A Podcast dedicated to forging iron clad relationships between developers, engineers, operations, and security practitioners by discussing hot topics in the world of DevSecOps. This podcast aims to air out some of the common gripes, misconceptions, and hardships that these teams face in the real world every day.
Ken Toler, Jamieson Colburn, and Simon Dollo
In this must-listen episode of Relating to DevSecOps, Ken welcomes the ever-inspiring Tanya Janca, aka SheHacksPurple—author, AppSec expert, and champion of making security usable. Together, they dig into why so many application security policies fail, why developers ignore them, and how to make them actually work. Tanya shares real-world experiences from both dev and security perspectives, plus her journey from being ignored to lobbying governments for change. From communication failures and TL;DR policy pages to leveraging wikis and code reuse, this episode is a practical masterclass in creating impactful, developer-friendly security standards.
In this episode of Relating to DevSecOps, Ken Toler and Mike McCabe dive deep into Google's blockbuster acquisition of Wiz.io for a reported $32 billion. They explore the implications for cloud security, the consolidation of the DevSecOps tooling landscape, and how this move compares to Google's previous acquisitions like Mandiant and Chronicle. The duo debates the future of multi-cloud strategies, platform fatigue, and whether Wiz will remain the darling of the security community—or get lost in the labyrinth of Google Cloud products. With sharp insights and a dash of hot takes, they paint a picture of a cloud security ecosystem at a pivotal turning point.
Welcome to 2025! Ken and Mike kick off the new year with their security resolutions (or lack thereof) before diving into the bittersweet farewell to ShmooCon, one of the most beloved hacker conferences. Ken shares his experiences from the final event, including insights on hardware hacking, radio security, and the unique hacker culture that made ShmooCon special. They also unpack one of the most practical talks from the conference: a deep dive into open source security tools versus enterprise solutions, highlighting ways security teams can cut costs without sacrificing effectiveness. Speaking of open source, the hosts discuss the controversy surrounding Semgrep's licensing changes and the rise of OpenGrep, the latest community-driven fork in response to closed-source shifts—drawing parallels to the Terraform/OpenTofu saga. Finally, the duo explores cyber risk from an insurance perspective, breaking down how breaches translate into real-world financial costs (hint: mailing breach notifications alone could bankrupt you). Whether you're a security pro, an open source advocate, or just here for the ShmooBall nostalgia, this episode has something for you!
In this special holiday-themed episode of Relating to DevSecOps, hosts Ken and Mike channel their inner Dickens with a retrospective journey through the "Ghosts of DevSecOps Past, Present, and Future." From lessons learned about security awareness and collaboration challenges of the past, to the growing pains and contradictions of today's implementation of security basics, they explore it all. Wrapping up with a hopeful look at future innovations like policy-as-code and preemptive security measures, the hosts outline their visions for a more integrated and automated security future. Packed with insights, humor, and holiday spirit, this is a must-listen for those charting the path forward in DevSecOps.
In this episode of Relating to DevSecOps, hosts Ken and Mike tackle the complex challenges of managing security budgets in organizations of all sizes. From small, scrappy teams to sprawling enterprises, they explore how security leaders can navigate tight financial constraints while maintaining strong security postures. They share insights on integrating security into IT operations, leveraging open-source tools, and rethinking traditional budget allocations. Whether you're a CISO grappling with scaling or a developer looking to improve security outcomes, this discussion is packed with actionable strategies and thought-provoking debates on the future of security spending.
Watch on YouTube: https://www.youtube.com/watch?v=8U3QzJBCNZ0
In this episode, Ken and Mike discuss the pressing issue of staffing security in the DevSecOps field. They explore the challenges of finding qualified application security professionals, the importance of diverse backgrounds in security roles, and the paradox of understaffed security teams despite a high demand for cybersecurity jobs. The conversation also delves into strategies for mitigating staffing issues, such as empowering security champions within organizations, leveraging automation and tooling, and avoiding bottlenecks in security processes. Throughout the discussion, they emphasize the need for a balanced approach to security that considers both technical and human factors.
