In this episode, Yuval Yogev, Chief Architect at Sygnia, talks with me about the challenges he faces when dealing with migration of a single tenant to multi-tenant architecture and ensuring all authentication and authorization is handled in the most secure way possible.
Are you accounting for the human element of security in your business? In this very interesting episode, we have Cybersecurity Leader and Security Researcher, Nick DiPasquale talk with us about the human attack vector into any business. This applies to developers and non-developers. He recounts some of his own experience using open source intelligence (OSINT) to find gaps in security for his clients, how to do your best to stop bad actors, and other tips to harden your security.
Are DevOps engineers really thinking about security in their daily activities? In this episode, I talk with Hila Fish, Senior DevOps Engineer at Wix, about her experience with security-first DevOps and why it is such an important practice. She walks us through her philosophy on being a security-conscious engineer and how she manages teams to be more thoughtful when working on any project, not just for the organization, but for personal growth as well.
How do companies secure themselves against supply chain attacks as well as internal pipelines? In this episode, Ant Weiss, self-described Software Delivery Futurist and Founder of Otomato Software, a DevOps consultancy, talks to us about what he believes is the biggest supply chain threat when it comes to shipping code. He also gives us some of his personal experiences with the internal workings of DevOps pipeline security from a supply chain perspective, and we get into dealing with open source packages as well.
Why is access so difficult to secure? This and many other questions are answered by our guest, Yoav Turgeman Levi, Senior DevOps Engineer at a startup called Harmonya. Yoav was the first DevOps engineer at the company and was brought on to build the processes from the beginning. He talks to me about his experience dealing with developer access and security at large organizations and applying it to the startup he is currently working at.
It seems like security is mostly a passive game as developers usually think about fixing issues rather than building security into their applications and development lifecycles. In this episode, I talk to Josh Grossman, CTO at Bounce Security and OWASP Israel Board Member about the Top 10 Proactive Controls project by OWASP (The Open Web Application Security Project). Josh walks us through how to think about security risks as well as understand what controls need to be put in place to ensure your applications are secure from day one.
-----
Ways you can reach out to Josh:
Twitter: https://twitter.com/JoshCGrossman
Email: josh(at)bouncesecurity.com
The training mentioned about tool processes: https://twitter.com/JoshCGrossman/sta...
OWASP Links:
Main page: https://owasp.org/
Upcoming events: https://owasp.org/events/
OWASP Top Ten Proactive Controls project: https://owasp.org/www-project-proacti... (Credit to Katy Anton, Jim Bird and Jim Manico who are the project leaders)
What is Policy-as-Code and why is it important to developer security? In this episode, we talk with Eran Bibi, CPO and Co-Founder at Firefly (gofirefly.io) about how policy-as-code enhances business velocity and scale and how early stage companies can utilize policy-as-code to better automate their decisions to give developers more independence as well as ensure security.
Why are startups different from a security perspective? Join Moshe Ferber, Chairman of the Israel Chapter of the Cloud Security Alliance, to learn how startups can ensure their security is up to par for their current phase. Moshe also focuses on application security, discussing how startups generally make the highest percentage of their mistakes at the application layer. We also get into the SDLC and CI/CD pipelines and how to make sure security is top of mind throughout.
We all know the importance of solid product security. But startups aren't always equipped to deal with implementation of the various requirements. So how do you get product security right when you're a young company? And how do you mature without breaking product security? In this episode, Neatsun Ziv, Co-Founder and CEO at Ox Security brings his wealth of experience from large organizations, such as Checkpoint, to share how we can all implement better product security without cannibalizing developers' time.
What is code integrity and how does it affect the software supply chain? Have you heard about Log4j? In this episode, I talk with Barak Brudo, Developer Relations Advocate at Scribe Security, about the Software Bill of Materials (SBOM) and how it helps ensure all your code and packages are secure, down to the file level. By utilizing automated SBOMs, both companies and users can better understand which packages, dependencies, and file versions are in your software. All this makes dealing with supply chain problems much easier by ensuring the integrity of all the packages and files being utilized.
Is your startup or small business doing everything to ensure security basics are in place? Minimum Viable Security is not a new concept, but it has become more widespread as companies have seen record numbers of ransomware, supply chain, and other attacks in the past few years. We had the pleasure of talking with David Melamed, CTO & Co-Founder of Jit.io, to discuss how small companies need to ensure a minimal level of security as part of a "born left" philosophy, going beyond the usual shift left story.
What is the top security issue small businesses face today? Dr. Chase Cunningham, also known as Dr. Zero Trust, is a leading cybersecurity expert and originator of Forrester's ZTX Zero Trust Extended Framework. In this episode, I interview Chase about best practices that startups and small companies should be implementing when building their product. Chase also gives us some tips for making security an integral part of your pipelines without adding additional operational burden on developers.