Podcasts about Sast

village in North Khorasan, Iran

  • 126 PODCASTS
  • 1,269 EPISODES
  • 48m AVG DURATION
  • 5 WEEKLY NEW EPISODES
  • Jun 15, 2026 LATEST

Latest podcast episodes about Sast

Telecom Reseller
Checkmarx on Next-Generation SAST and the Channel Opportunity, Podcast

Jun 15, 2026 · 11:45


By Doug Green “AI is generating code, but it's not generating secure code.” In this episode of the Technology Reseller News podcast, Doug Green speaks with Jonathan Kozimor, Vice President of Channel Americas at Checkmarx, about the company's next-generation SAST engine and the growing opportunity for MSPs and channel partners in application security. Kozimor says software development has changed dramatically. Developers are producing more code, AI is accelerating that process, and traditional security models are struggling to keep up. The old approach of writing code, scanning it, and fixing issues later is no longer enough. Checkmarx's new SAST engine is designed to reduce noise, false positives, and lack of context by helping teams focus on the vulnerabilities that matter most. “The industry does not need more vulnerability data,” Kozimor says. “Security teams already have plenty of findings. What they need is intelligence, and they need faster fixes.” The podcast also explores findings from recent Checkmarx research, including the gap between security awareness and execution. Kozimor notes that many organizations understand the risks, but still struggle to operationalize security at the speed of modern development. Looking ahead, Kozimor says AppSec must become more automated, more intelligent, and more deeply embedded in the development lifecycle. AI will play a role, but it must be paired with governance, security policy, and human oversight. For channel partners, the opportunity is clear. Customers need help modernizing AppSec, managing change, and embedding security into development workflows without slowing innovation. “This is where the partner ecosystem is fundamental to customer success,” Kozimor says. Learn more at www.checkmarx.com

Paul's Security Weekly
Scanner Results Are a Starting Point. Here's What Comes Next. - Federico Kirschbaum - ASW #386

Jun 9, 2026 · 76:23


Most AppSec teams are working through more findings than their teams can validate. SAST surfaces thousands of potential issues. DAST generates alert volume that outpaces triage capacity. Somewhere in that output are the vulnerabilities that matter, the ones that are actually exploitable in production. This conversation explores why automated testing often stops short of the hardest part of the job: proving what is real. We dig into how business logic flaws and authorization vulnerabilities get missed by tools that scan without reasoning, what exploit validation looks like at runtime, and how security engineers are shifting toward findings that developers will actually act on. The segment is sponsored by XBOW. Visit https://securityweekly.com/xbow to see how autonomous AI pentesting delivers expert-quality findings in hours with real exploit validation your team can actually act on. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-386

Paul's Security Weekly TV
Scanner Results Are a Starting Point. Here's What Comes Next. - Federico Kirschbaum - ASW #386

Jun 9, 2026 · 76:23


Most AppSec teams are working through more findings than their teams can validate. SAST surfaces thousands of potential issues. DAST generates alert volume that outpaces triage capacity. Somewhere in that output are the vulnerabilities that matter, the ones that are actually exploitable in production. This conversation explores why automated testing often stops short of the hardest part of the job: proving what is real. We dig into how business logic flaws and authorization vulnerabilities get missed by tools that scan without reasoning, what exploit validation looks like at runtime, and how security engineers are shifting toward findings that developers will actually act on. The segment is sponsored by XBOW. Visit https://securityweekly.com/xbow to see how autonomous AI pentesting delivers expert-quality findings in hours with real exploit validation your team can actually act on. Show Notes: https://securityweekly.com/asw-386

Application Security Weekly (Audio)
Scanner Results Are a Starting Point. Here's What Comes Next. - Federico Kirschbaum - ASW #386

Jun 9, 2026 · 76:23


Most AppSec teams are working through more findings than their teams can validate. SAST surfaces thousands of potential issues. DAST generates alert volume that outpaces triage capacity. Somewhere in that output are the vulnerabilities that matter, the ones that are actually exploitable in production. This conversation explores why automated testing often stops short of the hardest part of the job: proving what is real. We dig into how business logic flaws and authorization vulnerabilities get missed by tools that scan without reasoning, what exploit validation looks like at runtime, and how security engineers are shifting toward findings that developers will actually act on. The segment is sponsored by XBOW. Visit https://securityweekly.com/xbow to see how autonomous AI pentesting delivers expert-quality findings in hours with real exploit validation your team can actually act on. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-386

Application Security Weekly (Video)
Scanner Results Are a Starting Point. Here's What Comes Next. - Federico Kirschbaum - ASW #386

Jun 9, 2026 · 76:23


Most AppSec teams are working through more findings than their teams can validate. SAST surfaces thousands of potential issues. DAST generates alert volume that outpaces triage capacity. Somewhere in that output are the vulnerabilities that matter, the ones that are actually exploitable in production. This conversation explores why automated testing often stops short of the hardest part of the job: proving what is real. We dig into how business logic flaws and authorization vulnerabilities get missed by tools that scan without reasoning, what exploit validation looks like at runtime, and how security engineers are shifting toward findings that developers will actually act on. The segment is sponsored by XBOW. Visit https://securityweekly.com/xbow to see how autonomous AI pentesting delivers expert-quality findings in hours with real exploit validation your team can actually act on. Show Notes: https://securityweekly.com/asw-386