Ken and Mike dive deep into the world of metrics and measurement in the context of security and DevSecOps. They explore the critical role metrics play in driving security improvements, from tracking vulnerabilities to gauging the effectiveness of incident response. The hosts discuss what makes a good metric, the importance of aligning metrics with business goals, and the dangers of relying too heavily on numbers alone. They also tackle the challenges of quantifying "squishy" aspects like culture and training effectiveness. Whether you're a seasoned security professional or just getting started, this episode offers valuable insights into the art and science of measurement in security.
Reference talk: https://www.youtube.com/watch?v=GXTvlQXVCOs&t=0s
Ken and Mike discuss the importance of postmortems in incident response and security incidents. They explore the definition of postmortems, the value of reflection, the challenges of blame, and the significance of actionable outcomes. They also touch on the transparency of postmortems and the need for root cause analysis. The conversation concludes with a brief announcement about an upcoming conference series.
Ken and Mike discuss supply chain security, including software composition analysis (SCA) and software bill of materials (SBOM). They highlight the importance of understanding the components that make up your software and the risks associated with using third-party libraries. They also discuss recent supply chain failures, such as the XZ library hack and the SolarWinds attack. The hosts emphasize the need for organizations to stay up to date with software patches and to consider the security of commercial off-the-shelf software. They caution against placing too much focus on any one security tool or approach, including SBOM, and instead advocate for a well-rounded approach to security.
In this episode Mike and Ken dive into the wild world of SaaS products in DevSecOps. From vendors to security tooling hygiene, they cover an often overlooked ecosystem of cloud and software services that may be rotting in the sky of your workloads. Join up for a listen on SaaS security!
With pep and full youtube energy Ken and Mike discuss the findings of the IBM "Cost of a Data Breach" report and its implications for DevSecOps. They highlight the importance of integrating security into every phase of the software development life cycle and the positive impact it can have on reducing the cost of a data breach.
Ken and Mike discuss their new year's resolutions related to application security. They also reflect on the impact of AI and its adoption in the industry. The hosts share their experiences attending conferences and highlight interesting talks on topics such as zero-day vulnerabilities and fuzzing LLM models. They discuss the OWASP LLM Top 10 and the evolving perception of AI in the industry. The conversation concludes with a discussion on the definition of DevSecOps and how it has evolved over time, as well as their predictions for DevSecOps in 2024.
We are joined by incredible guests Mikhail Chechik and Marcus Hallberg as they help us define DevSecOps and emphasize the importance of a security mindset throughout the development process. These two incredible folks explore common misconceptions about shifting left and discuss the challenges of triaging and validating vulnerabilities early in the development lifecycle. We enter the wild world of this wonderful shifting buzzword and how it applies to incident response, design, people, and the general development process.
On this episode of R2DSO Mike and Ken dive into their takeaways and experiences from LASCON 2023 in Austin, TX, where AI was both a problem child and praised bringer of salvation in security. Vendors and companies alike are embracing AI with wide eyes and there was no shortage of talks, presentations, and hallway conversations about the topic. Beyond that, security is fast accepting that it can't be the department of "No", a consistent theme here on the podcast. The team had a fantastic time at LASCON and we're happy to see where the industry is going!
In this episode Ken and Mike dive directly into the meat with solutioning and mitigation. All too often security professionals find themselves falling into the trap of focusing on vulnerability counts, evangelizing findings, and playing the age old game of red, yellow, green. We jump straight into the why of this focus in the industry and offer some ideas on how to get out of it successfully. If you're interested in a conversation about solving problems rather than just identifying them, hop on in!
In today's episode, we untangle the web of alphabet-soup technologies: CSPM, VM, SIEM, and Log Aggregators. We go beyond the buzzwords to give you a no-nonsense look at how these tools fit together, complement each other, or might even replace one another in specific use-cases. Selecting the right tool can be overwhelming, and we're here to guide you through the when, where, and how of leveraging these technologies effectively. Whether you're encountering overlapping features or unique challenges, we'll help you make a savvy, informed choice for your workloads. Tune in for a practical guide to navigating the complex landscape of cybersecurity tools.
