Podcasts about devsecops

  • 358 podcasts
  • 2,776 episodes
  • 48m average duration
  • 1 new episode daily
  • Latest episode: Jul 1, 2022

POPULARITY (chart by year, 2012 to 2022; not reproduced here)


Best podcasts about devsecops

Show all podcasts related to devsecops

Latest podcast episodes about devsecops

DevOps and Docker Talk
Infrastructure as Code, Patterns and Practices

DevOps and Docker Talk

Play Episode Listen Later Jul 1, 2022 47:57


Bret is joined by Rosemary Wang, a developer advocate at HashiCorp. She recently finished a Manning book titled Infrastructure as Code: Patterns and Practices. They discuss how infrastructure as code fits into DevOps and GitOps, how you can get started with IaC, and run over some important patterns such as controlling versioning, IaC testing and managing costs. Rosemary worked at ThoughtWorks previously, and it was interesting to hear her experiences on learning from senior engineers, and how pairing and other types of mentorship can help. Streamed live on YouTube on April 28, 2022. Unedited live recording of this show on YouTube (Ep #168).

Topics: Infrastructure as Code: Patterns and Practices, with examples in Python and Terraform
Rosemary Wang: Rosemary on Twitter
Join my Community: Best coupons for my Docker and Kubernetes courses; Chat with us on our Discord Server Vital DevOps; Homepage bretfisher.com
Support this podcast on Patreon

Ship It! DevOps, Infra, Cloud Native
Postgres vs SQLite with Litestream

Ship It! DevOps, Infra, Cloud Native

Play Episode Listen Later Jun 29, 2022 73:27


Ben Johnson, the creator of Litestream, joined Fly.io a few weeks after we migrated changelog.com (episode 50 has all the details). That was pure coincidence. What was not a coincidence is Gerhard jumping at the opportunity to talk to Ben about Postgres vs SQLite with Litestream. The prospect of running a cluster of our app instances spread across all regions, with local SQLite and Litestream replication, is mind boggling. Let's find out from Ben what it will take to get there. Thanks Kürt for kicking off this dream.

Getup Kubicast
#92 - Kubernetes 1.24 is out!

Getup Kubicast

Play Episode Listen Later Jun 23, 2022 41:13


The Getup Operations team opened the microphone to hand you, on a platter, the most important points of Kubernetes version 1.24. The first big change was the removal of Dockershim: now CRI-O or containerd runs the show, and we discuss what that means for Kubernetes administrators. We also talk about the arrival of namespaceSelector for pod affinity and pod anti-affinity, and about GatewayClass, which standardizes the use of Gateways and ingress controllers inside Kubernetes. We also go through the Storage Capacity and Volume Expansion features, which are now stable; the creation of short-lived tokens to improve the security of Service Accounts; the OOM metrics the kubelet is bringing; and the opt-in feature for reserving a range of the Service IP space for static IP address assignments. Listen to us, but also read the release notes of the new version to check that we are not just talking nonsense! In this episode, instead of RECOMMENDATIONS, the Getupers discussed what Uncle Elon Musk's next purchase should be. Acquiring the south of Brazil made the list. Buying and unifying all the clouds did too! The GETUPERS who took part in this show: Adonai Costa, not very active on social networks but known to everyone; Danilo Massaro, shyer than Adonai; Gustavo Alexander, who had a bit of a cold; Jandson Oliveira, a fan of Adonai; Marcelo Melo, DevOps engineer with CREA and CKA; Mateus Caruccio, god of Kubernetes for Latin America; João Brito, your favorite Kubicast host! ABOUT KUBICAST: Kubicast is a production of Getup, a Kubernetes specialist and supporter of the UnDistro project, a distribution for managing multiple Kubernetes clusters. The podcast episodes are on the Getup website and on the major digital audio platforms. Some of them are recorded on YouTube. #DevOps #Kubernetes #Containers #CNCF #Kubernetes1.24 #Kubicast
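As an added illustration of two of the 1.24 items mentioned above (this is example configuration written for this page, not from Kubicast or Getup): a Pod that uses the now-stable namespaceSelector in pod anti-affinity to keep replicas on different nodes while matching peers in every namespace labelled team: payments, and that mounts a short-lived, audience-bound service account token through a projected volume instead of relying on a long-lived Secret-backed token. The namespace, labels, image name and audience value are made up.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: payments-api            # hypothetical workload name
  namespace: payments           # hypothetical namespace
spec:
  serviceAccountName: payments-api
  # Do not mount the legacy token at the default path; the projected
  # volume below supplies a bound, expiring token instead.
  automountServiceAccountToken: false
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - topologyKey: kubernetes.io/hostname
        labelSelector:
          matchLabels:
            app: payments-api
        # namespaceSelector (stable in 1.24): consider peer pods in every
        # namespace carrying this label, not only the pod's own namespace.
        # Omitting it (null) keeps the old behaviour of "this namespace only".
        namespaceSelector:
          matchLabels:
            team: payments
  containers:
  - name: api
    image: registry.example.com/payments-api:1.0   # hypothetical image
    volumeMounts:
    - name: sa-token
      mountPath: /var/run/secrets/tokens
      readOnly: true
  volumes:
  - name: sa-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          audience: vault          # token is only valid for this audience (made-up value)
          expirationSeconds: 600   # kubelet rotates the file before expiry; 600 is the minimum allowed
```

To verify on a 1.24 cluster, exec into the pod and decode the JWT at /var/run/secrets/tokens/token: its exp claim should be about ten minutes out and its aud claim should be ["vault"]. Because automountServiceAccountToken is false, nothing is mounted at the legacy /var/run/secrets/kubernetes.io/serviceaccount path, so a workload that also needs the Kubernetes API would add a second serviceAccountToken source with the API server's own audience. Listing Secrets in the namespace also shows the 1.24 change the episode mentions: the controller no longer auto-generates a token Secret for each service account by default.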

Ship It! DevOps, Infra, Cloud Native
How to keep a secret

Ship It! DevOps, Infra, Cloud Native

Play Episode Listen Later Jun 22, 2022 73:12


Rob Barnes (a.k.a. Devops Rob) and Rosemary Wang (author of Infrastructure as Code - Patterns & Practices) are joining us today to talk about infrastructure secrets. What do Rosemary and Rob think about committing encrypted secrets into a repository? How do they suggest that we improve on storing secrets in LastPass? And if we were to choose HashiCorp Vault, what do we need to know? Thank you Thomas Eckert for the intro. Thank you Nabeel Sulieman (ep. 46) & Kelsey Hightower (ep. 44) for your gentle nudges towards improving our infra secrets management.

Changelog Master Feed
How to keep a secret (Ship It! #58)

Changelog Master Feed

Play Episode Listen Later Jun 22, 2022 73:12


Rob Barnes (a.k.a. Devops Rob) and Rosemary Wang (author of Infrastructure as Code - Patterns & Practices) are joining us today to talk about infrastructure secrets. What do Rosemary and Rob think about committing encrypted secrets into a repository? How do they suggest that we improve on storing secrets in LastPass? And if we were to choose HashiCorp Vault, what do we need to know? Thank you Thomas Eckert for the intro. Thank you Nabeel Sulieman (ep. 46) & Kelsey Hightower (ep. 44) for your gentle nudges towards improving our infra secrets management.

Tech Transforms
Security Metrics: Measure Twice, Cut Once with Rick Stewart

Tech Transforms

Play Episode Listen Later Jun 22, 2022 45:30


Rick Stewart, Chief Software Technologist at DLT Solutions, joins Tech Transforms to give insight on Open Source, Platform One, and DORA initiatives. Listen in as Carolyn and Mark learn about the importance of focusing on the right metrics when managing security bottlenecks.

Episode Table of Contents
[00:48] Old Ways of Doing Things
[11:55] Security Metrics That Need Improvement
[22:54] Deploying Security Metrics Using Scheduling Techniques
[33:19] Continuous Authority to Operate Security Metrics

Episode Links and Resources
Rick Stewart: https://www.linkedin.com/in/rick-stewart-09618015/
DLT Solutions: https://www.dlt.com/
Beyond Order: https://www.amazon.com/Beyond-Order-More-Rules-Life/dp/0593084640/ref=asc_df_0593084640/?tag=hyprod-20&linkCode=df0&hvadid=509494905560&hvpos=&hvnetw=g&hvrand=15582897620124099519&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=9030451&hvtargid=pla-1065603015754&psc=1

Old Ways of Doing Things
Carolyn: Today, we get to talk to Rick Stewart (https://www.linkedin.com/in/rick-stewart-09618015/), a good friend. Rick Stewart is a Chief Software Technologist at DLT for more than 34 years. Do you really want me to tell people that, Rick? That makes you sound super old?
Rick: No, it has some relation to the old way of doing things, traditional ways.
Carolyn: He knows the old stuff and the new stuff, with 34 years of diverse experience in the IT industry. He's progressing through technical and leadership roles in telecommunications, mobile entertainment, the federal government, and the manufacturing industries. Today, Rick is joining us to talk about DevOps research and assessments, or DORA, a term that is new to me. He'll also talk about the four key metrics for increasing efficiency and delivering service. He will discuss how Platform One has advanced the cultural transformation to DevOps.
Mark: Welcome Rick. By the way, Rick started this when he was six.
Carolyn: That's right. I'm going to be honest. I've been in the industry for a while, and I have never heard the term DORA. DevOps Research and Assessments make sense. I just haven't heard the acronym. They have four key metrics for increasing efficiency in delivering service. Those metrics are deployment frequency, lead time for changes, change failure rate, and time to restore to service. Will you unpack those for us?
Rick: It's interesting that you say that because I attend several different events and conferences where we have, especially in the public sector, astute people that have lots of experience.

Security Metrics As a First-Class Citizen
Rick: They're on this journey of DevOps or in the public sector. It's more DevSecOps, bringing security up as a first-class citizen. They were talking about the things that they capture, the journey that they're on, and their improvements. On one of these occasions, DORA was brought up. I think it may be a Q&A panel. It was surprising that a lot of them didn't know what this organization does, especially being so well versed in the cultural transformation, not knowing some of the things to focus on. I thought it was really important to shine a light on.
Carolyn: Is it a federal organization?
Rick: No, it's more of a community-based organization, an industry-based organization. We've got people like Jez Humble and Gene Kim and others that are involved with this. What they do is, they go out and they do surveys of not just the public sector, but the private sector, all organizations globally. They basically give them surveys and they talk about their experience, where they're at in the spectrum of their journey, and what they have discovered through this analysis. It's a really deep, long analysis. There's a book called Accelerate that was done by Nicole Ferguson. She has a PhD and took lots of painstaking analysis of these organizations and these teams and asked them a series of questions. What it boiled down to is

DevSecOps Podcast
#23 - SDL PT9 - Perform Static Analysis Security Testing (SAST)

DevSecOps Podcast

Play Episode Listen Later Jun 22, 2022 59:06


In the ninth episode of the SDL series, you follow along with Static Application Security Testing (SAST). What? How? Where? When? And above all, for whom? Let's dive into the topic to help you develop secure software the right way.

The New Stack Podcast
Counting on Developers to Lead Vodafone's Transformation Journey

The New Stack Podcast

Play Episode Listen Later Jun 21, 2022 13:27


British telecommunications provider Vodafone, which owns and operates networks in over 20 countries and is on a journey to become a tech company focused on digital services, plans to hire thousands of software engineers and developers who can help put the company on the cloud-native track and make use of its network through APIs.

In this episode of The New Stack Makers podcast, recorded at MongoDB World 2022 in New York City, Lloyd Woodroffe, Global Product Manager at Vodafone, shares how the company is working with MongoDB on the development of a Telco as a Service (TaaS) platform to help their engineers increase their software development velocity and drive adoption of best-practice automation within DevSecOps pipelines. Alex Williams, Founder of The New Stack, hosted this podcast.

Vodafone has built a backbone to keep the business resilient and scalable. But one thing they are looking to do now is innovate and give their developers the freedom and flexibility to develop creatively. “The TaaS platform – which is the product we're building – is essentially a developer-first framework that allows developers and Vodafone to build things that you think could help the business grow. But because we're an enterprise, we need security and financial assurance, and TaaS is the framework that allows us to do it in a way that gives developers the tools they need but also the security we need,” said Woodroffe.

The idea of reuse as part of an inner sourcing model is key as Vodafone scales. The company's key initiative ‘one source' enables their developers to incorporate such a strategy: “We have a single repository across all our markets and teams where you can publish your code and other teams from other countries can take that code, reuse it, and implement it into their applications,” said Woodroffe. “In terms of outsourcing to the community, our engineers want to start productizing APIs and build new, innovative applications which we'll see in a bit,” he added.

“The TaaS developer platform that we're building with MongoDB acts as our service registry for the platform. When you provision the tools for the developer, we register the organizations, the cost center and guardrails that we've set up from a security and finance perspective,” said Woodroffe. “Then we provision MongoDB for the developers to use as their database of choice.”

“What we'll see ultimately, as the developer has access to these tools [TaaS] and products more, is they'll be able to build new innovations that can be utilized through our network via APIs,” Woodroffe said.

Software Engineering Institute (SEI) Podcast Series

In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Hasan Yasar, technical director, Continuous Deployment of Capability at the SEI, and Jay Palat, interim director of AI for Mission in the SEI's AI Division, discuss how to engineer AI systems with DevSecOps and explore the relationship between MLOps and DevSecOps.

Cloud Security Today
MITRE + Cloud

Cloud Security Today

Play Episode Listen Later Jun 21, 2022 40:35


As the world of cloud security continues to progress at high speed, new challenges and threats arise and morph on a constant basis. The MITRE Corporation is a body tasked by the US government with solving some of the largest threats in cybersecurity and beyond, and we are very lucky to welcome Tracy Bannon to the podcast today, who is Senior Principal and Software Architect & DevOps Advisor at MITRE. Tracy opens up about her career journey leading up to her current position, what drew her into the work at MITRE, and how the simplicity of the solutions-focused mission has embedded her loyalty and passion within the organization. The conversation also goes some way into exploring the potential and limitations of zero trust, and what it actually means to make progress towards safer environments. Along the way, our guest makes some interesting and quite unique arguments for why words matter, and why change is healthier through a philosophy centered on building. So to catch it all in this fascinating conversation, make sure to join us on Cloud Security Today!

Key Points From This Episode:
Tracy unpacks a brief history of FFRDCs and their role as objective technology advisors.
The two main areas of Tracy's work at MITRE: digital transformation of software factories, and data centricity in data environments.
Understanding MITRE's practical application and validation of the principles of zero trust theory.
Weighing the validity of the negative reputation that developers have when it comes to security.
Issues with the terms DevOps, DevSecOps, and SecDevOps, and the overloading and rushing that often happens on security teams.
Why Tracy prioritizes 'culture building' over 'culture change' when thinking about progress.
Leading teams, modeling behaviors, and realistic expectations for human error.
Tools and safety nets in the cloud-native approach; Tracy's perspective on how much value to assign to these.
Why the mission at MITRE initially piqued, and subsequently retained, Tracy's interest!

Tweetables:
“It's not a recipe. It's not five things you have to do. It's understanding the principles and then applying them, being able to audit them, and validate consistently that they're happening. MITRE does both sides of that.” — @TracyBannon [0:07:44]
“Our job is not to land and expand. It's impact. At all costs, it's to make impact. If it's one person, or a half of that person, it's really defined by the ability to keep the US safe.” — @TracyBannon [0:09:39]

Links Mentioned in Today's Episode:
Tracy Bannon on LinkedIn
Tracy Bannon on Twitter
MITRE Corporation
Revelation
The Kill Chain
Zero Trust Security
The Software Architect Elevator
People Before Tech

Comprehensive, full-stack cloud security: secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

TFIR: Open Source & Emerging Technologies
Jetstack Helps Enterprises Secure The Software Supply Chain | Matthew Bates

TFIR: Open Source & Emerging Technologies

Play Episode Listen Later Jun 20, 2022 13:31


Jetstack helps businesses to build and operate cloud-native infrastructure with Kubernetes. The company was formed back in 2015, just a year after the Kubernetes open source project was started. Matthew Bates, CTO of Jetstack, sits down with Swapnil Bhartiya in this episode of Let's Talk from KubeCon + CloudNativeCon EU to introduce the company and its mission. Jetstack recently released a comprehensive toolkit to help development and security teams secure the software supply chain. Bates feels that this is something we need to take seriously and people need to be made aware of the sophistication of the risks in the attacks they are seeing. He discusses what Jetstack is doing to provide a digestible means to better understand this topic. On discussing why he thought Kubernetes was such a game changer when it was first released, Bates says, “We felt that this presented a really interesting opportunity to be able to build those systems, and also for enterprises to rethink the way that they develop, build and ship software as well. We thought it was the start of a real shift.” Besides the opportunities Kubernetes brings, Bates gives some insights into the challenges enterprises face as they try to navigate Kubernetes and cloud-native technologies. One of those challenges, security, continues to be a critical factor to handle. However, Bates feels that security is increasingly being made a priority earlier in the life cycle. Key highlights from this video interview are: Bates describes what motivated him to form Jetstack and how the introduction of Kubernetes presented many opportunities for building complex, potentially stateful systems. He discusses what challenges enterprises faced as they looked to understand and embrace the new technology and how Jetstack has been helping. Bates explains that Jetstack is an advisory and a product company. 
He goes into depth about the customers they are helping, particularly with very large banks and how Jetstack is helping them understand the challenges and the breadth of the tools in The Cloud Native Computing Foundation (CNCF) to help address them. The cloud-native ecosystem is evolving, which compared to traditional IT is considerably more complex. Bates discusses the evolution over time they have seen in people consuming Kubernetes and how the ecosystem is maturing. Security continues to be a critical consideration for cloud with zero-trust remaining complicated to implement. Bates feels that DevSecOps is prioritizing security rather than it being an afterthought. He explains the benefits Kubernetes brings for having the ability to have security built into the platform.

Platform One (P1) Pod
Platform One (P1) Pod – Ep.3 – Organizing Around Value

Platform One (P1) Pod

Play Episode Listen Later Jun 17, 2022


Austen plays solo host in this episode while Drew Belk sits in the guest seat along with Erica Westendorf, a DevSecOps Product Manager at Platform One as they discuss how P1 worked to organize around value. They explore the notion of remaining centered on value delivery while scaling an organization. They also discuss how an organization can move past functional silos so everyone has ownership in solving the bigger problem and not just their small ”functional” part of it.

Changelog Master Feed
What do oranges & flame graphs have in common? (Ship It! #57)

Changelog Master Feed

Play Episode Listen Later Jun 17, 2022 64:38


Today we are talking with Frederic Branczyk, founder of Polar Signals & Prometheus maintainer. You may remember Frederic from episode 33 when we introduced Parca.dev. This time, we talk about a database built for observability: FrostDB, formerly known as ArcticDB. eBPF generates a lot of high cardinality data, which requires a new approach to writing, persisting & then reading back this state. TL;DR FrostDB is sub zero cool & well worthy of its name.

Ship It! DevOps, Infra, Cloud Native
What do oranges & flame graphs have in common?

Ship It! DevOps, Infra, Cloud Native

Play Episode Listen Later Jun 17, 2022 64:38


Today we are talking with Frederic Branczyk, founder of Polar Signals & Prometheus maintainer. You may remember Frederic from episode 33 when we introduced Parca.dev. This time, we talk about a database built for observability: FrostDB, formerly known as ArcticDB. eBPF generates a lot of high cardinality data, which requires a new approach to writing, persisting & then reading back this state. TL;DR FrostDB is sub zero cool & well worthy of its name.

DevOps and Docker Talk
Applications-as-Code with Shipa

DevOps and Docker Talk

Play Episode Listen Later Jun 17, 2022 57:39


Bret is joined by Ravi Lachhman, Field CTO at Shipa, to discuss the basics of Shipa application and policy management, and to show off the developer experience that Shipa brings to apps running on IaC and GitOps tools like ArgoCD, Crossplane, Terraform, Kubernetes, and more. Shipa is focused on the layer above the infrastructure, where application developers can avoid other Kubernetes manifest tools like Helm or Kustomize and create a cleaner contract between what their application needs and how the infrastructure provides it. If you've done Kubernetes YAML long enough, you know that it can get quite complex and verbose, and it requires both infrastructure and developer roles or knowledge to fully configure it, so you pretty much have to know both worlds. Shipa wants to fit in the middle somewhere, not replacing infrastructure tools like Terraform or Crossplane but working on top of them, providing an easier way to describe your apps from a dev's point of view and how they work on top of your infrastructure. It focuses on the application requirements, not necessarily how those requirements are implemented. Streamed live on YouTube on April 14, 2022. Unedited live recording of this show on YouTube (Ep #166). Includes demos.

Topics: Shipa website; Shipa example; DevOps Days Atlanta
Ravi Lachhman: Ravi on Twitter
Join my Community: Best coupons for my Docker and Kubernetes courses; Chat with us on our Discord Server Vital DevOps; Homepage bretfisher.com
Support this podcast on Patreon

Cyber Security Headlines
June 17, 2022

Cyber Security Headlines

Play Episode Listen Later Jun 17, 2022 7:39


House Armed Services chair calls national security software, systems 'too vulnerable'
Microsoft Office 365 AutoSave can assist cloud ransomware attacks
OMIGOD! There's more to OMIGOD

Thanks to today's episode sponsor, Datadog. Watch Datadog's on-demand webinar for a 30-minute discussion on driving DevSecOps best practices in the enterprise with CTO Cormac Brady. Over the course of his 20+ year career at Thomson Reuters, Cormac consistently built bridges between technical teams—and in the process helped teams achieve superior results and earned himself senior leadership positions. Cormac shares stories and leadership lessons that are applicable to any enterprise technical leader looking to help their firm build and operate services in an increasingly competitive and treacherous digital economy. Watch now at datadoghq.com/ciso/

For the stories behind the headlines, head to CISOseries.com.

RSA Conference
What is DevSecOps and why is it important?

RSA Conference

Play Episode Listen Later Jun 17, 2022 18:23


Integrating security into the development lifecycle can be a challenge, especially for those who don't understand why security matters to development and operations. What's the ROI of DevSecOps? What are the key KPIs? Join us for an insightful conversation that explains why DevSecOps is important while shining a spotlight on some DevSecOps bloopers to avoid. Our guests will also expose the cost of bad DevSecOps and offer suggestions for how to measure developers on security.

Speakers: Keenan Skelly, CEO, Shadowbyte; Stephanie Simpson, Vice President of Product, SCYTHE

Security Voices
The Compliance Episode - History, Theater & Industry-Reshaping Impact

Security Voices

Play Episode Listen Later Jun 16, 2022 67:31


First, a confession: this is the last episode we would have envisioned when we started Security Voices. Compliance was as mundane as it is mandatory; where's the fun in that? Where's the untold, fascinating story of the person who summited the tallest mountain? Rose from ashes to improbable success? In the short years that have passed since we started in early 2019, the world has changed dramatically. And so has compliance. From driving cyber insurance premiums to becoming the security baseline for even startups to achieve in their early days, compliance is now an undeniable juggernaut. While SOC 2 defines the scope of many companies' security game plans, GDPR and its kin drive how we respond to breaches, and industry-specific mandates influence what data we have, how we defend it and even where we store it. In this episode, Jack and Dave welcome both Abby Kearns and Shrav Mehta to demystify exactly what's happening in the world of compliance from two distinct perspectives. Abby speaks from her work on software assurance as CTO at Puppet (and beyond), whereas Shrav's angle is that of a compliance startup CEO. Plainly stated: code on one side, standards and certifications on the other. Both increasingly important and horribly complex.

This four-person dialogue traces the roots of compliance back to the early days of security and the inception of PCI DSS, one of the first widely impactful compliance initiatives to hit the industry. We chart the course of compliance to today and unpack where it has had meaningful impact... and where it is mere box-checking theater we could do without. In a similar fashion, we examine the path to software compliance today and the inevitability of automation given the dramatic changes in release speed and frequency. Abby provides a sober take on where we are today, including a dialogue on what it means for response to threats such as Log4Shell.

If you're a longtime listener, this episode connects back to so many of our past interviews, from Carey Nachenberg (supply chain security) to Andy Ellis (compliance perspective) and Nand Mulchandani, who recently became CTO of the CIA. We hope you appreciate the references if you have already heard those episodes, and if you haven't, consider giving them a listen, as they're some of our favorites and pass the test of time with flying colors.

The Stack Overflow Podcast
Privacy is a moving target. Here's how engineering teams can stay on track.

The Stack Overflow Podcast

Play Episode Listen Later Jun 16, 2022 26:52


Ever since personal information started flowing into applications on the web, securing that information has become more and more important. General security and privacy frameworks like ISO 27001 and PCI provide guidance in securing systems. Now the law has gotten involved with the European Union's GDPR and California's CPRA. More laws are on the way, and these laws (and the frameworks) are changing as they meet legal challenges. With the legal landscape for privacy shifting so much, every engineer must ask: how do I keep my application in compliance?

On this sponsored episode of the podcast, we talk with Rob Picard and Matt Cooper of Vanta, who get that question every day. Their company makes security monitoring software that helps companies get into compliance quickly. We spoke about the shifting sands of privacy rules and regulations, tracking data flows through systems and across corporate borders, and how security automation can put up guardrails instead of gates.

Many security frameworks are undergoing modernization to reflect the way that distributed applications function today. And more countries and US states are passing their own privacy regulations. The privacy space is surprisingly dynamic, forcing companies to keep track of these frequent changes to stay current and compliant. Not everyone has in-house legal experts to follow the daily developments and communicate them to the engineering team.

For an engineering team just trying to understand the effort involved, it may be helpful to start by figuring out where your data flows. Tracking it between internal services may be overkill; instead, track it across corporate boundaries: every database, cloud provider, SaaS system, and dependency it reaches. Each of those should have its own data privacy agreement, so plug into your procurement process to see what each piece of your stack promises on a privacy level.

Your DevOps and DevSecOps teams will probably want to automate as much of the security engineering process as possible. Unfortunately, automating security is hard. The best path may not be to automate the defenses on your system; it might be better to instead automate the context that you provide to engineers. If someone wants to add a dependency, pop up a reminder that dependencies can be fickle. Automate the boring stuff (context, reminders, to-dos) and let humans do the complex problem solving we're so good at.

If you're looking to add an in-house security expert as a service, check out Vanta.com. Their platform connects to your systems and helps you prep for compliance with one or more security frameworks. If those frameworks change, you don't need to do anything. Vanta changes for you.

Cyber Security Headlines
June 15, 2022

Cyber Security Headlines

Play Episode Listen Later Jun 15, 2022 6:25


US defense contractor discusses takeover of NSO spyware
DoJ will no longer prosecute ethical hackers
Attack on Kaiser Permanente exposes data of thousands of customers

Thanks to today's episode sponsor, Datadog. Watch Datadog's on-demand webinar for a 30-minute discussion on driving DevSecOps best practices in the enterprise with CTO Cormac Brady. Over the course of his 20+ year career at Thomson Reuters, Cormac consistently built bridges between technical teams—and in the process helped teams achieve superior results and earned himself senior leadership positions. Cormac shares stories and leadership lessons that are applicable to any enterprise technical leader looking to help their firm build and operate services in an increasingly competitive and treacherous digital economy. Watch now at datadoghq.com/ciso/

For the stories behind the headlines, head to CISOseries.com

Advancing Financial Markets. Together.
The Art of Possible in DevSecOps

Advancing Financial Markets. Together.

Play Episode Listen Later Jun 14, 2022 5:16


5 minutes with DTCC's Marc Masri. In just 5 minutes, we'll explore the world of post-trade financial services by way of new ideas, insight snippets, emerging trends, and thought-provoking questions. In this episode, tune in to hear Marc Masri, DTCC Executive Director, IT Product Management, share our IT DevSecOps journey and how we're looking toward the future by dreaming of "the art of possible."

Episode Details: Head to our podcast page to learn more and subscribe today via email or on all major podcast streaming platforms.

Copyright 2022 - DTCC. All rights reserved. DTCC, DTCC (Stylized), TAKE 5, and the Interlocker Graphic are registered and unregistered trademarks of The Depository Trust & Clearing Corporation. The information and views contained herein are provided for informational purposes only and should not be relied on for any other reason. This material is not intended to be relied upon as a forecast, research, legal or investment advice and is not a recommendation, offer or solicitation to buy or sell any securities or to adopt an investment strategy. The information and views expressed are current as at the date of this document, but subject to change and do not necessarily reflect the views of DTCC and no assurances are made as to their accuracy. Any reliance upon information in this material is at the sole risk of the recipient. Where the information contained in this material is from third party sources, this information is from sources believed to be reliable, but DTCC has not independently verified any of the information contained herein and does not assume any liability for it nor any obligation to modify or update it. This Service is governed by applicable Rules, Procedures, and Services Guide for each DTCC subsidiary, which contain the full terms, conditions, and limitations applicable to this Service.

Application Paranoia
S3EP5 - AI Trends and Agile best practices with Rick Regueira

Application Paranoia

Play Episode Listen Later Jun 13, 2022 59:54


Colin Bell, Rob Cuddy and Kris Duer from HCL Software bring you another Application Paranoia session. In this week's episode the team meets with special guest Rick Regueira. Rick is a seasoned Enterprise & Executive Agile Coach & Trainer, Consultant, Project Manager, and IT professional. He is vastly experienced in leading and mentoring successful organizational Agile transformations at several Fortune 500 companies. If you would like to personally connect with Rick, you can find him on LinkedIn at https://www.linkedin.com/in/rickregueira/. If you are interested in connecting with other agile professionals or learning more about agile, visit Transformation Experts at https://www.teculture.com/ and see their events section. Finally, if you would like to attend the next Agile International Conference, March 16-17 2023, visit https://www.agileinternational.org/aic-2023

Cyber Security Headlines
June 13, 2022

Cyber Security Headlines

Play Episode Listen Later Jun 13, 2022 7:35


Headlines:
- Amazon's chat app has a child sex abuse problem
- Ransomware decryptors now for sale on gaming platform
- China's biggest online influencers go dark

Thanks to today's episode sponsor, Datadog. Watch Datadog's on-demand webinar for a 30-minute discussion on driving DevSecOps best practices in the enterprise with CTO Cormac Brady. Over the course of his 20+ year career at Thomson Reuters, Cormac consistently built bridges between technical teams—and in the process helped teams achieve superior results and earned himself senior leadership positions. Cormac shares stories and leadership lessons that are applicable to any enterprise technical leader looking to help their firm build and operate services in an increasingly competitive and treacherous digital economy. Watch now at datadoghq.com/ciso/

For the stories behind the headlines, head to CISOseries.com

Relating to DevSecOps
Episode #045: What is DevSecOps in 2022 an R2DSO anniversary redux

Relating to DevSecOps

Play Episode Listen Later Jun 10, 2022 35:09


Mike and Ken take it back to the roots with a special anniversary episode on what DevSecOps is. Since we started this podcast we've had a lot of topics that fit under the overall DevSecOps buzzword, but in this episode we talk about some of the evolution DevSecOps has gone through, how it's perceived in the industry and market today, and some hot takes on what's changed. The good, the bad, and the ugly. We leave it to you to decide: has DevSecOps lost its marketing shine and buzzword status?

Civic Tech Chat
77 Human Centered Devsecops

Civic Tech Chat

Play Episode Listen Later Jun 9, 2022 38:24


We are joined by Aidan Feldman (https://twitter.com/aidanfeldman), freelance technologist and former Technology Director at Technology Transformation Services at GSA (https://twitter.com/GSA_TTS), to dive into a conversation about the space where human centered concepts meet with devsecops.

Resources and shoutouts:
- https://99percentinvisible.org/episode/curb-cuts/
- https://blog.thepete.net/blog/2019/10/04/hello-production/
- https://www.youtube.com/watch?v=0wIvXfhWpx0

WebSupport
Getting Started with Python (Richard Kellner)

WebSupport

Play Episode Listen Later Jun 9, 2022 51:46


Data scientists have taken a liking to it, it has found a place in IoT, and it is equally at home in machine learning. We are talking about the Python language. It is introduced to us by Richard Kellner, who works as Chief Architect of Supervisory Information Systems at the National Bank of Slovakia (Národná banka Slovenska) and is also the founder and chairman of SPy o.z. (Slovak Python User Group). Richard is a DevSecOps engineer focused on developing web applications in Python and administering Linux servers. As a programmer he has extensive experience developing various kinds of applications as well as integrations between different systems. In his free time he organizes Python meetups in Bratislava and also the largest Slovak Python conference, PyCon.

In the discussion with Richard you will learn:
- What makes Python distinctive and what are its properties?
- Why does Python support programmer productivity?
- How and where can you learn Python?
- What are packages?
- What does the Slovak community around this language look like and what does it do?

The discussion is moderated by Fero Volár, who is Head of Server Products at Websupport and writes the blog alian.info. Websupport Tech Talks are discussions with experts on topics such as cloud, application and web development, backend, DevOps, security, team education and open source.

Changelog Master Feed
DevOps teams with shared responsibilities (Ship It! #56)

Changelog Master Feed

Play Episode Listen Later Jun 8, 2022 58:16


Today we are talking with Maikel Vlasman, technical lead for a large Dutch machine construction company, and a cloud engineer by heart. We cover self-updating GitLab & ArgoCD, Maikel's thinking behind dev environment setup and a Kubernetes workshop that he is preparing for his team. The goal is to function as a true DevOps team with shared responsibilities. This conversation started as a thread in our community Slack - link in the show notes. Thank you Maikel for being a long-time Changelog listener and for reaching out to us - we enjoyed telling this story.

Ship It! DevOps, Infra, Cloud Native
DevOps teams with shared responsibilities

Ship It! DevOps, Infra, Cloud Native

Play Episode Listen Later Jun 8, 2022 58:16


Today we are talking with Maikel Vlasman, technical lead for a large Dutch machine construction company, and a cloud engineer by heart. We cover self-updating GitLab & ArgoCD, Maikel's thinking behind dev environment setup and a Kubernetes workshop that he is preparing for his team. The goal is to function as a true DevOps team with shared responsibilities. This conversation started as a thread in our community Slack - link in the show notes. Thank you Maikel for being a long-time Changelog listener and for reaching out to us - we enjoyed telling this story.

The Cyber Ranch Podcast
DevSecOps w/ Chris Hughes

The Cyber Ranch Podcast

Play Episode Listen Later Jun 8, 2022 28:31


Allan is joined by Chris Hughes, CISO & Co-founder at Aquia and adjunct professor at UMGC, to talk about all things DevSecOps (Development, Security and Operations). They explore the DevSecOps phrase itself, as well as why security should be treated as an integral component and not a separate entity. In this episode, Allan and Chris take a deep dive into the subject and bring clarity to questions such as:
- What roles help achieve security in DevOps?
- What are the cultural barriers to implementing secure DevOps?
- What are some common mistakes as well as best tips?

Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! Life is complex. But it's not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone

Guest Bio: Chris Hughes is a proven Cloud/Cybersecurity leader with nearly 20 years of experience in both the Federal and commercial industries. Chris has a dynamic skill set, with a blend of IT, Cyber/Cloud Security and DevSecOps experience. He enjoys working across interdisciplinary teams to solve complex organizational and industry-wide problems to achieve technological transformation securely.

Additional Resources:
- Google SLSA framework: https://slsa.dev/
- CSCRM – NIST Appendix F: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf
- OpenSSF – OSS Mobilization Plan: https://8112310.fs1.hubspotusercontent-na1.net/hubfs/8112310/OpenSSF/White%20House%20OSS%20Mobilization%20Plan.pdf?hsCtaTracking=3b79d59d-e8d3-4c69-a67b-6b87b325313c%7C7a1a8b01-65ae-4bac-b97c-071dac09a2d8
- Sounil/Andy Debate: https://www.securityweek.com/video-civil-discourse-sboms

Links:
- Stay in touch with Chris Hughes on LinkedIn
- Follow Allan Alford on LinkedIn and Twitter
- Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
- Continue this conversation on our Discord
- Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast

Screaming in the Cloud
Connecting Cybersecurity to the Whole Organization with Alyssa Miller

Screaming in the Cloud

Play Episode Listen Later Jun 7, 2022 35:27


About Alyssa

Alyssa Miller, Business Information Security Officer (BISO) for S&P Global, is the global executive leader for cyber security across the Ratings division, connecting corporate security objectives to business initiatives. She blends a unique mix of technical expertise and executive presence to bridge the gap that can often form between security practitioners and business leaders. Her goal is to change how security professionals of all levels work with our non-security partners throughout the business.

A life-long hacker, Alyssa has a passion for technology and security. She bought her first computer herself at age 12 and quickly learned techniques for hacking modem communications and software. Her serendipitous career journey began as a software developer which enabled her to pivot into security roles. Beginning as a penetration tester, her last 16 years have seen her grow as a security leader with experience across a variety of organizations. She regularly advocates for improved security practices and shares her research with business leaders and industry audiences through her international public speaking engagements, online content, and other media appearances.

Links Referenced:
- Cybersecurity Career Guide: https://alyssa.link/book
- Twitter: https://twitter.com/AlyssaM_InfoSec
- alyssasec.com: https://alyssasec.com

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is sponsored in part by our friends at Vultr. Optimized cloud compute plans have landed at Vultr to deliver lightning-fast processing power, courtesy of third-gen AMD EPYC processors without the IO or hardware limitations of a traditional multi-tenant cloud server. Starting at just 28 bucks a month, users can deploy general-purpose, CPU, memory, or storage optimized cloud instances in more than 20 locations across five continents. Without looking, I know that once again, Antarctica has gotten the short end of the stick. Launch your Vultr optimized compute instance in 60 seconds or less on your choice of included operating systems, or bring your own. It's time to ditch convoluted and unpredictable giant tech company billing practices and say goodbye to noisy neighbors and egregious egress forever. Vultr delivers the power of the cloud with none of the bloat. Screaming in the Cloud listeners can try Vultr for free today with a $150 in credit when they visit getvultr.com/screaming. That's G-E-T-V-U-L-T-R dot com slash screaming. My thanks to them for sponsoring this ridiculous podcast.

Corey: This episode is sponsored in part by Honeycomb. When production is running slow, it's hard to know where problems originate. Is it your application code, users, or the underlying systems? I've got five bucks on DNS, personally. Why scroll through endless dashboards while dealing with alert floods, going from tool to tool to tool that you employ, guessing at which puzzle pieces matter? Context switching and tool sprawl are slowly killing both your team and your business. You should care more about one of those than the other; which one is up to you. Drop the separate pillars and enter a world of getting one unified understanding of the one thing driving your business: production. With Honeycomb, you guess less and know more. Try it for free at honeycomb.io/screaminginthecloud. Observability: it's more than just hipster monitoring.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. One of the problems that many folks experience in the course of their career, regardless of what direction they're in, is the curse of high expectations. And there's no escaping for that. Think about CISOs for example, the C-I-S-O, the Chief Information Security Officer.

It's generally a C-level role. Well, what's better than a C in the academic world? That's right, a B. My guest today is breaking that mold. Alyssa Miller is the BISO—B-I-S-O—at S&P Global. Alyssa, thank you for joining me to suffer my slings and arrows—

Alyssa: [laugh].

Corey: —as we go through a conversation that is certain to be no less ridiculous than it has begun to be already.

Alyssa: I mean, I'm good with ridiculous, but thanks for having me on. This is awesome. I'm really excited to be here.

Corey: Great. What the heck's BISO?

Alyssa: [laugh]. I never get that question. So, this is—

Corey: "No one's ever asked me that before." [crosstalk 00:03:38]—

Alyssa: Right?

Corey: —the same thing as, "Do you know you're really tall?" "No, you're kidding." Same type of story. But I wasn't clear. That means I'm really the only person left wondering.

Alyssa: Exactly. I mean, I wrote a whole blog on it the day I got the job, right? So, Business Information Security Officer. Basically what it means is I am like the CISO but for my division, the Ratings Division at S&P Global. So, I lead our cyber security efforts within that division, work closely with our information security teams, our corporate IT teams, whatever, but I don't report to them; I report into the business line.

I'm in the divisional CTO's org structure. And so, I'm the one bridging that gap between that business side where hey, we make all the money and that corporate InfoSec side where hey, we're trying to protect all the things, and there's usually that little bit of a gap where they don't always connect. That's me building the bridge across that.

Corey: Someone who speaks both security and business is honestly in a bit of rare supply these days. I mean, when I started my Thursday newsletter podcast nonsense Last Week in AWS: Security, the problem I kept smacking into was everything I saw was on one side of that divide or the other. There was the folks who have the word security in their job title, and there tends to be this hidden language of corporate speak. It's a dialect I don't fully understand. And then you have the community side of actual security practitioners who are doing amazing work, but also have a cultural problem that more or less distills down to being an awful lot of shitheads in them there waters.

And I wanted something that was neither of those and also wasn't vendor captured, which is why I decided to start storytelling in that space. But increasingly, I'm seeing that there's a significant problem with people who are able to contextualize security in the context of business. Because if you're secure enough, you can stop all work from ever happening, whereas if you're pure business side and only care about feature velocity and the rest, like, "Well, what happens if we get breached?" It's, "Oh, don't worry, I have my resume up to date." Not the most reassuring answer to give people. You have to be able to figure out where that line lies. And it seems like that figuring out where that line is, is more or less your entire stock-in-trade.

Alyssa: Oh absolutely, yeah. I mean, I can remember my earliest days as a developer, my cynical attitude towards security myself was, you know, their Utopia would be an impenetrable room full of servers that have no connections to anything, right? Like that would be wildly secure, yet completely useless. And so yeah, then I got into security and now I was one of them. And, you know, it's one of those things, you sit in, say a board meeting sometime and you listen to a CISO, a typical CISO talk to the board, and they just don't get it.

Like, there's so much, "Hey, we're implementing this technology and we're doing this thing, and here's our vulnerability counts, and here's how many are overdue." And none of that means anything. I mean, I actually had a board member ask me once, "What is a CISO?" I kid you not. Like, that's where they're at.

Like, so don't tell them what you're doing, but tell them why connected back to, like, "Hey, the business needs this and this, and in order to do it, we've got to make sure it's secure, so we're going to implement these couple of things. And here's the roadmap of how we get from where we are right now to where we need to be so they can launch that new service or product," or whatever the hell it is that they're going to do.

Corey: It feels like security is right up there with accounting, in the sense of fields of endeavor where you don't want someone with too much personality involved. Because if the CISO's sitting there talking to the board, it's like, "So, what do you do here, exactly?" And the answer is the honest, "Hey, remember last month how we were in The New York Times for that giant data breach?" And they do a split take, "No, no, I don't." "Exactly. You're welcome." On some level, it is kind of honest, but it also does not instill confidence when you're that cavalier with the description of what it is you do here.

Alyssa: Oh there's—

Corey: At least there's some corners. I prefer—

Alyssa: —there's so much—

Corey: —places where that goes over well, but that's me.

Alyssa: Yeah. But there's so much of that too, right? Like, here's the one I love. "Well, you know, it's not if you get breached, it's when. Oh, by the way, give me millions and millions of dollars, so I can make sure we don't get breached."

But wait, you just told me we're going to get breached no matter what we do. [laugh]. We do that in security. Like, and then you wonder why they don't give you funding for the initiative. Like, "Hello?" You know?

And that's the thing that gets me, it's like, can we just sit back and understand, like, how do you message to these people? Yeah I mean, you bring up the accounting thing; the funny thing is, at least all of them understand some level of accounting because most of them have MBAs and business degrees where they had to do some accounting. They didn't go through cyber security in their MBA program.

So, one of my favorite questions on Twitter once was somebody asked me, you know, if I want to get into cyber security leadership, what is the one thing that I should focus on or what skills should I study? I said, "Go study MBA concepts." Like, forget all the cyber security stuff. You probably have plenty of that technolog—go understand what they learn in MBA programs. And if you can start to speak that language, that's going to pay dividends for bridging that gap.

Corey: So, you don't look like the traditional slovenly computer geek showing up at those meetings who does not know how to sound as if they belong in the room. Like, it's unfair, on some level, and I used to have bitter angst about that. Like, "Why should how I dress matter how people perceive me?" Yeah, in an absolute sense you're absolutely right, however, I can talk about the way the world is or the way I wish it were and there has to be a bit of a divide there.

Alyssa: Oh, for sure. Yeah. I mean, you can't deny that you have to be prepared for the audience you're walking into. Now, I work in big conservative financial services on Wall Street. You know, and I had this conversation with a prominent member of our community when I started the job.

I'm like, "Boy, I guess I can't really put stickers on my laptop. I'm going to have to get, you know, a protector or something to put stickers on." Because the last thing I want to do is go into a boardroom with my laptop and whip out a bunch of hacker stickers on the backside of my laptop. Like, in a lot of spaces that will work, but you can't really do that when you're, you know, at, you know, the executive level and you're in a conservative, financial [unintelligible 00:10:16]. It just, I would love to say they should deal with that, I should be able to have pink hair, and you know, face tattoos and everything else, but the reality is, yeah, I can do all that, but these are still human beings who are going to react to that.

And it's the same when talking about cyber security, then. Like, I have to understand as a security practitioner that all they know about cyber security is it's big and scary. It's the thing that keeps them up at night. I've had board members tell me exactly that. And so, how do I make it a little less scary, or at least get them to have some confidence in me that I'll, like, carry the shield in front of them and protect them. Like, that's my job. That's why I'm there.

Corey: When I was starting my consultancy five years ago, I was trying to make a choice between something in the security cloud direction or the cost cloud direction. And one of the things that absolutely tipped the balance for me was the fact that the AWS bill is very much a business-hours-only problem. No one calls me at two in the morning screaming their head off. Usually. But there's a lot of alignment between those two directions in that you can spend all your time and energy fixing security issues and/or reducing the bill, but past a certain point, knock it off and go do the thing that your company is actually there to do.

And you want to be responsible to a point on those things, but you don't want it to be the end-all-be-all because the logical outcome of all of that, if you keep going, is your company runs out of money and dies because you're not going to either cost optimize or security optimize your business to its next milestone. And weighing those things is challenging. Now, too many people hear that and think, "See, I don't have to worry about those things at all." It's, "Oh, you will sooner or later. I promise."

Alyssa: So, here's the fallacy in that. There is this assumption that everything we do in security is going to hamper the business in some way and so we have to temper that, right? Like, you're not wrong. And we talked about before, right? You know, security in a traditional sense, like, we could do all of the puristic things and end up just, like, screeching the world to a halt.

But the reality is, we can do security in a way that actually grows the business, that actually creates revenue, or I should say enables the creation of revenue in that, you know, we can empower the business to do more things and to be more innovative by how we approach security in the organization. And that's the big thing that we miss in security is, like, look, yes, we will always be a quote-unquote, "Cost center," right? I mean, we in security don't—unless you work for a security organization—we're not getting revenue attributed to us, we're not creating revenue. But we are enabling those people who can if we approach it right.

Corey: Well, the Red Team might if they go a little off-script, but that's neither here nor there.

Alyssa: I—yeah, I mean, I've had that question. "Like, couldn't we just sell resell our Red Team services?" No. No. That's not our core [crosstalk 00:13:14]

Corey: Oh, I was going the other direction. Like, oh, we're just going to start extorting other businesses because we got bored this week. I'm kidding. I'm kidding. Please don't do an investigation, any law enforcement—

Alyssa: I was going to say, I think my [crosstalk 00:13:22]—

Corey: —folks that happen to be listening to this.

Alyssa: [crosstalk 00:13:24] is calling me right now. They want to know what I'm [laugh] talking about. But no—

Corey: They have some inquiries they would like you to assist them with and they're not really asking.

Alyssa: Yeah, yeah, they're good at that. No, I love them, though. They're great. [laugh]. But no, seriously, like, I mean, we always think about it that way because—and then we wonder why do we have the reputation of, you know, the Department of No.

Well, because we kind of look at it that way ourselves; we don't really look at, like how can we be a part of the answer? Like, when we look at, like, DevSecOps, for instance. Okay, I want to bring security into my pipeline. So, what do we say? "Oh, shared responsibility. That's a DevOps thing." So, that means security is everybody's responsibility. Full stop.

Corey: Right. It's a—

Alyssa: Well—

Corey: And there, I agree with you wholeheartedly. Cost is—

Alyssa: But—

Corey: —aligned with this. It has to be easier to do it the right way than to just go off half-baked and do it yourself off the blessed path. And that—

Alyssa: So there—

Corey: —means there's that you cannot make it harder to do the right thing; you have to make it easier because you will not win against human psychology. Depending on someone when they're done with an experiment to manually go in and turn things off. It will not happen. And my argument has been that security and cost are aligned constantly because the best way to secure something and save money on at the same time is to turn that shit off. You wouldn't think it would be that simple, but yet here we are.

Alyssa: But see, here's the thing. This is what kills me. It's so arrogant of security people to look at it and say that right? Because shared responsibility means shared. Okay, that means we have responsibilities we're going to share. Everybody is responsible for security, yes.

Our developers have responsibilities now that we have to take a share in as well, which is get that shit to production fast. Period. That is their goal. How fast can I pop user stories off the backlog and get them to deployment? My SRE is on the ops side. They're, like, "We just got to keep that stuff running. That's all we that's our primary focus."

So, the whole point of DevOps and DevSecOps was everybody's responsible for every part of that, so if I'm bringing security into that message, I, as security, have to be responsible for site's stability; I, in security, have to be responsible for efficient deployment and the speed of that pipeline. And that's the part that we miss.

Corey: This episode is sponsored in part by our friend EnterpriseDB. EnterpriseDB has been powering enterprise applications with PostgreSQL for 15 years. And now EnterpriseDB has you covered wherever you deploy PostgreSQL on-premises, private cloud, and they just announced a fully-managed service on AWS and Azure called BigAnimal, all one word. Don't leave managing your database to your cloud vendor because they're too busy launching another half-dozen managed databases to focus on any one of them that they didn't build themselves. Instead, work with the experts over at EnterpriseDB. They can save you time and money, they can even help you migrate legacy applications—including Oracle—to the cloud. To learn more, try BigAnimal for free. Go to biganimal.com/snark, and tell them Corey sent you.

Corey: I think you might be the first person I've ever spoken to that has that particular take on the shared responsibility model. Normally, when I hear it, it's on stage from an AWS employee doing a 45-minute song-and-dance about what the secured responsibility model is, and generally, that is interpreted as, "If you get breached, it's your fault, not ours."

Alyssa: [laugh].

Corey: Now, you can't necessarily say it that directly to someone who has just suffered a security incident, which is why it takes 45 minutes and slides and diagrams and excel sheets and the rest. But that is what it fundamentally distills down to, and then you wind up pointing out security things that they've had that [unintelligible 00:17:11] security researchers have pointed out and they are very tight-lipped about those things. And it's, "Oh, it's not that you're otherworldly good at security; it's that you're great at getting people to shut up." You know, not me, for whatever reason because I'm noisy and obnoxious, but most people who actually care about not getting fired from their jobs, generally don't want to go out there making big cloud companies look bad. Meanwhile, that's kind of my entire brand.

Alyssa: I mean, it's all about lines of liability, right?

Corey: Oh yeah.

Alyssa: I mean, where am I liable, where am I not? And yeah, well, if I tell you you're responsible for security on all these things, and I can point to any part of that was part of the breach, well, hey, then it's out of my hands. I'm not liable. I did what I said I would; you didn't secure your stuff. Yeah, it's—and I mean, and some of that is to be fair.

Like, I mean, okay, I'm going to host my stuff on your computer—the whole cloud is just somebody else's computer model is still ultimately true—but, yeah, I mean, I'm expecting you to provide me a stable and secure environment and then I'm going to deploy stuff on it, and you are expecting me to deploy things that are stable and secure as well. And so, when they say shared model or shared responsibility model, but it—really if you listen to that message, it's the exact opposite. They're telling you why it's a separate responsibility model. Here's our responsibilities; here's yours. Boom. It's not about shared; it's about separated.

Corey: One of the most formative, I guess, contributors to my worldview was 13 years ago, I went on a date and met someone lovely. We got married. We've been together ever since, and she's an attorney. And it has been life-changing to understand a lot of that perspective, where it turns out when you're dealing with legal, they are not—and everyone says, "Oh, and the lawyers insisted on these things."

No, they didn't. A lawyer's entire role in a company is to identify risk, and then it is up to the business to make a decision around what is acceptable and what is not. If your lawyers ever insist on something, what that actually means in my experience is, you have said something profoundly ignorant that is one of those, like—that is—they're doing the legal equivalent of slapping the gun out of the toddler's hand of, "No, you cannot go and tweet that because you'll go to prison," level of ridiculous nonsense where it is, "That will violate the law." Everything else is different shades of the same answer: it depends. Here's what to consider.

Alyssa: Yes.

Corey: And then you choose—and the business chooses its own direction. So, when you have companies doing what appeared to be ridiculous things, like Oracle, for example, loves to begin every keynote with a disclaimer about how nothing they're about to say is true, the lawyers didn't insist on that—though they are the world's largest law firm, Kirkland Ellison. But instead, it's this entire story of given the risk and everything that we know about how we say things onstage and people gunning for us, yeah, we are going to [unintelligible 00:20:16] this disclaimer first. Most other tech companies do not do that exact thing, which I've got to say when you're sitting in the audience ready to see the new hotness that's about to get rolled out and it starts with a disclaimer, that is more or less corporate-speak for, "You are about to hear some bullshit," in my experience.

Alyssa: [laugh]. Yes. I mean and that's the thing, like, [clear throat], you know, we do deride legal teams a lot. And you know, I can find you plenty of security people who hate the fact that when you're breached, who's the first call you make? Well, it's your legal team.

Why? Because they're the ones who are going to do everything in their power to limit the amount that you can get sued on the back-end for anything that got exposed, that you know, didn't meet service levels, whatever the heck else. And that all starts with legal privilege.

Corey: They're reporting responsibilities. Guess who keeps up on what those regulatory requirements are? Spoiler, it's probably not you, whoever's listening to this, unless you're an attorney because that is their entire job.

Alyssa: Yes, exactly. And, you know, work in a highly regulated environment—like mine—and you realize just how critical that is. Like, how do I know—I mean, there are times there's this whole discussion of how do you determine if something is a material impact or not? I don't want to be the one making that, and I'm glad I don't have to make that decision. Like, I'll tell you all the information, but yes, you lawyers, you compliance people, I want you to make the decision of if it's a material impact or not because as much as I understand about the business, y'all know way more about that stuff than I do.

I can't say. I can only say, "Look, this is what it impacted. This is the data that was impacted. These are the potential exposures that occurred here. Please take that information now and figure out what that means, and is there any materiality to that that now we have to report that to the street."

Corey: Right, right. You can take my guesses on this or you can take an attorney's. I am a loud, confident-sounding white guy. Attorneys are regulated professionals who carry malpractice insurance. If they give wrong advice that is wrong enough in these scenarios, they can be sanctioned for it; they can lose their license to practice law.

And there are challenges with the legal profession and how much of a gatekeeper the Bar Association is and the rest, but this is what it is [done 00:22:49] for itself. That is a regulated industry where they have continuing education requirements they need to certify in a test that certain things are true when they say it, whereas it turns out that I don't usually get people even following up on a tweet that didn't come true very often. There's a different level of scrutiny, there's a different level of professional bar it raises to, and it turns out that if you're going to be legally held to account for things you say, yeah, turns out a lot of your answers are going to be flavors of, "It depends."

Alyssa: [laugh].

Corey: Imagine that.

Alyssa: Don't we do that all the time? I mean, "How critical is this?" "Well, you know, it depends on what kind of data, it depends on who the attacker is. It depends." Yeah, I mean, that's our favorite word because no one wants to commit to an absolute, and nor should we, I mean, if we're speaking in hyperbole and absolutes, boy, we're doing all the things wrong in cyber.

We got to understand, like, hey, there is nuance here. That's how you run—no business runs on absolutes and hyperbole. Well, maybe marketing sometimes, but that's a whole other story.

Corey: Depends on if it's done well or terribly.

Alyssa: [laugh]. Right. Exactly. "Hey, you can be unhackable. You can be breached-proof." Oh, God.

Corey: Like, what's your market strategy? We're going to paint a big freaking target in the front of the building. Like, I still don't know how Target the company was ever surprised by a data breach that they had when they have a frickin' bullseye as their logo.

Alyssa: "Come get us."

Corey: It's, like, talk about poking the bear. But there we are.

Alyssa: [unintelligible 00:24:21] no. I mean, hey, [unintelligible 00:24:23] like that was so long ago.

Corey: It still casts a shadow.

Alyssa: I know.

Corey: People point to that as a great example of, like, "Well, what's going to happen if we get breached?" It's like, well look at Target because they wound up—like, their stock price a year later was above where it had been before and it seemed to have no lasting impact. Yeah, but they effectively replaced all of the execs, so you know, let's have some self-interest going on here by named officers of the company. It's, "Yeah, the company will be fine. Would you like to still be here what it is?"

Alyssa: And how many lawsuits do you think happened that you never heard about because they got settled before they were filed?

Corey: Oh, yes. There's a whole world of that.

Alyssa: That's what's really interesting when people talk about, like, the cost of breach and stuff, it's like, we don't even know. We can't know because there is so much of that. I mean, think about it, any organization that gets breached, the first thing they're trying to do is keep as much of it out of the news as they can, and that includes the lawsuits. And so, you know, it's like, all right, well, "Hey, let's settle this before you ever file."

Okay, good. No one will ever know about that. That will never show up anywhere. It is going to show up on a balance sheet anywhere, right? I mean, it's there, but it's buried in big categories of lots of other things, and how are you ever going to track that back without, you know, like, a full-on audit of all of their accounting for that year?
Yeah, it's—so I always kind of laugh when people start talking about that and they want to know, what's the average cost of a breach. I'm like, “There's no way to measure that. There is none.”Corey: It's not cheap, and the reputational damage gets annoying. I still give companies grief for these things all the time because it's—again, the breach is often about information of mine that I did not consciously choose to give to you and the, “Oh, I'm going to blame a third-party process.” No, no, you can outsource work, but not responsibility. You can't share that one.Alyssa: Ah, third-party diligence, uh, that seems to be a thing. You know, I think we're supposed to make sure our third parties are trustworthy and doing the right things too, right? I mean, it's—Corey: Best example I ever saw that was an article in the Wall Street Journal about the Pokemon company where they didn't name the vendor, but they said they declined to do business with them in part based upon their lax security policy around S3 buckets. That is the first and so far only time I have had an S3 Bucket Responsibility Award engraved and sent to their security director. Usually, it's the ignoble prize of the S3 Bucket Negligence Award, and there are oh so many of those.Alyssa: Oh, and it's hard, right? Because you're standing—I mean, I'm in that position a lot, right? You know, you're looking at a vendor and you've got the business saying, “God, we want to use this vendor. All their product is great.” And I'm sitting there saying, but, “Oh, my God, look at what they're doing. It's a mess. It's horrible. How do I how do we get around this?”And that's where, you know, you just have to kind of—I wish I could say no more, but at the end of the day, I know what that does. That just—okay, well, we'll go file an exception and we'll use it anyway. So, maybe instead, we sit and work on how to do this, or maybe there is an alternative vendor, but let's sort it out together. So yeah, I mean, I do applaud them. 
Like that's great to, like, be able to look at a vendor and say, “No, we ain't touching you because what you're doing over there is nuts.” And I think we're learning more and more how important that is, with a lot of the supply chain attacks.Corey: Actually, I'm worried about having emailed you, you're going to leak my email address when your inbox inevitably gets popped. Come on. It's awful stuff.Alyssa: Yeah, exactly. So, I mean, it's we there's—but like everything, it's a balance again, right? Like, how can we keep that business going and also make sure that their vendors—so that's where it just comes down to, like, okay, let's talk contracts now. So, now we're back to legal.Corey: We are. And if you talk to a lawyer and say, “I'm thinking about going to law school,” the answer is always the same. “No… don't do it.” Making it clear that is apparently a terrible life and professional decision, which of course, brings us to your most recent terrible life and professional decision. As we record this, we are reportedly weeks away from you having a physical copy in your hands of a book.And the segue there is because no one wants to write a book. Everyone wants to have written a book, but apparently—unless you start doing dodgy things and ghost-writing and exploiting people in the rest—one is a necessary prerequisite for the other. So, you've written a book. Tell me about it.Alyssa: Oof, well, first of all, spot on. I mean, I think there are people who really do, like, enjoy the act of writing a book—Corey: Oh, I don't have the attention span to write a tweet. People say, “Oh, you should write a book, Corey,” which I think is code for them saying, “You should shut up and go away for 18 months.” Like, yeah, I wish.Alyssa: Writing a book has been the most eye-opening experience of my life. And yeah, I'm not a hundred percent sure it's one I'll ever—I've joked with people already, like, I'll probably—if I ever want another book, I'll probably hire a ghostwriter. 
But no, I do have a book coming out: Cybersecurity Career Guide. You know, I looked at this cyber skills gap, blah, blah, blah, blah, blah, we hear about it, 4 million jobs are going to be left open.Whatever, great. Well, then how come none of these college grads can get hired? Why is there this glut of people who are trying to start careers in cyber security and we can't get them in?Corey: We don't have six months to train you, so we're going to spend nine months trying to fill the role with someone experienced?Alyssa: Exactly. So, 2020 I did a bunch of research into that because I'm like, I got to figure this out. Like, this is bizarre. How is this disconnect happening? I did some surveys. I did some interviews. I did some open-source research. Ended up doing a TED Talk based off of that—or TEDx Talk based off of that—and ultimately that led into this book. And so yeah, I mean, I just heard from the publisher yesterday, in fact that we're, like, in that last stage before they kick it out to the printers, and then it's like three weeks and I should have physical copies in my hands.Corey: I will be getting one when it finally comes out. I have an almost, I believe, perfect track record of having bought every book that a guest on this show has written.Alyssa: Well, I appreciate that.Corey: Although, God help me if I ever have someone, like, “So, what have you done?” “I've written 80 books.” Like, “Well, thank you, Stephen King. I'm about to go to have a big—you're going to see this number of the company revenue from orbit at this point with that many.” But yeah, it's impressive having written a book. 
It's—Alyssa: I mean, for me, it's the reward is already because there are a lot of people have—so my publisher does really cool thing they call it early acc—or electronic access program, and where there are people who bought the book almost a year ago now—which is kind of, I feel bad about that, but that's as much my publisher as it is me—but where they bought it a year ago and they've been able to read the draft copy of the book as I've been finishing the book. And I'm already hearing from them, like, you know, I'm hearing from people who really found some value from it and who, you know, have been recommending it other people who are trying to start careers and whatever. And it's like, that's where the reward is, right?Like, it was, it's hell writing a book. It was ten times worse during Covid. You know, my publisher even confirmed that for me that, like, look, yeah, you know, authors around the globe are having problems right now because this is not a good environment conducive to writing. But, yeah, I mean, it's rewarding to know that, like, all right, there's going to be this thing out there, that, you know, these pages that I wrote that are helping people get started in their careers, that are helping bring to light some of the real challenges of how we hire in cyber security and in tech in general. And so, that's the thing that's going to make it worthwhile. And so yeah, I'm super excited that it's looking like we're mere weeks now from this thing being shipped to people who have bought it.Corey: So, now it's racing, whether this gets published before the book does. So, we'll see. There is a bit of a production lag here because, you know, we have to make me look pretty and that takes a tremendous amount of effort.Alyssa: Oh, stop. Come on now. But it will be interesting to see. Like, that would actually be really cool if they came out at about the same time. Like, you know, I'm just saying.Corey: Yeah. We'll see how it goes. 
Where's the best place for people to find you if they want to learn more?Alyssa: About the book or in general?Corey: Both.Alyssa: So—Corey: Links will of course be in the [show notes 00:32:49]. Let's not kid ourselves here.Alyssa: The book is real easy. Go to Alyssa—A-L-Y-S-S-A, back here behind me for those of you seeing the video. Um—I can't point the right direction. There we go. That one. A-L-Y-S-S-A dot link—L-I-N-K slash book. It's that simple. It'll take you right to Manning's site, you can get in.Still in that early access program, so if you bought it today, you would still be able to start reading the draft versions of it. If you want to know more about me, honestly, the easiest way is to find me on Twitter. You can hear all the ridiculousness of flight school and barbecue and some security topics, too, once in a while. But at @alyssam_infosec. Or if you want to check out the website where I blog, every rare occasion, it's alyssasec.com.Corey: And all of that will be in the [show notes 00:33:41]. Thank you—Alyssa: There's a lot. [laugh].Corey: I'm looking forward to seeing it, too. Thank you so much for taking the time to deal with my nonsense today. I really appreciate it.Alyssa: Oh, that was nonsense? Are you kidding me? This was a great discussion. I really appreciate it.Corey: As have I. Thanks again for your time. It is always great to talk to people smarter than I am—which is, let's be clear, most people—Alyssa Miller, BISO at S&P Global. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. 
If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice—or smash the like and subscribe button if this is on the YouTubes—whereas if you've hated the podcast, same thing, five-star review, platform of choice, smash both of the buttons, but also leave an angry comment, either on the YouTube video or on the podcast platform, saying that this was a waste of your time and what you didn't like about it because you don't need to read Alyssa's book; you're going to get a job the tried and true way, by printing out a copy of your resume and leaving it on the hiring manager's pillow in their home.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

DevOps and Docker Talk
Nomad Orchestration

DevOps and Docker Talk

Play Episode Listen Later Jun 3, 2022 54:09


Bret is joined by Erik Veld, Manager, Developer Advocacy at HashiCorp, the creators of Nomad. Nomad is an orchestrator like Kubernetes and Swarm, but it has a unique set of features that make it an interesting alternative on multiple levels. It's known for having a much simpler infrastructure design than Kubernetes, and also a stronger community and feature release cycle than Swarm. Erik talks about the basics of Nomad, the reason it was created, and runs through some demos. Streamed live on YouTube April 7, 2022.
Unedited live recording of this show on YouTube (Ep #165). Includes demos.
★Topics★
Nomad website
Nomad GitHub page
Tech-Nomadic, Run Your Software Anywhere (YouTube)
Managing DigitalOcean Kubernetes clusters with Terraform (YouTube)
★Erik Veld★
Erik on Twitter
★Join my Community★
Best coupons for my Docker and Kubernetes courses
Chat with us on our Discord Server Vital DevOps
Homepage bretfisher.com
★ Support this podcast on Patreon ★

Changelog Master Feed
Optimising sociotechnical systems (Ship It! #55)

Changelog Master Feed

Play Episode Listen Later Jun 2, 2022 68:57


Today we are talking about how to optimise sociotechnical systems with Ben Ford, founder & CEO of Mission Control. The correct order is: people, process & technology. The tools are important, and we talk about specific ones in the second half of this episode, but there are rules and principles that govern how people interact, and we need to start there.

Ship It! DevOps, Infra, Cloud Native
Optimising sociotechnical systems

Ship It! DevOps, Infra, Cloud Native

Play Episode Listen Later Jun 2, 2022 68:57


Today we are talking about how to optimise sociotechnical systems with Ben Ford, founder & CEO of Mission Control. The correct order is: people, process & technology. The tools are important, and we talk about specific ones in the second half of this episode, but there are rules and principles that govern how people interact, and we need to start there.

Future of Tech
The Future of Securing the Developer's Lifestyle with Guy Podjarny, Founder, Snyk

Future of Tech

Play Episode Listen Later May 30, 2022 50:51


Across industries, empowering creatives tends to lead to great results because they are the engine of whatever is being created. This is true for developers just as it would be for any sort of creative. As technology becomes more advanced and the world more interconnected, security concerns become more pronounced too. Therefore, builders must consider security as they make their products and help operate them too. Guy Podjarny, the Co-Founder and President of Snyk, understands that security practices and platforms must focus on developers. On this episode of Future of Tech, Guy discusses how the security industry has moved to a DevSecOps mentality where developers are brought into the security process. He chats about the importance of empathizing with users when creating products. Guy shares his motivations for his podcast, “The Secure Developer,” as well as for writing books. He also offers up some great advice for future entrepreneurs. Enjoy this episode!

Main Takeaways:

The Importance of Empathy When Creating a Product: Empathy is a quality that improves relationships between people. It's also, according to Guy, essential when building any product, including a product for developers like Snyk. People do not need to have someone else's experience to interact with them or even to serve them, but they do need to attempt to deeply understand their experiences and needs.

Creating Community and Clarifying Ideas: It's fascinating to hear why someone continues to put effort into creative projects over time. Concerning his podcast, Guy shares he appreciates the chats and how it's beneficial to the greater security industry as well. Guy is also a prolific author of books and shares that he writes them, in part, because it helps him to clarify his ideas.

Being Prepared for the Ride: The entrepreneurial journey is not for the faint of heart. Guy compares the experience of being involved in a startup to a “roller coaster.” He suggests that an awareness of this reality is helpful knowledge for a person who is about to go on this… ride. With this knowledge, he explains, one could assess other areas outside their work life to see if they are ready to dive into the start-up world.

Having Good Boundaries: Having strong boundaries helps to care for, and protect, key areas of life. Guy shares how he has developed clear rules between his work and family life, so that he is able to honor his family time. Certainly, it's not easy to place limitations on work, especially in a world that is so interconnected and where work is often so accessible. Even though that may be the case and work is important, so too is everything outside of work, especially one's family.

Key Quotes:

(11:05) “The light bulb moment that we had was that if you want developers to embrace security, you have to think about developers first. You have to not take an auditor practice and just think about how do you plug it into a development environment but the other way around — think about how do you build a developer tool that would tackle security?”

(08:06) “DevSecOps is really fundamentally around doing to security what has happened to ops and bringing security into that fold. And so transforming security from that sort of central organization that is off to the side to something that is embedded into the regular practices of developing and operating and securing software end-to-end and changing how security is done to go from auditing and local services…to platform builders. And focusing on empowering the application teams — the teams that are actually building and operating the software to ensure that it's secure.”

(15:03) “I think more important than sort of saying ‘Developers are the only ones to build for developers' is to ensure that whatever it is that you're building, you invest in empathy [and] you invest in talking to customers and not just to the buyers, but to the users of the product.”

(41:54) “Because we are a developer-first company, we are a depth-first company. So what we do is we build deep solutions and all of our products started as narrow, but deep products that were excellent for a specific stack or a specific use case in need. And then once we feel like we've nailed the experience, we expand to support additional stacks.”

(48:45) “Startups are hard and what they do is – they're a roller coaster. So the highs are very high and the lows are very low, and you can have a dozen of them in a given day. And they're not necessarily proportional to the success or the failure. You could not have a customer succeed, or even just say the wrong thing and you can be in a pretty low situation. But the highs are really high and you can equally be super thrilled and high on it. So I think you want to know that you are ready for something like that. For example, what other roller coasters are happening in your life at the moment? Is it the right time for you to do it or not?”

Getting into IT with Grant
DevOps and CI/CD Pipelines | Best practices in engineering and change and release management

Getting into IT with Grant

Play Episode Listen Later May 29, 2022 33:59


In this episode, we'll start by separating out Agile from DevOps, and then bringing in CI/CD pipelines. We'll also discuss DevSecOps and some of the best practices in engineering that a developer can adopt. We'll also give an overview of what a CI/CD pipeline looks like, what a pipeline stage is, what a pipeline's purpose is, and how it is related to DevOps. As a bonus, I talk about tools for Static Code Analysis (SCA) and Static Application Security Testing (SAST)! We'll also touch on Test Driven Development (TDD).
-----
Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations
Storytime with Dad Podcast

Rocketcast
Mobile Security e cultura de segurança [feat. iFood] | Faladev #52

Rocketcast

Play Episode Listen Later May 27, 2022 55:51


Security is an important factor for any application, but when we talk about an app the size of iFood, which touches so many fronts with different kinds of users and customers, the precautions are indispensable. Knowing that security is such an essential part of a product, why don't devs usually build this step into their development culture? Together with guests Diogo Nunes and Nicolas Schirmer, we talk about security issues in mobile development, what some of iFood's development processes look like, and the DevSecOps culture within the teams.
Host: Diego Fernandes (CTO @ Rocketseat)
Guests: Diogo Nunes (Sr. Manager, Application Security & Cyber Education @ iFood), Nicolas Schirmer (Lead AppSec Mobile Security @ iFood)

Embracing Digital Transformation
#88 Collaborative DevSecOps with Sophos Factory

Embracing Digital Transformation

Play Episode Listen Later May 24, 2022 39:59


On this episode, Darren talks with Sophos' Callen Sapien, Director of Product Management, Sophos Factory, and Mike Fraser, VP of DevSecOps about their product that allows for truly collaborative SecDevOps. Blog: https://www.intel.com/content/www/us/en/government/podcasts/embracing-digital-transformation-episode88.html

Screaming in the Cloud
Let Your Backups Help you Sleep with Simon Bennett

Screaming in the Cloud

Play Episode Listen Later May 24, 2022 33:43


About Simon
Founder and CEO of SnapShooter, a backup company

Links Referenced:
SnapShooter.com: https://SnapShooter.com
MrSimonBennett: https://twitter.com/MrSimonBennett

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Finding skilled DevOps engineers is a pain in the neck! And if you need to deploy a secure and compliant application to AWS, forgettaboutit! But that's where DuploCloud can help. Their comprehensive no-code/low-code software platform guarantees a secure and compliant infrastructure in as little as two weeks, while automating the full DevSecOps lifestyle. Get started with DevOps-as-a-Service from DuploCloud so that your cloud configurations are done right the first time. Tell them I sent you and your first two months are free. To learn more visit: snark.cloud/duplo. That's snark.cloud/D-U-P-L-O-C-L-O-U-D.

Corey: What if there were a single place to get an inventory of what you're running in the cloud that wasn't "the monthly bill?" Further, what if there were a way to compare that inventory to what you were already managing via Terraform, Pulumi, or CloudFormation, but then automatically add the missing unmanaged or drifted parts to it? And what if there were a policy engine to immediately flag and remediate a wide variety of misconfigurations? Well, stop dreaming and start doing; visit snark.cloud/firefly to learn more.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. One of the things that I learned early on in my career as a grumpy Unix systems administrator is that there are two kinds of people out there: those who care about backups an awful lot, and people who haven't lost data yet. I lost a bunch of data once upon a time and then I too fell on the side of backups are super important. Here to talk with me about them a bit today is Simon Bennett, founder and CEO of SnapShooter.com. Simon, thanks for joining me.

Simon: Thanks for having me. Thank you very much.

Corey: It's fun to be able to talk to people who are doing business in the cloud space—in this sense too—that is not venture-backed, that is not, “Well, we have 600 people here that are building this thing out.” And similar to the way that I handle things at The Duckbill Group, you are effectively one of those legacy things known as a profitable business that self-funds. What made you decide to pursue that model as opposed to, well, whatever the polite version of bilking venture capitalists out of enormous piles of money for [unintelligible 00:01:32]?

Simon: I think I always liked the idea of being self-sufficient and running a business, so I always wanted to start a physical business when I was younger, but when I got into software, I realized that that's a really easy way, no capital needed, to get started. And I tried for years and years to build products, all of which failed until finally SnapShooter actually gained a customer. [laugh].

Corey: “Oh, wait, someone finally is paying money for this, I guess I'm onto something.”

Simon: Yeah.

Corey: And it's sort of progressed from there. How long have you been in business?

Simon: We started in 2017, as… it was an internal project for a company I was working at who had problems with DigitalOcean backups, or they had problems with their servers getting compromised. So, I looked at DigitalOcean API and realized I could build something. And it took less than a week to build a product [with billing 00:02:20]. And I put that online and people started using it. So, that was how it worked.

Every other product I tried before, I'd spent months and months developing it and never getting a customer. And the one time I spent less than [laugh] less than a week's worth of evenings, someone started paying. I mean, admittedly, the first person was only paying a couple of dollars a month, but it was something.

Corey: There's a huge turning point where you just validate the ability and willingness for someone to transfer one dollar from their bank account to yours. It speaks to validation in a way that social media nonsense generally doesn't. It's the oh, someone is actually willing to pay because I'm adding value to what they do. That's no small thing.

Simon: Yeah. There's definitely a big difference between people saying they're going to and they'd love it, and actually doing it. So.

Corey: I first heard about you when Patrick McKenzie—or @patio11, as he goes by on Twitter—wound up doing a mini-thread on you about, “I've now used SnapShooter.com for real, and it was such a joy, including making a server migration easier than it would otherwise have been. Now, I have automatically monitored backups to my own S3 account for a bunch of things, which already had a fairly remote risk of failure.” And he keeps talking about the awesome aspects of it. And okay, when Patrick says, “This is neat,” that usually means it's time for me to at least click the link and see what's going on.

And the thing that jumped out at me was a few things about what it is that you offer. You talk about making sure that people can sleep well at night, that it's about why backups are important, about—you obviously check the boxes and talk about how you do things and why you do them the way that you do, but it resonates around the idea of helping people sleep well at night. Because no one wants to think about backups. Because no one cares about backups; they just care an awful lot about restores, usually right after they should have cared about the backups.

Simon: Yeah. This is actually a big problem with getting customers because I don't think it's on a lot of people's minds, getting backups set up until, as you said in the intro, something's gone wrong. [laugh]. And then they're happy to be a customer for life.

Corey: I started clicking around and looking at your testimonials, for example, on your website. And the first one I saw was from the CEO of Transistor.fm. For those who aren't familiar with what they do, they are the company that hosts this podcast. I pay them as a vendor for all the back issues and whatnot.

Whenever you download the show. It's routing through their stuff. So yeah, I kind of want them to have backups of these things because I really don't want to have all these conversations [laugh] again with everyone. That's an important thing. But Transistor's business is not making sure that the data is safe and secure; it's making podcasts available, making it easy to publish to them.

And in your case, you're handling the backup portion of it so they can pay their money and they set it up effectively once—set it and forget it—and then they can go back to doing the thing that they do, and not having to fuss with it constantly. I think a lot of companies get it wrong, where they seem to think that people are going to make sustained, engaged efforts in whatever platform or tool or service they build. People have bigger fish to fry; they just want the thing to work and not take up brain sweat.

Simon: Yeah. Customers hardly ever log in. I think it's probably a good sign when they don't have to log in. So, they get their report emails, and that's that. And they obviously come back when they got new stuff to set up, but from a support point of view is pretty, pretty easy, really, people don't—[laugh] constantly on there.

Corey: From where I sit, the large cloud providers—and some of the small ones, too—they all have backup functionality built into the offering that they've got. And some are great, some are terrible. I assume—perhaps naively—that all of them do what it says on the tin and actually back up the data. If that were sufficient, you wouldn't have any customers. You clearly have customers. What is it that makes those things not work super well?

Simon: Some of them are inflexible. So, some of the providers have built-in server backups that only happen weekly, and six days of no backups can be a big problem when you've made a mistake. So, we offer a lot of flexibility around how often you backup your data. And then another key part is that we let you store your data where you want. A lot of the providers have either vendor lock-in, or they only store it in themselves. So… we let you take your data from one side of the globe to the other if you want.

Corey: As anyone who has listened to the show is aware, I'm not a huge advocate for multi-cloud for a variety of excellent reasons. And I mean that on a per-workload basis, not, “Oh, we're going to go with one company called Amazon,” and you use everything that they do, including their WorkMail product. Yeah, even Amazon doesn't use WorkMail; they use Exchange like a real company would. And great, pick the thing that works best for you, but backups have always been one of those areas.

I know that AWS has great region separation—most of the time. I know that it is unheard of for there to be a catastrophic data loss story that transcends multiple regions, so the story from their side is very often, oh, just back it up to a different region. Problem solved. Ignoring the data transfer aspect of that from a pricing perspective, okay. But there's also a risk element here where everyone talks about the single point of failure with the AWS account that it's there, people don't talk about as much: it's your payment instrument; if they suspend your account, you're not getting into any region.

There's also the story of if someone gets access to your account, how do you back that up? If you're going to be doing backups, from my perspective, that is the perfect use case, to put it on a different provider. Because if I'm backing up from, I don't know, Amazon to Google Cloud or vice versa, I have a hard time envisioning a scenario in which both of those companies simultaneously have lost my data and I still care about computers. It is very hard for me to imagine that kind of failure mode, it's way out of scope for any disaster recovery or business continuity plan that I'm coming up with.

Simon: Yeah, that's right. Yeah, I haven't—[laugh] I don't have that in my disaster recovery plan, to be honest about going to a different cloud, as in, we'll solve that problem when it happens. But the data is, as you say, in two different places, or more. But yeah, the security one is a key one because, you know, there's quite a lot of surface area on your AWS account for compromising, but if you're using either—even a separate AWS account or a different provider purely for storage, that can be very tightly controlled.

Corey: I also appreciate the idea that when you're backing stuff up between different providers, the idea of owning both sides of it—I know you offer a solution where you wind up hosting the data as well, and that has its value, don't get me wrong, but there are also times, particularly for regulated industries, where yeah, I kind of don't want my backup data just hanging out with someone else's account with whatever they choose to do with it. There's also the verification question, which again, I'm not accusing you of in any way, shape, or form of being nefarious, but it's also one of those when I have to report to a board of directors of like, “Are you sure that they're doing what they say they're doing?” It's a, “Well, he seemed trustworthy,” is not the greatest answer. And the boards ask questions like that all the time. Netflix has talked about this where they backup a rehydrate-the-business level of data to Google Cloud from AWS, not because they think Amazon is going to disappear off the face of the earth, but because it's easier to do that and explain it than having to say, “Well, it's extremely unlikely and here's why,” and not get torn to pieces by auditors, shareholders, et cetera. It's the path of least resistance, and there is some validity to it.

Simon: Yeah, when you see those big companies who've been with ransomware attacks and they've had to either pay the ransom or they've literally got to build the business from scratch, like, the cost associated with that is almost business-ending. So, just one backup for their data, off-site [laugh] they could have saved themselves millions and millions of pounds. So.

Corey: It's one of those things where an ounce of prevention is worth a pound of cure. And we're still seeing that stuff continue to evolve and continue to exist out in the ecosystem. There's a whole host of things that I think about like, “Ooh, if I lost, that would be annoying but not disastrous.” When I was going through some contractual stuff when we were first setting up The Duckbill Group and talking to clients about this, they would periodically ask questions about, “Well, what's your DR policy for these things?” It's, “Well, we have a number of employees; no more than two are located in the same city anywhere, and we all work from laptops because it is the 21st century, so if someone's internet goes out, they'll go to a coffee shop. If everyone's internet goes out, do you really care about the AWS bill that month?”

It's a very different use case and [unintelligible 00:11:02] with these things. Now, let's be clear, we are a consultancy that fixes AWS bills; we're not a hospital. There's a big difference in the use case and what is acceptable in different ways.
But what I like is that you have really build something out that lets people choose their own adventure in how managed they want it to be, what the source is, what the target should be. And it gives people enough control but without having to worry about the finicky parts of aligning a bunch of scripts that wind up firing off in cron jobs.Simon: Yeah. I'd say a fair few people run into issues running scripts or, you know, they silently fail and then you realize you haven't actually been running backups for the last six months until you're trying to pull them, even if you were trying to—Corey: Bold of you to think that I would notice it that quickly.Simon: [laugh]. Yeah, right. True. Yeah, that's presuming you have a disaster recovery plan that you actually test. Lots of small businesses have never even heard of that as a thing. So, having as us, kind of, manage backups sort of enables us to very easily tell people that backups of, like—we couldn't take the backup. Like, you need to address this.Also, to your previous point about the control, you can decide completely where data flows between. So, when people ask us about what's GDPR policies around data and stuff, we can say, “Well, we don't actually handle your data in that sense. It goes directly from your source through almost a proxy that you control to your storage.” So.Corey: The best answer: GDPR is out of scope. Please come again. And [laugh] yeah, just pass that off to someone else.Simon: In a way, you've already approved those two: you've approved the person that you're managing servers with and you've already approved the people that are doing storage with. You kind of… you do need to approve us, but we're not handling the data. So, we're handling your data, like your actual customer; we're not handling your customer's customer's data.Corey: Oh, yeah. Now, it's a valuable thing. 
One of my famous personal backup issues was okay, “I'm going to back this up onto the shared drive,” and I sort of might have screwed up the backup script—in the better way, given the two possible directions this can go—but it was backing up all of its data and all the existing backup data, so you know, exponential growth of your backups. Now, my storage vendor was about to buy a boat and name it after me when I caught that. “Oh, yeah, let's go ahead and fix that.”But this stuff is finicky, it's annoying, and in most cases, it fails in silent ways that only show up as a giant bill in one form or another. And not having to think about that is valuable. I'm willing to spend a few hours setting up a backup strategy and the rest; I'm not willing to tend it on an ongoing basis, just because I have other things I care about and things I need to get done.Simon: Yeah. It's such a kind of simple and trivial thing that can quickly become a nightmare [laugh] when you've made a mistake. So, not doing it yourself is a good [laugh] solution.Corey: So, it wouldn't have been a @patio11 recommendation to look at what you do without having some insight into the rest of the nuts and bolts of the business and the rest. Your plans are interesting. You have a free tier of course, which is a single daily backup job and half a gig of storage—or bring your own to that it's unlimited storage—Simon: Yep. Yeah.Corey: Unlimited: the only limits are your budget. Yeah. Zombo.com got it slightly wrong. It's not your mind, it's your budget. And then it goes from Light to Startup to Business to Agency at the high end.A question I have for you is at the high end, what I've found has been sort of the SaaS approach. 
The top end is always been a ‘Contact Us' form where it's the enterprise scope of folks where they tend to have procurement departments looking at this, and they're going to have a whole bunch of custom contract stuff, but they're also not used to signing checks with fewer than two commas in them. So, it's the signaling and the messaging of, “Reach out and talk to us.” Have you experimented with that at all, yet? Is it something you haven't gotten to yet or do you not have interest in serving that particular market segment?Simon: I'd say we've been gearing the business from starting off very small with one solution to, you know, last—and two years ago, we added the ability to store data from one provider to a different provider. So, we're sort of stair-stepping our way up to enterprise. For example, at the end of last year, we went and got certificates for ISO 27001 and… one other one, I can't remember the name of them, and we're probably going to get SOC 2 at some point this year. And then yes, we will be pushing more towards enterprises. We add, like, APIs as well so people can set up backups on the fly, or so they can put it as part of their provisioning.That's hopefully where I'm seeing the business go, as in we'll become under-the-hood backup provider for, like, a managed hosting solution or something where their customers won't even realize it's us, but we're taking the backups away from—responsibility away from businesses.Corey: For those listeners who are fortunate enough to not have to have spent as long as I have in the woods of corporate governance, the correct answer to, “Well, how do we know that vendor is doing what they say that they're doing,” because the, “Well, he seemed like a nice guy,” is not going to carry water, well, here are the certifications that they have attested to. 
Here's copies under NDA, if their audit reports that call out what controls they claim to have and it validates that they are in fact doing what they say that they're doing. That is corporate-speak that attests that you're doing the right things. Now, you're going to, in most cases, find yourself spending all your time doing work for no real money if you start making those things available to every customer spending 50 cents a year with you. So generally, the, “Oh, we're going to go through the compliance, get you the reports,” is one of the higher, more expensive tiers where you must spend at least this much for us to start engaging down this rabbit hole of various nonsense.And I don't blame you in the least for not going down that path. One of these years, I'm going to wind up going through at least one of those certification approaches myself, but historically, we don't handle anything except your billing data, and here's how we do it has so far been sufficient for our contractual needs. But the world's evolving; sophistication of enterprise buyers is at varying places and at some point, it'll just be easier to go down that path.Simon: Yeah, to be honest, we haven't had many, many of those customers. Sometimes we have people who come in well over the plan limits, and that's where we do a custom plan for them, but we've not had too many requests for certification. But obviously, we have the certification now, so if anyone ever [laugh] did want to see it under NDA, we could add some commas to any price. [laugh].Corey: This episode is sponsored in parts by our friend EnterpriseDB. EnterpriseDB has been powering enterprise applications with PostgreSQL for 15 years. 
And now EnterpriseDB has you covered wherever you deploy PostgreSQL on premises, private cloud, and they just announced a fully managed service on AWS and Azure called BigAnimal, all one word.Don't leave managing your database to your cloud vendor because they're too busy launching another half dozen manage databases to focus on any one of them that they didn't build themselves. Instead, work with the experts over at EnterpriseDB. They can save you time and money, they can even help you migrate legacy applications, including Oracle, to the cloud.To learn more, try BigAnimal for free. Go to biganimal.com/snark, and tell them Corey sent you.Corey: What I like as well is that you offer backups for a bunch of different things. You can do snapshots from, effectively, every provider. I'm sorry, I'm just going to call out because I love this: AWS and Amazon LightSail are called out as two distinct things. And Amazonians will say, “Oh, well, under the hood, they're really the same thing, et cetera.” Yeah, the user experience is wildly different, so yeah, calling those things out as separate things make sense.But it goes beyond that because it's not just, “Well, I took a disk image. There we go. Come again.” You also offer backup recipes for specific things where you could, for example, back things up to a local file and external storage where someone is. Great, you also backup WordPress and MongoDB and MySQL and a whole bunch of other things.A unified cloud controller, which is something I have in my house, and I keep thinking I should find a way to back that up. Yeah, this is great. It's not just about the big server thing; it's about having data living in managed services. It's about making sure that the application data is backed up in a reasonable, responsible way. I really liked that approach. Was that an evolution or is that something you wound up focusing on almost from the beginning?Simon: It was an evolution. 
So, we started with the snapshots, which got the business quite far to be honest and it was very simple. It was just DigitalOcean to start with, actually, for the first two years. Pretty easy to market in a way because it's just focused on one thing. Then the other solutions came in, like the other providers and, you know, once you add one, it was easy to add many.And then came database backups and file backups. And I just had those two solutions because that was what people were asking for. Like, they wanted to make sure their whole server snapshot, if you have a whole server snapshot, the point in time data for MySQL could be corrupt. Like, there could be stuff in RAM that a MySQL dump would have pulled out, for example. Like… there's a possibility that the database could be corrupt from a snapshot, so people were asking for a bit of, more, peace of mind with doing proper backups of MySQL.So, that's what we added. And it soon became apparent when more customers were asking for more solutions that we really needed to, like, step back and think about what we're actually offering. So, we rebuilt this whole, kind of like, database engine, then that allowed us to consume data from anywhere. So, we can easily add more backup types. So, the reason you can see all the ones you've listed there is because that's kind of what people have been asking for. And every time someone comes up with a new, [laugh], like, a new open-source project or database or whatever, we'll add support, even ones I've never heard of before. When people ask for some weird file—Corey: All it takes is just waiting for someone to reach out and say, hey, can you back this thing up, please?Simon: Yeah, exactly, some weird file-based database system that I've never ever heard of. Yeah, sure. 
Just give us [laugh] a test server to mess around with and we'll build, essentially, like, we use bash in the background for doing the backups; if you can stream the data from a command, we can then deal with the whole management process. So, that's the reason why. And then, I was seeing in, like, the Laravel space, for example, people were doing MySQL backups and they'd have a script, and then for whatever reason, someone rotated the passwords on the database and the backup script… was forgotten about.So, there it is, not working for months. So, we thought we could build a backup where you could just point it at where the Laravel project is. We can get all the config we need at the runtime because it's all there with the project anyway, and then thus, you never need to tell us the password for your database and that problem goes away. And it's the same with WordPress.Corey: I'm looking at this now just as you go through this, and I'm a big believer in disclaiming my biases, conflicts of interest, et cetera. And until this point, neither of us have traded a penny in either direction between us that I'm ever aware of—maybe you bought a t-shirt or something once upon a time—but great, I'm about to become a customer of this because I already have backup solutions for a lot of the things that you currently support, but again, when you're a grumpy admin who's lost data in the past, it's, “Huh, you know what I would really like? That's right, another backup.” And if that costs me a few hundred bucks a year for the peace of mind is money well spent because the failure mode is I get to rewrite a whole lot of blog posts and re-record all podcasts and pay for a whole bunch of custom development again. And it's just not something that I particularly want to have to deal with. There's something to be said for a holistic backup solution. I wish that more people thought about these things.Simon: Can you imagine having to pull all the blog posts off [unintelligible 00:22:19]? 
[laugh]—Corey: Oh, my got—Simon: —to try and rebuild it.Corey: That is called the crappiest summer internship someone has ever had.Simon: Yeah.Corey: And that is just painful. I can't quite fathom having to do that as a strategy. Every once in a while some big site will have a data loss incident or go out of business or something, and there's a frantic archiving endeavor that happens where people are trying to copy the content out of the Google Search Engine's cache before it expires at whatever timeline that is. And that looks like the worst possible situation for any sort of giant backup.Simon: At least that's one you can fix. I mean, if you were to lose all the payment information, then you've got to restitch all that together, or anything else. Like, that's a fixable solution, but a lot of these other ones, if you lose the data, yeah, there's no two ways around it, you're screwed. So.Corey: Yeah, it's a challenging thing. And it's also—the question also becomes one of, “Well, hang on. I know about backups on this because I have this data, but it's used to working in an AWS environment. What possible good would it do me sitting somewhere else?” It's, yeah, the point is, it's sitting somewhere else, at least in my experience. You can copy it back to that sort of environment.I'm not suggesting this is a way that you can run your AWS serverless environment on DigitalOcean, but it's a matter of if everything turns against you, you can rebuild from those backups. That's the approach that I've usually taken. Do you find that your customers understand that going in or is there an education process?Simon: I'd say people come for all sorts of reasons for why they want backup. So, having your data in two places for that is one of the reasons but, you know, I think there's a lot of reasons why people want peace of mind: for either developer mistakes or migration mistakes or hacking, all these things. 
So, I guess the big one we come up with a lot is people talking about databases and they don't need backups because they've got replication. And trying to explain that replication between two databases isn't the same as a backup. Like, you make a mistake you drop—[laugh] you run your delete query wrong on the first database, it's gone, replicated or not.Corey: Right, the odds of me fat-fingering an S3 bucket command are incredibly likelier than the odds of AWS losing an entire region's S3 data irretrievably. I make mistakes a lot more than they tend to architecturally, but let's also be clear, they're one of the best. My impression has always been the big three mostly do a decent job of this. The jury's still out, in my opinion, on other third-party clouds that are not, I guess, tier one. What's your take?Simon: I have to be careful. I've got quite good relationships with some of these. [laugh].Corey: Oh, of course. Of course. Of course.Simon: But yes, I would say most customers do end up using S3 as their storage option, and I think that is because it is, I think, the best. Like, is in terms of reliability and performance, some storage can be a little slow at times for pulling data in, which could or could not be a problem depending on what your use case is. But there are some trade-offs. Obviously, S3, if you're trying to get your data back out, is expensive. If you were to look at Backblaze, for example, as well, that's considerably cheaper than S3, especially, like, when you're talking in the petabyte-scale, there can be huge savings there. So… they all sort of bring their own thing to the table. Personally, I store the backups in S3 and in Backblaze, and in one other provider. [laugh].Corey: Oh, yeah. Like—Simon: I like to have them spread.Corey: Like, every once in a while in the industry, there's something that happens that's sort of a watershed moment where it reminds everyone, “Oh, right. 
That's why we do backups.” I think the most recent one—and again, love to them; this stuff is never fun—was when that OVH data center burned down. And OVH is a somewhat more traditional hosting provider, in some respects. Like, their pricing is great, but they wind up giving you what amounts to here as a server in a rack. You get to build all this stuff yourself.And that backup story is one of those. Oh, okay. Well, I just got two of them and I'll copy backups to each other. Yeah, but they're in the same building and that building just burned down. Now, what? And a lot of people learned a very painful lesson. And oh, right, that's why we have to do that.Simon: Yeah. The other big lesson from that was that even if the people with data in a different region—like, they'd had cross-regional backups—because of the demand at the time for accessing backups, if you wanted to get your data quickly, you're in a queue because so many other people were in the same boat as you're trying to restore stored backups. So, being off-site with a different provider would have made that a little easier. [laugh].Corey: It's a herd of elephants problem. You test your DR strategy on a scheduled basis; great, you're the only person doing it—give or take—at that time, as opposed to a large provider has lost a region and everyone is hitting their backup service simultaneously. It generally isn't built for that type of scale and provisioning. One other question I have for you is when I make mistakes, for better or worse, they're usually relatively small-scale. I want to restore a certain file or I will want to, “Ooh, that one item I just dropped out of that database really should not have been dropped.” Do you currently offer things that go beyond the entire restore everything or nothing? Or right now are you still approaching this from the perspective of this is for the catastrophic case where you're in some pain already?Simon: Mostly the catastrophic stage. 
So, we have MySQL [bin logs 00:27:57] as an option. So, if you wanted to do, like, a point-in-time of store, which… may be more applicable to what you're saying, but generally, its whole, whole website recovery. For example, like, we have a WordPress backup that'll go through all the WordPress websites on the server and we'll back them up individually so you can restore just one. There are ways that we have helped customers in the past just pull one table, for example, from a backup.But yeah, we geared towards, kind of, the set and the forget. And people don't often restore backups, to be honest. They don't. But when they do, it's obviously [laugh] very crucial that they work, so I prefer to back up the whole thing and then help people, like, if you need to extract ten megabytes out of an entire gig backup, that's a bit wasteful, but at least, you know, you've got the data there. So.Corey: Yeah. I'm a big believer in having backups in a variety of different levels. Because I don't really want to do a whole server restore when I remove a file. And let's be clear, I still have that grumpy old Unix admin of before I start making changes to a file, yeah, my editor can undo things and remembers that persistently and all. But I have a disturbing number of files and directories whose names end in ‘.bac' with then, like, a date or something on it, just because it's—you know, like, “Oh, I have to fix something in Git. How do I do this?”Step one, I'm going to copy the entire directory so when I make a pig's breakfast out of this and I lose things that I care about, rather than having to play Git surgeon for two more days, I can just copy it back over and try again. Disk space is cheap for those things. But that's also not a holistic backup strategy because I have to remember to do it every time and the whole point of what you're building and the value you're adding, from my perspective, is people don't have to think about it.Simon: Yes. Yeah yeah yeah. 
Once it's there, it's there. It's running. It's as you say, it's not the most efficient thing if you wanted to restore one file—not to say you couldn't—but at least you didn't have to think about doing the backup first.Corey: I really want to thank you for taking the time out of your day to talk to me about all this. If people want to learn more for themselves, where can they find you?Simon: So, SnapShooter.com is a great place, or on Twitter, if you want to follow me. I am @MrSimonBennett.Corey: And we will, of course, put links to that in the [show notes 00:30:11]. Thank you once again. I really appreciate it.Simon: Thank you. Thank you very much for having me.Corey: Simon Bennett, founder and CEO of SnapShooter.com. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this episode, please leave a five-star review on your podcast platform of choice, whereas if you've hated this episode, please leave a five-star review on your podcast platform of choice, along with an angry insulting comment that, just like your backup strategy, you haven't put enough thought into.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.

Resilient Cyber
S3E3: Dan Lorenc - Software Supply Chain, Sigstore and OSS

May 23, 2022 (23:49)


Chris: We're undoubtedly seeing a growing discussion around Software Supply Chain, with several notable events and also now evolving guidance/legislation such as the Cyber EO, NIST guidance, etc. Any thoughts on why this is just now becoming such a focused concern?

Nikki: When a lot of people discuss software supply chain security, it can quickly turn into a discussion about SBOM or Log4j and SolarWinds. I think about software supply chain security as being part of a really good threat detection and response program - what are your thoughts on that?

Nikki: I also wanted to address, expanding on the topic of threat detection and moving into threat modeling - do you think that with the attack surface expanding through the software supply chain there are threat modeling techniques that can be used to understand and account for that growing attack surface?

Chris: You've been pretty involved in efforts around software supply chain and DevSecOps, most notably sigstore - can you tell us what that is and why it is important or useful?

Nikki: In the last couple of years 'technical debt' has become a bigger concern for organizations, but this includes software supply chain, dependencies, EOL or outdated software, etc. How do you think organizations can account for their software inventory better and more efficiently?

Chris: As we look to the future of Software Supply Chain, with efforts such as SBOM, VEX, Sigstore, SLSA and more, where do you think we're headed? What does the state of software supply chain look like in, say, 3 years?

Relating to DevSecOps
Episode #044: Multiball Pinball with Multicloud Hot Takes and Infrastructure as Code

May 21, 2022 (37:24)


Mike and Ken are BACK after a small hiatus and they jump into hot takes on multi-cloud. What does multi-cloud even mean? How does it differ from hybrid cloud, private cloud, or even just the status quo data center? The hosts discuss integration of products and projects into a multicloud deployment, security concerns associated with the approach, and how it differs from the horrors and challenges in private cloud and hybrid cloud. The team talks resources, talent, hiring, and what challenges they've faced over time shifting organizations into cloud deployments. As the passion increases, hot takes on hot takes manifest and a discussion of cloud unicorns ensues. We hope you enjoy!

Dark Rhino Security Podcast
SC S6 E3 Tim Chase - Field CISO, Professional Speaker, Ethical Hacker

May 20, 2022 (42:27)


#SecurityConfidential #DarkRhinoSecurity

Tim Chase joins host Manoj Tandon on this episode of Security Confidential. Tim Chase is a Field CISO, Professional Speaker, Author, Ethical Hacker, Certified Application Security Engineer, etc. He is also a LinkedIn Learning Instructor who writes training modules about DevOps and DevSecOps. Tim is an expert at resolving challenging security incidents with a short turnaround time. He is a graduate of Tennessee Tech and the University of Phoenix.

00:00 Introduction
01:13 The problem of Ransomware: how do you see it evolving in the near future?
05:17 Third-Party Risk
06:21 Applications built on open source code and how to ensure their security
11:45 What do you see as the Top 3 root causes of security incidents?
14:40 Deep Provisioning
22:22 Step-by-step on how to build a cybersecurity program for SMB
32:05 How to make Cybersecurity logical when coaching a young cybersecurity team. What foundational elements do you emphasize?
37:30 Companies use Cybersecurity as a revenue
40:48 Outro

To learn more about Tim Chase visit https://www.linkedin.com/in/timchase2/
To see Tim's Course on DevOps and DevSecOps visit https://www.linkedin.com/learning/devops-foundations-devsecops/welcome?autoplay=true
To learn more about Dark Rhino Security visit https://www.darkrhinosecurity.com

DevOps and Docker Talk
GitOps with Pulumi

May 20, 2022 (45:10)


Unedited live recording of the complete show on YouTube (Ep #164). Includes demos.

Bret is joined by David Flanagan, aka @Rawkode Academy, from Pulumi to show off how Pulumi infrastructure-as-code can improve GitOps pipelines. Our conversation focused on what GitOps and Pulumi are and how they work together to manage your infrastructure and app deploys. Streamed live on YouTube on March 24, 2022.

★ Topics ★
Pulumi
Product
K8s Operator
K8s
GitOps
Law of Demeter
1Password SSH management

★ David Flanagan aka Rawkode Academy ★
Rawkode Academy, Live weekly
Rawkode on Twitter

★ Join My Community ★
Best coupons for my Docker and Kubernetes courses
Chat with us on our Discord Server Vital DevOps
Homepage bretfisher.com

★ Support this podcast on Patreon ★

Kubernetes Podcast from Google
KubeCon EU 2022, with Ricardo Rocha

May 19, 2022 (27:16)


Live from Valencia, it's KubeCon EU! Craig talks to conference co-chair and CERN computer scientist Ricardo Rocha about the event, and what it's like to be in a room full of people again.

Do you have something cool to share? Some questions? Let us know:
web: kubernetespodcast.com
mail: kubernetespodcast@google.com
twitter: @kubernetespod

Chatter of the week
9am Karaoke

News of the week
CNCF news from KubeCon EU: SlashData survey, 800 members, Boeing, Coinbase, Prometheus Certified Associate
Google Cloud improves GitOps usability with Config Sync and Porch
kpt
Other Google news from KubeCon
Tetragon from Isovalent
Envoy Gateway Infra Ask HN with the creators
Cloud Foundry launches Korifi
SUSE NeuVector is open source
CloudNativePG from EnterpriseDB
All the other options
Assured Open Source Software from Google Cloud

Recent Guest news:
Akuity announces $20m Series A (episode 172)
Komodor raises $42 million Series B (episode 153)
Deepfence launches Deepfence Cloud (episode 173)

Lightning Round
Armory announced public early access to their new Continuous Deployment-as-a-Service product
Aserto announces its "better together" approach to authorization by bringing together OPA, OCI, and Sigstore
Bunnyshell introduces support for multi-repository Terraform with full-stack drift management and GitOps
Calyptia announces the General Availability of Calyptia for Fluent Bit
CAST AI introduces advanced Autoscaler for AKS
Clastix launches Kamaji, a new open source tool for Managed Kubernetes Service
CloudCasa by Catalogic expands to support Microsoft AKS
Codenotary combines Community Attestation Service with background vulnerability scanning
CodeZero launches Surf, a new developer tool for observability in pre-production Kubernetes environments
CrateDB introduces Logical Replication
D2iQ partners with GitLab
DataCore Bolt container-native storage software now GA; built on their acquisition of Mayadata
Datadog launches Application Security Monitoring and support for OpenTelemetry Protocol in the Datadog Agent
Deepfactor partners with Synopsys to help developers resolve cloud native supply chain security risks
env0 enables full-stack IaC deployment and management with native Kubernetes support
Era Software introduces EraStreams
Fairwinds Insights unifies DevSecOps with additional shift-left enhancements
GitLab free tier adds pull-based Kubernetes deployments
Google announced a new low-cost, high-usage pricing tier for Google Cloud Managed Service for Prometheus
HCL Technologies launches Kubernetes migration platform
Kasten by Veeam launches K10 v5.0
Runecast adds CI/CD integration and image scanning
Lacework introduces new Kubernetes Audit Logs monitoring
Loft Labs announces a Cluster API provider for vcluster
NetFoundry embeds zero trust into Prometheus
New Relic introduces low-overhead Kubernetes monitoring and Pixie plug-in framework
Pure Storage's new Database as a Service platform is GA
Replicated introduces community licensing and pre-flight checks
SphereEx releases DB-Plus Suite
Snapt announces security package to run Kubernetes in public cloud
SPIRE now runs on Windows
Sysdig launches new Advisor and Sysdig Open Source leverages Falco plugins
SysEleven unveils MetaKube Operator
Timescale announces OpenTelemetry Tracing support for Promscale
Vultr Kubernetes Engine now Generally Available
Zesty Disk for Kubernetes introduced

Links from the interview
Episode 62
Lukas Heinrich
Clemens Lange
CERN
LHC Computing Grid
Large Hadron Collider
Kubeflow
Data on Kubernetes Community
CNCF Research User Group
CNCF TOC
Volcano moves to incubation
KubeCon EU 2022
Episode 165, with Jasmine James
Selection process report for KubeCon EU
KubeCon China 2021
Research track
Puppies at KubeCon NA 2019
Code, mountains and flying
Kubernetes on an F/16
Ricardo Rocha on Twitter and on the web

Screaming in the Cloud
At the Head of Community Development with Wesley Faulkner

May 19, 2022 · 35:19


About Wesley
Wesley Faulkner is a first-generation American, public speaker, and podcaster. He is a founding member of the government transparency group Open Austin and a staunch supporter of racial justice, workplace equity, and neurodiversity. His professional experience spans technology from AMD, Atlassian, Dell, IBM, and MongoDB. Wesley currently works as a Developer Advocate, and in addition, co-hosts the developer relations focused podcast Community Pulse and serves on the board for SXSW.

Links Referenced:
- Twitter: https://twitter.com/wesley83
- Polywork: https://polywork.com/wesley83
- Personal Website: https://www.wesleyfaulkner.com/

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Finding skilled DevOps engineers is a pain in the neck! And if you need to deploy a secure and compliant application to AWS, forgettaboutit! But that's where DuploCloud can help. Their comprehensive no-code/low-code software platform guarantees a secure and compliant infrastructure in as little as two weeks, while automating the full DevSecOps lifecycle. Get started with DevOps-as-a-Service from DuploCloud so that your cloud configurations are done right the first time. Tell them I sent you and your first two months are free. To learn more visit: snark.cloud/duplo. That's snark.cloud/D-U-P-L-O-C-L-O-U-D.

Corey: What if there were a single place to get an inventory of what you're running in the cloud that wasn't "the monthly bill?" Further, what if there were a way to compare that inventory to what you were already managing via Terraform, Pulumi, or CloudFormation, but then automatically add the missing unmanaged or drifted parts to it?
And what if there were a policy engine to immediately flag and remediate a wide variety of misconfigurations? Well, stop dreaming and start doing; visit snark.cloud/firefly to learn more.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I am joined again for a second time this year by Wesley Faulkner. Last time we spoke, he was a developer advocate. And since then, as so many have, he's changed companies. Wesley, thank you for joining me again. You're the Head of Community at SingleStore, now. Congrats on the promotion.

Wesley: Thank you. It's been a very welcome change. I love developer advocates and developer advocacy. But I love people, too, so it's almost, I think, very analogous to the ebbs and flow that we all have gone through, through the pandemic, and leaning into my strong suits.

Corey: It's a big deal having a ‘head of’ in a role title, as opposed to Developer Advocate, Senior Developer Advocate. And it is a different role. It's easy to default into the world of thinking that it's a promotion. Management is in many ways orthogonal to what it takes to succeed in an actual role. And further, you're not the head of DevRel, or DevRelopers or whatever you want to call the term. You are instead the Head of Community. How tied is that to developer relations, developer advocacy, or other things that we are used to using as terms of art in this space?

Wesley: If we're talking about other companies, I would say the Head of Community is something that's under the umbrella of developer relations, where it's just a peer to some of the other different elements or columns of developer relations. But in SingleStore specifically, I have to say that developer relations in terms of what you think about whole umbrella is very new to the company. And so, I consider myself the first person in the role of developer relations by being the Head of Community. So, a lot of the other parts are being bolted in, but under the focus of developer as a community.
So, I'm liaisoning right now as helping with spearheading some of the design of the activities that the advocates do, as well as architecting the platform and the experiences of people coming in and experiencing SingleStore through the community's perspective.

So, all that to say is, what I'm doing is extremely structured, and a lot of stuff that we're doing with the efficacy, I'm using some of my expertise to help guide that, but it's still something that's kind of like an offshoot and not well integrated at the moment.

Corey: How has it changed the way that you view the function of someone who's advocating to developers, which is from my cynical perspective, “Oh, it's marketing, but we don't tell people it's marketing because they won't like it.” And yes, I know, I'll get emails about that. But how does it differ from doing that yourself versus being the head of the function of a company? Because leadership is a heck of a switch. I thought earlier in my career that oh, yeah, it's a natural evolution of being a mediocre engineer. Time to be a mediocre manager. And oh, no, no, I aspired to be a mediocre manager. It's a completely different skill set and I got things hilariously wrong. What's it like for you going through that shift?

Wesley: First of all, it is kind of like advertising, and people may not think of it that way. Just to give an example, movie trailers is advertising. The free samples at the grocery store is advertising. But people love those because it gives an experience that they like in a package that they are accustomed to. And so, it's the same with developer relations; it's finding the thing that makes the experience worthwhile.

On the community side, this is not new to me. I've done several different roles, maybe not in this combination. But when I was at MongoDB, I was a technical community manager, which is like a cog in the whole giant machine.
But before that, in my other life, I managed social and community interactions for Walmart, and I had, at the slow period, around 65, but during the holidays, it would ramp up to 95 direct reports that I managed.

It's almost—if you're a fan of The Princess Bride, it's different than fighting one person. Sometimes it's easier to fight, like, a squad or a gang of people. So, being Head of Community with such a young company is definitely a lot different. In some ways, it's harder to deal with this type of community where we're just growing and emerging, rather than something more well-established.

Corey: It probably gives you an interesting opportunity. Because back when I was doing engineering work as an SRE or whatever we call them in that era, it was, “Yeah, wow, my boss is terrible and has no idea what the hell they're doing.” So, then I found myself in the role, and it's, “Cool. Now, do all the things that you said you would do. Put up or shut up.”

And it turns out that there's a lot you don't see that are strategic considerations. I completely avoided things like managing up or managing laterally or balancing trade-offs in different ways. Yeah, you're right. If you view the role of management as strictly being something that is between you and your direct reports, you can be an amazing manager from their perspective, but completely ineffective organizationally at accomplishing the goals that have been laid out for you.

Wesley: Yeah. The good thing about being head of and the first head of is that you help establish those goals. And so, when you take a role with another company saying, “Hey, we have headcount for this,” and it's an established role, then you're kind of like streamlining into a process that's already underway. What's good about this role specifically, a ‘head of,’ is that I help with not only designing what are the goals and the OKRs but deciding what the teams and what the team structure should look like.
And so, I'm hiring for a specific position based on how it interacts with everything else.

So, when I'm coming in, I don't say, “Well, what do you do?” Or, “How do you do it?” I said, “This is what needs to be done.” And that makes it so much easier just to say that if everything is working the way it should and to give marching orders based on the grand vision, instead of hitting the numbers this quarter or next quarter. Because what is core to my belief, and what's core, too, of how I approach things is at the heart of what I'm trying to do, which is really great, in terms of making something that didn't exist before.

Corey: The challenge, too, is that everyone loves to say—and I love to see this at different ways—is the evolution and understanding of the DevRel folks who I work with and I have great relationships with realizing that you have to demonstrate business value. Because I struggle with this my entire career where I know intrinsically, that if I get on stage and tell a story about a thing that is germane to what my company does, that good things are going to happen. But it's very hard to do any form of attribution to it. In a different light, this podcast is a great example of this.

We have sponsors. And people are listening. Ideally, they aren't fast-forwarding through sponsor messages; I do have interesting thoughts about the sponsors that I put into these ads. And that's great, but I also appreciate that people are driving while they're listening to this, and they are doing the dishes, they are mowing the lawn, and hopefully not turning up the volume too loudly so it damages their hearing. And the idea that they're going to suddenly stop any of those things and go punch in the link that I give is a little out to lunch there.

Instead, it's partially brand awareness and it is occasionally the, “Wait. That resonates exactly with the problem that I have.” So, they get to work or they get back in front of a computer and the odds are terrific they're not going to punch in that URL of whatever I wound up giving; they're going to type in whatever phrases they remember and the company name into Google. Now—and doing attribution on something like that is very hard.

It gets even more hard when we're talking about something that is higher up the stack that requires a bit more buy-in than individual developers. There's often a meeting or two about it. And then someone finally approaches the company to have a conversation. Now, does it work? Yes. There are companies that are sponsoring this stuff that spend a lot of time, effort, and money on that.

I don't know how you do that sort of attribution; I don't pretend to know, but I know that it works. Because these people whose entire job is making sure that it does tell me it does. So, I smile, I nod, and that's great. But it's very hard to wind up building out a direct, “If you spend X dollars sponsoring this, you will see Y dollars in response.” But in the DevOps world, when you're internal doing these things, well, okay because to the company, I look an awful lot like an expensive developer except I don't ever write production code.

And then—at least in the before times—“So, what does your job do? Because looking at the achievements and accomplishments last quarter, it looks an awful lot like you traveled to exotic places on the company dime, give talks that are of only vague relevance to what we do, and then hang out at parties with your friends? Nice job, how can I get that?” But it's also first on the chopping block when okay, how do we trim expenses go? And I think it's a mistake to do that. I just don't think that story of the value of developer relations is articulated super-well.
And I say that, but I don't know how to do a much better job of it myself.

Wesley: Well, that's why corporate or executive buy-in is important because if they know from the get-go while you're there, it makes it a little bit easier to sell. But you do have to show that you are executing. So, there are always two parts to presenting a story, and that's one, the actual quantitative, like, I've done this many talks—so that output part—I've written this many blog posts, or I've stood up this many events that people can attend to. And then there's the results saying, people did read this post, people did show up to my event, people did listen to my talk that I gave. But you also need to give the subjective ones where people respond back and say, “I loved your talk,” or, “I heard you on Corey's podcast,” or, “I read your blog posts,” because even though you might not understand that it goes all the way down in a conversion funnel to a purchase, you can at least use that stand-in to say there's probably, like, 20, 30 people behind this person to have that same sentiment, so you can see that your impact is reaching people and that it's having some sort of lasting effect.

That said, you have to keep it up. You have to try to increase your output and increase your sphere of influence. Because when people go to solve their problem, they're going to look into their history and their own Rolodex of saying what was the last thing that I heard? What was the last thing that's relevant?

There is a reason that Pepsi and Coke still do advertising. It's not because people don't know those brands, but being easily recalled, or a center of relevance based on how many touchpoints or how many times that you've seen them, either from being on American Idol and the logo facing the camera, or seeing a whole display when you go into the grocery store. Same with display advertising.
All of this stuff works hand in hand so that you can be front-of-mind with the people and the decision-makers who will make that decision. And we went through this through the pandemic where… that same sentiment, it was like, “You just travel and now you can't travel, so we're just going to get rid of the whole department.”

And then those same companies are hunting for those people to come back or to rebuild these departments that are now gone because maybe you don't see what we do, but when it's gone, you definitely notice a dip. And that trust is from the top-up. You have to do not just external advocacy, but you have to do internal advocacy about what impacts you're having so that at least the people who are making that decision can hopefully understand that you are working hard and the work is paying off.

Corey: Since the last time that we spoke, you've given your first keynote, which—

Wesley: Yes.

Corey: Is always an interesting experience to go through. It was at a conference called THAT Conference. And I feel the need to specify that because otherwise, we're going to wind up with a ‘who's on first’ situation. But THAT Conference is the name.

Wesley: Specify THAT. Yes.

Corey: Exactly. Better specify THAT. Yes. So, what was your keynote about? And for a bit of a behind-the-scenes look, what was that like for you?

Wesley: Let me do the behind-the-scenes because it's going to lead up to the actual execution.

Corey: Excellent.

Wesley: So, I've been on several different podcasts. And one of the ones that I loved for years is one called This Week in Tech with Leo Laporte. Was a big fan of Leo Laporte back in the Screen Saver days back in TechTV days. Loved his opinion, follow his work. And I went to a South by Southwest… three, four years ago where I actually met him.

And then from that conversation, he asked me to be on his show. And I've been on the show a handful of times, just talking about tech because I love tech.
Tech is my passion, not just doing it, but just experiencing and just being on either side of creating or consuming. When I moved—I moved recently also since, I think, from the last time I was on your show—when I moved here to Wisconsin, the organizer of THAT Conference said that he's been following me for a while, since my first appearance on This Week in Tech, and loved my outlook and my take on things. And he approached me to do a keynote.

Since I am now in Wisconsin—THAT Conference has been in Wisconsin since inception and it's been going on for ten years—and he wanted me to just basically share my knowledge. Clean slate, have enough time to just say whatever I wanted. I said, “Yes, I can do that.” So, my experience on my end was like sheer excitement and then quickly sheer terror of not having a framework of what I was going to speak on or how I was going to deliver it. And knowing as a keynote, that it would be setting the tone for the whole conference.

So, I decided to talk on the thing that I knew the most about, which was myself. Talked about my journey growing up and learning what my strengths, what my weaknesses are, how to navigate life, as well as the corporate jungle, and deciding where I wanted to go. Do I want to be the person that I feel like I need to be in order to be successful, which when we look at structures and examples and the things that we hold on a pedestal, we feel that we have to be perfect, or we have to be knowledgeable, and we have to do everything, well rounded in order to be accepted. Especially being a minority, there's a lot more caveats in terms of being socially acceptable to other people.
And then the other path that I could have taken, that I chose to take, was to accept my things that are seen as faults, but my own quirkiness, my own uniqueness and putting that front and center about, this is me, this is my person that over the years has formed into this version of myself.

I'm going to make sure that is really transparent and so if I go anywhere, they know what they're getting, and they know what they're signing up for by bringing me on board. I have an opinion, I will share my opinion, I will bring my whole self, I won't just be the person that is technical or whimsical, or whatever you're looking for. You have to take the good with the bad, you have to take the I really understand technology, but I have ADHD and I might miss some deadlines. [laugh].

Corey: This episode is sponsored in parts by our friend EnterpriseDB. EnterpriseDB has been powering enterprise applications with PostgreSQL for 15 years. And now EnterpriseDB has you covered wherever you deploy PostgreSQL on premises, private cloud, and they just announced a fully managed service on AWS and Azure called BigAnimal, all one word.

Don't leave managing your database to your cloud vendor because they're too busy launching another half dozen managed databases to focus on any one of them that they didn't build themselves. Instead, work with the experts over at EnterpriseDB. They can save you time and money, they can even help you migrate legacy applications, including Oracle, to the cloud.

To learn more, try BigAnimal for free. Go to biganimal.com/snark, and tell them Corey sent you.

Corey: I have a very similar philosophy, and how I approach these things where it's there is no single speaking engagement that I can fathom even being presented to me, let alone me accepting that is going to be worth me losing the reputation I have developed for authenticity. It's you will not get me to turn into a shill for whatever it is that I am speaking in front of this week.
Conversely, whether it's a paid speaking engagement or not, I have a standing policy of not using a platform that is being given to me by a company or organization to make them look foolish. In other words, I will not make someone regret inviting me to speak at their events. Full stop.

And I have spoken at events for AWS; I have spoken at events for Oracle, et cetera, et cetera, and there's no company out there that I'm not going to be able to get on stage and tell an entertaining and engaging story, but it requires me to dunk on them. And that's fine. Frankly, if there is a company like that where I could not say nice things about them—such as Facebook—I would simply decline to pursue the speaking opportunity. And that is the way that I view it. And very few companies are on that list, to be very honest with you.

Now, there are exceptions to this, if you're having a big public keynote, I will do my traditional live-tweet the keynote and make fun of people because that is, A, expected and, B, it's live-streamed anywhere on the planet I want to be sitting at that point in time, and yeah, if you're saying things in public, you can basically expect that to be the way that I approach these things. But it's a nuanced take, and that is something that is not fully understood by an awful lot of folks who run events. I'll be the first to admit that aspects of who and what I am mean that some speaking engagements are not open to me. And I'm okay with that, on some level, I truly am. It's a different philosophy.

But I do know that I am done apologizing for who I am and what I'm about. And at some point that required a tremendous amount of privilege and a not insignificant willingness to take a risk that it was going to work out all right. I can't imagine going back anymore.
Now, that road is certainly not what I would recommend to everyone, particularly folks earlier in their career, particularly for folks who don't look just like I do and have a failure mode of a board seat and a book deal somewhere, but figuring out where you will and will not compromise is always an important thing to get straight for yourself before you're presented with a situation where you have to make those decisions, but now there's a whole bunch of incentive to decide in one way or another.

Wesley: And that's a journey. You can't just skip sections, right? You didn't get to where you are unless you went through the previous experience that you went through. And it's true for everyone. If you see those success books or how-to books written by people who are extremely rich, and, like, how to become successful and, like, okay, well, that journey is your own. It doesn't make it totally, like, inaccessible to everyone else, but you got to realize that not everyone can walk that path. And—

Corey: You were in the right place at the right time, an early employee at a company that did phenomenally well and that catapulted you into reach beyond the wildest dreams of avarice territory. Good for you, but fundamentally, when you give talks like that as a result, what it often presents as is, “I won the lottery, and here's how you can too.” It doesn't work that way. The road you walked was unique to you and that opportunity is closed, not open to anyone else, so people have to find their own paths.

Wesley: Yeah, and lightning doesn't strike in the same place twice. But there are some things where you can understand some fundamentals. And depending on where you go, I think you do need to know yourself, you do need to know—like, be able to access yourself, but being able to share that, of course, you have to be at a point where you feel comfortable.
And so, even if you're in a space where you don't feel that you can be your authentic self or be able to share all parts of you, you yourself should at least know yourself and then make that decision. I agree that it's a point of privilege to be able to say, “Take me how I am.”

I'm lucky that I've gotten here, not everyone does, and just because you don't doesn't mean that you're a failure. It just means that the world hasn't caught up yet. People who are part of marginalized society, like, if you are, let's say trans, or if you are even gay, you take the same person, the same stance, the same yearning to be accepted, and then transport it to 50 years ago, you're not safe. You will not necessarily be accepted, or you may not even be successful. And if you have a lane where you can do that, all the power to you, but not everyone could be themselves, and you just need to make sure that at least you can know yourself, even if you don't share that with the world.

Corey: It takes time to get there, and I think you're right that it's impossible to get there without walking through the various steps. It's one of the reasons I'm somewhat reluctant to talk overly publicly about my side project gig of paid speaking engagements, for instance, is that the way to get those is you start off by building a reputation as a speaker, and that takes an awful lot of time. And speaking at events where there's no budget even to pay you a speaking fee out of anyway. And part of what gets the keynote invitations to, “Hey, we want you to come and give a talk,” is the fact that people have seen you speak elsewhere and know what you're about and what to expect.
Here's a keynote presented by someone who's never presented on stage before is a recipe for a terrifying experience, if not for the speaker or the audience, definitely [laugh] for the event organizers because what if they choke?

Easy example of this, even now hundreds of speaking engagements in, the adrenaline hit right before I go on stage means that sometimes my knees shake a bit before I walk out on stage. I make it a point to warn the people who are standing with me backstage, “Oh, this is a normal thing. Don't worry, it is absolutely expected. It happens every time. Don't sweat it.”

And, like, “Thank you for letting us know. That is the sort of thing that's useful.” And then they see me shake, and they get a little skeptical. Like, I thought this guy was a professional. What's the story? And I walk on stage and do my thing and I come back. Like, “That was incredible. I was worried at the beginning.” “I told you, we all have our rituals before going on stage. Mine is to shake like a leaf.”

But the value there is that people know what to generally expect when I get on stage. It's going to have humor, there's going to be a point interwoven throughout what I tend to say, and in the case of paid speaking engagements, I always make sure I know where the boundaries are of things I can make fun of a big company for. Like, I can get on stage and make fun of service naming or I can make fun of their deprecation policy or something like that, but yeah, making fun of the way that they wind up handling worker relations is probably not going to be great and it could get the person who championed me fired or censured internally. So, that is off the table.

Like, even on this podcast, for example, I sometimes get feedback from listeners of, “Well, you have someone from company X on and you didn't beat the crap out of them on this particular point.” It's yeah, you do understand that by having people on the show I'm making a tacit agreement not to attack them. I'm not a journalist.
I don't pretend to be. But if I beat someone up with questions about their corporate policy, yeah, very rarely do I have someone who is in a position in those companies to change that policy, and they're certainly not authorized to speak on the record about those things.

So, I can beat them up on it, they can say, “I can't answer that,” and we're not going to go anywhere. What is the value of that? It looks like it's not just gotcha journalism, but ineffective gotcha journalism. It doesn't work that way. And that's never been what this show is about.

But there's that consistent effort behind the scenes of making sure that people will be entertained, will enjoy what they're seeing, but also are not going to deeply regret giving me a microphone, has always been the balancing act, at least for me. And I want to be clear, my style is humor. It is not for everyone. And my style of humor has a failure mode of being a jerk and making people feel bad, so don't think that my path is the only or even a recommended way for folks who want to get more into speaking to proceed.

Wesley: You also mention, though, about, like, punching up versus punching down. And if you really tear down a company after you've been invited to speak, what you're doing is you're punching down at the person who booked you. They're not the CEO; they're not the owner of the company; they're the person who's in charge of running an event or booking speakers. And so, putting that person and throwing them under the bus is punching down because now you're threatening their livelihood, and it doesn't make any marked difference in terms of changing the corporate's values or how they execute. So yeah, I totally agree with you in that one.

And, like you were saying before, if there's a company you really thought was abhorrent, why speak there? Why give them or lend your reputation to this company if you absolutely feel that it's something you don't want to be associated with? You can just choose not to do that.
For me, when I look at speaking, it is important for me to really think about why I'm speaking as well. So, not just the company who's hiring me, but the audience that I'll be serving.

So, if I'm going to help with inspiring the next generation of developers, or helping along the thought of how to make the world a better place, or how people themselves can be better people so that we can just change the landscape and make it a lot friendlier, that is also its own… form of compensation and not just speaking for a speaker's fee. So, I do agree that you need to not just be super Negative Nancy, and try to fight all fights. You need to embrace some of the good things and try to make more of those experiences good for everyone, not just the people who are inviting you there, but the people who are attending. And when I started speaking, I was not a good speaker as well. I made a lot of mistakes, and still do, but I think speaking is easier than some people think and if someone truly wants to do it, they should go ahead and get started.

What is the saying? If something is truly important, you'll be bad at it [laugh] and you'll be okay with it. I started speaking because of my role as a developer advocate. And if you just do a Google search for ‘CFPs,’ you can start speaking, too. So, those who are not public speakers and want to get into it, just Google ‘CFP’ and then start applying.

And then you'll get better at your submissions, you'll get better at your slides, and then once you get accepted, then you'll get better at preparing, then you'll get better at actually speaking. There's a lot of steps between starting and stopping and it's okay to get started doing that route. The other thing I wanted to point out is I feel public speaking is the equivalent of lifting your own bodyweight. If you can do it, you're one of the small few of the population that is willing to do so or that can do it.
If you start public speaking, that in itself is an accomplishment and an experience that is something that is somewhat enriching. And being bad at it doesn't take the passion away from you. If you just really want to do it, just keep doing it, even if you're a bad speaker.

Corey: Yeah. The way to give a great talk is because you have a bunch of terrible talks first.

Wesley: Yeah. And it's okay to do that.

Corey: And it's not the entirety of community. It's not even a requirement to be involved with the community. If you're one of those people that absolutely dreads the prospect of speaking publicly, fine. I'm not suggesting that, oh, you need to get over that and get on stage. That doesn't help anyone. Don't do the things you dread doing because you know that it's not going to go well for you. That's the reason I don't touch actual databases. I mean, come on, let's be realistic. I will accidentally the data, and then we won't have a company anymore. So, I know what things I'm good at and things I'm not. I also don't do hostage negotiations, for obvious reasons.

Wesley: And also, here's a little, like, secret tip. If you really want to do public speaking and you start doing public speaking and you're not so good at it from other people's perspective, but you still love doing it and you think you're getting better, doing public speaking is one of those things where you can say that you do it and no one will really question how good you are at it. [laugh]. If you're just in casual conversation, it's like, “Hey, I wrote a book.” People are like, “Oh, wow. This person wrote the book on blah, blah, blah.”

Corey: It's a self-published book that says the best way to run Kubernetes. It's a single page; it says, “Don't.” In 150-point type. “The end.” But I wrote a book.

Wesley: Yeah.

Corey: Yeah.

Wesley: People won't probe too much, and it'll help you with your development. So, go ahead and get started.
Don't worry about doing that thing where, like, I have to be the best before I can present it. Call yourself a public speaker. Check, done.

Corey: Always. We are the stories we tell, and nowhere is it more true than in the world of public speaking. I really want to thank you for taking the time out of your day to speak with me about this for a second time in a single year. Oh, my goodness. If people want to learn more about what you're up to, where can they find you?

Wesley: I'm on Twitter, @wesley83 on Twitter. And you can find me also on Polywork. So, polywork.com/wesley83. Or just go to wesleyfaulkner.com, which redirects you there. I list pretty much everything that I am working on, and any upcoming speaking opportunities, hopefully when they release that feature, will also be on that Polywork page.

Corey: Excellent. And of course, I started Polywork recently, and I'm at thoughtleader.cloud because of course I am, which is neither here nor there. Thank you so much for taking the time to speak about this side of the industry that we never really get to talk about much, at least not publicly and not very often.

Wesley: Well, thank you for having me on the show. And I wanted to take some time to say thank you for the work that you're doing. Not just elevating voices like myself, but talking truth to power, like we mentioned before, but being yourself and being a great representation of how people should be treating others: being honest without being mean, being snarky without being rude. And other companies and other people who've given me a chance, and given me a platform, I wanted to say thank you to you too, and I wouldn't be here unless it was people like you acknowledging the work that I've been doing.

Corey: All it takes is just recognizing what you're doing and acknowledging it. People often want to thank me for this stuff, but it's just, what, for keeping my eyes open?
I don't know, I feel like it's just the job; it's not something that is above and beyond any expected normal behavior. The only challenge is I look around the industry and I realize just how wrong that impression is, apparently. But here we are. It's about finding people doing interesting work and letting them tell their story. That's all this podcast has ever tried to be.

Wesley: Yeah. And you do it. And doing the work is part of the reward, and I really appreciate you just going through the effort. Even having your ears open is something that I'm glad that you're able to do, to at least know who the people are who are making noises, or making noise to raise their profile up, and then in turn sharing that with the world. And so, that's a great service that you're providing, not just for me, but for everyone.

Corey: Well, thank you. And as always, thank you for your time. Wesley Faulkner, Head of Community at SingleStore. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with a rambling comment telling me exactly why DevRel does not need success metrics of any kind.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.

Announcer: This has been a HumblePod production. Stay humble.