Zināmais nezināmajā
The corncrake - an integral part of the Latvian rural landscape. Yet the birds are becoming ever fewer

Jun 3, 2026 · 3:41


"In my opinion, at Jāņi (Midsummer) anyone in Latvia can still hear a corncrake even today, but you have to listen to nature. The fact that a person has not heard a corncrake indicates that they listen to nature too little," says Oskars Keišs, doctor of biology and representative of the Latvian Ornithological Society. "The corncrake is an integral part of the Latvian rural landscape. Yet nowadays things are rather poor for the corncrake, both literally and figuratively."

"Many myths about the corncrake are widespread. Since people practically never see the corncrake, even the scientific literature of old times stated that the corncrake walks to its wintering grounds on foot. But that, of course, is not so. The corncrake flies. Perhaps it does not fly as well as those outstanding fliers, swallows and swifts, and, of course, it flies quite long distances and winters in Central Africa," Oskars Keišs continues.

The corncrake is one of the last migratory birds to return to us. The corncrake nests on the ground. It lays 8 to 12 eggs, which indicates that the corncrake has adapted to high mortality. Just like ducks.

People have usually heard the voice of the male corncrake, but not the corncrake's other calls. Females and chicks also have voices: squeaks that resemble the call of the yellow wagtail.

The corncrake came to Latvia together with humans, because before the age of agriculture the corncrake lived only in the steppe zone, where there are no forests, since the corncrake is not a forest bird. The corncrake is a bird of open fields.

"For a long time the corncrake coexisted with humans' extensive farming. But since the introduction of the mechanical mower, the corncrake has had a hard time in Europe. In England, for example, it has disappeared and a reintroduction programme is under way. The corncrake cannot escape the mowers, especially when everything is mown at once. If mowing were done gradually, the corncrake could flee. When, 100 years ago, all the meadows were mown slowly, the meadow that had been mown first was already suitable enough for the corncrake to hide there again. Modern machinery allows everything to be mown in 2-3 days. What the mowers do not cut down is eaten by various predators," explains Oskars Keišs.

Meadows that would be a suitable habitat for the corncrake are also becoming ever fewer. The conversion of agricultural land into arable land is unsuitable for many species.

Application Security PodCast
Josh Grossman--AI & SAST: Is it a match?

Jun 2, 2026 · 40:29


AI coding tools are accelerating development fast, but they're also exposing the limits of traditional AppSec tooling. Josh Grossman, CTO of Bounce Security and longtime AppSec consultant, joins the podcast to break down AGHAST, his new open-source security tool that combines static analysis with AI to uncover business logic flaws and authorization issues that traditional scanners miss.

FOLLOW OUR SOCIAL MEDIA:
  • Twitter: @AppSecPodcast
  • LinkedIn: The Application Security Podcast
  • YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

Resilient Cyber
Securing the Agentic SDLC

May 29, 2026 · 49:24


In this episode of Resilient Cyber, I sit down with Katie Norton, Research Manager for DevSecOps and Software Supply Chain Security at IDC, to unpack what application security looks like as AI moves from copilot to autonomous teammate across the software development lifecycle. We dive into:

Piespēle
In the "hockey spring" we talk about basketball. Valmiera team coach Kaspars Vecvagars

May 24, 2026 · 47:28


This time on Piespēle: local club basketball. In the season just ended, the "Valmiera" team competed in four tournaments and triumphed in three of them. The Vidzeme club won the Latvian Cup and the Latvian-Estonian League championship title, and also triumphed in the Latvian Basketball League. The team's head coach was Kaspars Vecvagars, who ended his playing career only three years ago and became head coach of the Valmiera team in the middle of last year. For Vecvagars this was his first season as head coach of any team.

In the selection of the week's events: the Latvian national hockey team continues its fight for the quarter-finals at the World Championship, with losses to Austria and Finland and wins over the USA and Great Britain; long-time Latvian basketball flagship "VEF Rīga" dismisses head coach Mārtiņš Gulbis, who is replaced by Jevgēnijs Kosuškins; the football World Cup finals are approaching: Cristiano Ronaldo has been included in Portugal's squad, and in June he and Argentina's national team symbol Lionel Messi will become the first footballers in history to have taken part in six World Cup finals. Many favourites are naming their squads, including Germany and England.

Radio mazā lasītava
"Viena mūža grāmata" ("The Book of One Lifetime"). The life of poet and diplomat Jānis Peters in 1072 pages

May 17, 2026 · 35:31


".. it would be enough if he were only a poet. It would be enough if he were only an essayist. It would be enough if he were only the father of our Awakening. It would be enough if he were only a founder of the Popular Front," Māra Zālīte once said of Jānis Peters in the documentary film "Jānis Peters un mūsu laiks" ("Jānis Peters and Our Time").