Dive headfirst into AppSec and Terraform security with Ken and Mike in this electrifying podcast episode. They demystify complex security concepts, offer golden nuggets on Cybersecurity programs as a DevSecOps concept, and provide a rare glimpse into the high-octane training sessions they're delivering at BlackHat, Defcon, and Lascon. This episode is a view into building resilient security programs, tackling compliance challenges, and comparing bug bounty programs and pentests. Brimming with empathy and passion, it's a captivating blend of strategic insights and practical advice for navigating modern cybersecurity landscapes. Tune in, soak up the armchair hot takes!
Ken and Mike dive into the exciting world of modern application and cloud security, with a keen focus on the challenges posed by legacy systems. They explore the hurdles faced when dealing with older applications written in stalwart languages like Java, .NET, Rails, and Python, and shed light on the complexities of addressing security issues in these systems. Join them as they discuss everything from slow performance and resistance to change to the intricate nature of large monolithic applications. In addition, they tackle the concept of security absolutism and highlight the significance of finding a balance between security and functionality in business operations. They explore the idea that security may sometimes be viewed as a revenue protection function, emphasizing the importance of long-term strategies and the holistic consideration of financial implications as a helpful factor when evaluating risks.
In this captivating episode of R2DSO hosts Ken and Mike embark on an exploration of security automation in the realms of application and cloud security. With a keen understanding of the pitfalls, they emphasize the need for precision, consistency, and repeatability. Stepping beyond the traditional confines of scanning, and automation techniques destined for failure, they offer insightful analogies and practical advice, empowering listeners to harness the true power of secure automation. Join this engaging conversation tailored for technical application security enthusiasts and discover the keys to unlock a new era of efficiency and effectiveness.
In this action-packed episode, Ken, Mike, and Izzy (Ken's cat) dive headfirst into the wild world of DevSecOps penetration testing: is it possible or downright preposterous? Can we truly automate pentesting in this breakneck DevSecOps environment, or are we chasing a cybersecurity unicorn? Discover the vital distinction between red team operations and adversarial simulations within the DevSecOps landscape. We strip back to basics, defining penetration testing and its critical role in security programs. We're talking practical, actionable insights into building robust pentesting into your CI/CD pipelines and vulnerability management by leaning on these concepts of DevSecOps for your red teams.
Mike and Ken dive into the exciting topic of mergers and acquisitions. Take a bit of time out of your day to join them in their explorations of how M&As have affected operations for clients, companies, and security teams. Today they discuss techniques, trials, tribulations, and methods for tackling the joining of two companies, organizations, and teams, bringing real scenarios from their own experiences.
Join Mike and Ken as they discuss collaborative security work and what working together looks like in enterprise and organizations. In an effort to help people make better security decisions, in this episode they cover avoiding silos, working effectively together, picking your battles, reframing the security conversation with engineers, and using security as an enabler.
Now available on YouTube: https://youtu.be/HDOWGqmaILc
Join Mike and Ken in their discussion about incident response and how it fits into the DevSecOps world and arena. Incident response, logging, and monitoring are hard problems to solve, and Mike has some strong opinions on how to leverage and use native tooling to prepare and respond to incidents in your environment. Understanding logs, what to do with them, and how to filter through all of the noise are all covered in this episode. Mike and Ken also mention some tools and techniques you can start using for free today. Apologies for the canine background; both dogs joined us for the episode.
Some links from this episode:
OWASP Cloud Top 10: https://owasp.org/www-pdf-archive/OWASP_Cloud_Top_10.pdf
Electric Eye: https://github.com/jonrau1/ElectricEye
We dive back into bringing guests onto the show focusing on real problems with real people on the ground. In this episode, we are joined by Hecber Cordova, Director of Cloud Security at RBC. He shares insights around growth into DevSecOps, developing empathy with your engineering teams, creating cloud patterns, paved paths, and building secure architectures from the ground up. If you're interested in hearing from someone who has built strong security cultures in large institutions, this is an episode to listen to!
Links mentioned on the show:
https://cloudseclist.com/
https://cloudsecurityforum.slack.com
In this episode, Mike and Ken will dive deep into the world of ChatGPT and explore how it can be used to generate code for developers and operations teams. They'll discuss the benefits and drawbacks of relying on AI for security, and how it can be used to improve the security posture of your organization. But that's not all: Mike and Ken will also explore the challenges that come with scripting examples such as Terraform, AWS, Azure, and Python scripting for data structures. They'll share their experiences and insights into how you can overcome these challenges and succeed in your secure development and operations journey. So, buckle up and get ready for a high-energy, fast-paced episode that digs into how you might lean on ChatGPT for your DevSecOps workloads... or maybe not!
In this episode, our hosts recap the Global OWASP AppSec Dublin conference and share insights into interesting talks about DevSecOps. They delve into the challenges and opportunities that come with securing modern applications in a dynamic and ever-changing landscape. The hosts also share their frustrations with application security vendors in the space and discuss potential solutions to overcome these challenges. Along the way, they also share their experiences in Dublin. Tune in for a candid and engaging conversation about DevSecOps, the future of application security, and the Irish experience.
To view the talks from Global OWASP AppSec Dublin, check out their playlist here: https://youtube.com/playlist?list=PLpr-xdpM8wG8479ud_l4W93WU5MP2bg78&si=EnSIkaIECMiOmarE
Today's episode covers one of the most common problems for software development teams and their security partners: application inventory. App inventory brings to mind different struggles and difficulties for teams, and even Ken and Mike have a few different experiences in approach. The team breaks apart some differences between asset inventory, software constellations, service discovery, and API security.
If you want to meet and greet, come see us in Ireland at OWASP Global Dublin 2023!
Happy New Year! Another year of DevSecOps fun as we head into an unpredictable and volatile security market. Ken and Mike talk hiring and the struggle between having a ton of talented, passionate junior talent and a security mission that requires experienced individuals with a limited budget. Inadequate staffing, the reality of security vs engineering budgets, bridging the talent gap with internships, and an all call to organizations to fund security programs are all hot topics in the first episode of the new year. If you're looking to think about some new approaches to hiring, or you're just curious about how to hire security staff without security staff to begin with, give us a listen.
We hope all of the turkey comas have worn off! These holiday delays are almost over, and in the meantime here we are with the second part of how security verticals fit into the great sprawling world of DevSecOps! Mike and Ken discuss migration from on prem to cloud and how this shift has had a tremendous effect on the perception of data security. It's become easier and easier to spin up data storage solutions in cloud and infrastructure as code, but it's led to some common and repeated mistakes that rear their ugly heads. Now the responsibility of spinning up servers, managing credentials, and encrypting data at rest and in transit falls on software engineering shoulders, and with that we're learning that some of those lessons DBAs learned ages ago are back with a vengeance.
It's been tough getting together with the end of year madness, but we're back again after another unanticipated delay. In this episode, we take some time to cover how IAM fits into the greater idea and methodology of DevSecOps. We cover how we think of IAM in today's code driven world and go through some thoughts, opinions, and scenarios around IAM. In the next few episodes we'll be covering how other security verticals like data, incident response, and endpoint detection/response meet application and cloud security horizontals.
Videos are coming before end of year! Keep an eye on our YouTube channel for live exercises.
Don't judge Ken on his choice of Almond Joy as a superior Halloween candy.
We are back from vacation! Pick up where you left off as we jump back into DevSecOps with threat modeling experiences, lessons, and perceptions we've seen in our day to day. After getting through a bit of a slow start, we revisit this topic all the way back from episode 3 where we got the hot takes on threat modeling from our resident DevOps and software engineering representatives Jamieson and Simon. Here we unpack a bit of how to get started in threat modeling, approaches we've seen that have worked and failed, and some general guidance on getting started. We had a blast getting back in the saddle and hope you enjoy the listen.
One thing Mike and Ken have talked about at length at conferences, in board rooms, and in team chats is migrating workloads to the cloud securely. Join them as they discuss the migration patterns, how they vary between your favorite cloud service providers, and just where security fits into the whole mess. From on prem, refactoring, lift-and-shift, native cloud workloads, or just someone else's computer, we have enough buzzwords to knock your socks off this time around.
We are BACK after a hiatus of vacations, illness, and family gatherings! While we may have been absent, we are at no shortage of words to say and hope you enjoy our conversation about Kubernetes and the variety of flavors cloud service providers have to offer. From EKS through GKE and AKS we cover security concerns and challenges we've seen in the last few months. We talk about why teams choose to implement one or the other and how you might think about locking down your own Kubernetes instances. Through that we try to keep the humor alive and our listeners engaged!
Mike and Ken take it back to the roots with a special anniversary episode on what is DevSecOps. Since we started this podcast we've had a lot of topics that fit the overall DevSecOps buzzword, but in this episode we talk about some of the evolution DevSecOps has gone through, how it's perceived in the industry and market today, and some hot takes on what's changed. The good, the bad, and the ugly. We leave it to you to decide: has DevSecOps lost its marketing shine and buzzword status?
Mike and Ken are BACK after a small hiatus and they jump into hot takes on multi-cloud. What does multi-cloud even mean? How does it differ from hybrid cloud, private cloud, or even just the status quo data center? The hosts discuss integration of products and projects into a multi-cloud deployment, security concerns associated with the approach, and how it differs from the horrors and challenges in private cloud and hybrid cloud. The team talks resources, talent, hiring, and what challenges they've faced over time shifting organizations into cloud deployments. As the passion increases, hot takes on hot takes manifest and a discussion of cloud unicorns ensues. We hope you enjoy!
Ken had a chance to attend a blockchain conference for Solana out in Miami and Mike hops into the interviewer seat. We talk about some differences between the approach. With a heavy builder community we chat through the build it on site mentality of Solana devs and the driving market that is new and novel blockchain ecosystems. From new projects, industry verticals, and everything from gaming to sports betting. We give you some hot takes and first looks at Solana Miami.
In this Episode we talk about the differences in code review depending on role and how you can be a better code reviewer on the "blue" side. Sometimes security tends to think in breaks and hacks, but we talk about how to think and act like a secure developer. Continuing the theme of systemic fixes, we discuss how difficult it can be to review small segments of code without context, how code reviews change when you move internal, and what you can do about it.
A continuing trend in cloud and application security has been the modularization of application functions that offloads the developer responsibility for security and even some development! We cover how these cloud legos affect secure architectures, how the assessment paradigm shifts to configuration, how traditional silos such as #cloudsec, #netsec, and #appsec change. Mike brings a real world scenario and provoking thoughts around how we can possibly call something secure if we don't understand all the cards and players. In this episode Mike coins the phrase of holistic medicine in cloud. As long as we can beat Whole Foods to the punch.
In this episode we introduce the general concepts of security in cryptocurrency and blockchain, and what we see in our day to day with regard to application security and DevSecOps. We cover developer personas, cloud, centralized organizations, the difference in transparency, compliance, and frustrations as Mike grills Ken and teases out a tangent or two.
In this episode we cover another security perspective on logging and monitoring in the cloud as opposed to web applications specifically. We dive into Mike's view on how logs and software defined infrastructure evolve in the world of incident response and detection today. With the propagation of infinitely scalable cloud environments, we dive into ways to wrangle logs and make sense of the information these environments generate. Whether it's automation or filtering, we get this conversation started with the cloud side of DevSecOps.
In this episode Mike and Ken talk about the magic of software defined things and how skill crossover is becoming a thing of the future. Maybe history is repeating itself. Whether it's endpoint detection and response, physical security, disaster recovery, networks, or a firewall, it seems like everything has a software defined equivalent. Developers and Application Security engineers are being called on more and more to know things they didn't have to even 5 years ago. The team digs into this topic by looking at it through two lenses, what skills engineers need, and how software deals its own set of pros and cons in cloud and modern infrastructure.
Happy New Year from R2DSO as we head into 2022. In this episode we bring back Michael McCabe for a more permanent role on the show! Super exciting for us and hopefully for you. We talk about our plans for the future of the show including interactive components, video, and expansion on the existing repository. We also take some time to talk about trends in security skills that organizations are looking for and what types of programming languages are hot in the industry right now. Join us for a light-hearted comeback as we jump into talent, technical skills, and predictions for 2022.
In this alliterative episode we bring back Mike McCabe to wrap up a security year in consulting with common trends and successes in security. On the back of Ken and Mike's talk at LASCON 2021, these two break down some of the common security themes from clients and scenarios that highlight just how we've progressed in an almost fully remote year of work. AppSec programs, maturity, compliance, transferring risk, and infrastructure as code are just a few of the topics we chat through. We know it's been a while since we've laid down some content, but we are excited to bring Mike on for more and more as we get into 2022 content.
We've had a bit of an end of year rush so just wanted to give listeners a preview of what's to come in the next few episodes. We're laying down the tracks now and should have something out the door early December. Thanks for all of your support and feedback. We're looking forward to getting back into the studio!
We know, we know! It's been too long between episodes, but we had some speaking engagements, conferences, and general life going into November, and here we are. In this episode we cover unit testing, what it means to security vs what it means to engineers, and some learning along the way as we dig into what makes a good unit test. All too often security engineers are telling development teams they need to write security unit tests, but they don't say how or what to write. We go through definitions, potential examples, and a bit of debate on this riveting nerd out of an episode of R2DSO.
In this episode we squeeze one more git topic out with an attack through a PR. Based on a recent article posted on https://cloudseclist.com/ we thought it fit the series pretty well and put a nice capstone on everything. You can read the article we reference yourself at https://goteleport.com/blog/hack-via-pull-request/ This episode is full of hot takes and rambling, but we thought we ended in a good place even if we went through a few roundabout analogies to get there. Learn more about how security relates to building a house, robbing a bank, and fixing your kitchen sink.
Bad puns end this series with branching strategies and git. We start with Simon's preferred approach from a product engineering strategy for branching and why it works for him. Then we talk about some of the common issues that occur due to strategies that are not optimized for the organization running them. Some of these include over engineering, cultural frustrations, re-work, and security bugs! Join us for the capstone of the git series in 2021; we hope you enjoy the listen.
In this episode we cover a few technical topics, but primarily how to get started with getting security into your git pipeline through git hooks, pre-commit strategies, secrets analysis, and scan automation. We also cover some best practices that help engineers and developers stay security minded throughout their time in the repository. We hope you have as much fun listening as we did recording!
We head into an unknown number of episodes around git. In this episode we introduce git and common security concerns to folks who may be unfamiliar with either. Git is an essential skill for security practitioners and engineers, and sometimes we're just winging it when it comes to doing things right (or at least our opinion of right). We cover differences between rebase and merge, common commands that become problems down the road, and some problems we've faced in our careers with using, evaluating, and analyzing code in a repo.
In this episode we chat blueprints, security patterns, reference architectures, and plans. Basically what we've seen in terms of the left hand side of the SDLC in establishing requirements early. This topic came about after reading the recent AWS Security Reference Architecture and grappling with implementation. We get pretty metaphor and analogy heavy in this one with some examples that may or may not make sense. Ultimately, these things work! We've seen them in the real world in a variety of samples, and hopefully you'll use them too.
AWS Security Reference Architecture: https://aws.amazon.com/blogs/security/aws-security-reference-architecture-a-guide-to-designing-with-aws-security-services/
Developer Take on Using Reference Architectures: https://ab-lumos.medium.com/embedding-security-into-sdlc-using-reference-architectures-for-developers-29403c00fb3d
In this somewhat makeshift, low-power episode recorded during the NYC power grid strain, we do our best at getting inventive with recording techniques. Topic of the day: does DevSecOps really work? We discuss some of our failures, frustrations, and successes with DevSecOps. We also cover things you can do to succeed with DevSecOps techniques. While it may seem like fighting an uphill battle in security automation and all of these fancy modern security practices, we share some stories and methods to make sure these things stick.