The golden cover of the just-published, very thick (1072 pp.) book "Viena mūža grāmata. Jānis Peters. Dzejnieks. Diplomāts. Cilvēks" ("The Book of One Lifetime. Jānis Peters. Poet. Diplomat. Person") bears a work by Vitolds Svirskis with a portrait of the poet, while the lines placed in the afterword by the book's compiler, Inita Saulīte-Zandere, "Keep the heavens in force even when they do not exist at all", come from the last poem of the lifetime selection chosen by the poet, which he asked to have set in bolder type. The poet himself approached Inita Saulīte-Zandere to compile the book, because he liked her "Elegantā Rīga", and the publishing house "Aminori", because he liked the book about Juris Jurjāns.

In 2024 the poet himself compiled the lifetime selection of his poems, "Savu balsi meklējot" ("Searching for One's Own Voice"); it is now part of the thick book of one lifetime. The rest: publications, excerpts from other editions, memories, and what the poet himself wrote and emphasised; for example, his collaboration with the Puppet Theatre and his involvement in cinema may come as a revelation to many. He is "a poet drafted into the revolution", because during the years spent in public activity and diplomacy he wrote practically no poetry.

"Viena mūža grāmata. Jānis Peters. Dzejnieks. Diplomāts. Cilvēks". Compiled by Inita Saulīte-Zandere, published by "Aminori". He himself did not live to see the book, however, as he passed away in 2025.

The programme is supported by:

DevSecOps Podcast
#08 - 02 - M.A.R.I.A. innovation in AppSec

May 14, 2026 · 54:36


Most AppSec programs are drowning in findings, dashboards, scanners, CVEs, SLAs and reports that nobody can stand to read any more. The problem is not a lack of tools. The problem is a lack of context, correlation and intelligence to understand what really matters.

In this episode, I present M.A.R.I.A., the Management Application Risk Integrated Analysis, a platform created to act as a risk-intelligence layer in Application Security. M.A.R.I.A. was not born to be yet another scanner. It was born to answer questions that traditional tools usually ignore: which application is really at risk? Which vulnerability deserves attention now? Which team needs help? Which change increased the risk of the environment?

The proposal is simple and ambitious: connect data from SAST, DAST, SCA, IaC, Secret Scan, pipelines, repositories, business context and real exposure to turn noise into decisions. Because at the end of the day, AppSec should not be a ticket factory. It should be an intelligent prioritization system to protect what matters.

In this episode, I talk about:
  • Why scanners alone do not solve AppSec
  • The real problem behind the excess of vulnerabilities
  • The difference between dashboard, ASPM and risk intelligence
  • How M.A.R.I.A. intends to correlate technical context and business context
  • Where risk, exposure, criticality, SLA, security debt and Security Champions come in
  • Why AppSec needs to leave "list of problems" mode and enter "decision-making" mode

An episode for anyone who is tired of measuring security by the number of findings and wants to start discussing real risk.

Become a supporter of this podcast: https://www.spreaker.com/podcast/devsecops-podcast--4179006/support.

Supported by: Nova8, Snyk, Conviso, Gold Security, Digitalwolk and PurpleBird Security.

DevSecOps Podcast
#08 - 01 - SpecOps with AI - The new normal

May 6, 2026 · 50:19


Everyone talks about DevSecOps. Everyone talks about AI. But almost nobody has connected the dots the right way yet. In this episode, we enter territory that is starting to separate those who merely use tools from those who really understand the game: SpecOps with AI. And no, this is not about one more pretty YAML or documentation nobody reads. It is about turning specifications into something alive. Something that defines the system before the code exists… and keeps it from going off the rails afterwards.

The conversation covers:
  • why "finding-based security" no longer scales
  • how AI can validate intent, not just code
  • the direct conflict between vibe coding and real governance
  • how specs can become automatic enforcement in the pipeline
  • and what changes when security stops being a checklist and becomes a contract

We also bring this into the real world:
  • how to integrate this with current pipelines
  • where tools like SAST and SCA come in (and where they stop being sufficient)
  • and how this model can evolve into something much closer to risk-driven security

If you are still measuring security only by the number of vulnerabilities, this episode will make you uncomfortable. In the right way.

Become a supporter of this podcast: https://www.spreaker.com/podcast/devsecops-podcast--4179006/support.

Supported by: Nova8, Snyk, Conviso, Gold Security, Digitalwolk and PurpleBird Security.

Kā labāk dzīvot
At "Vecjērūži" in Taurene parish, the Latvian flag on the mast is an integral part of everyday life

May 4, 2026 · 43:19


We visit the farm "Vecjērūži" in Taurene parish, Cēsis municipality, where the Latvian flag on the mast is not just a festive attribute but an integral part of everyday life. This is a story about pride, roots and farming under Latvian skies. We talk with Inga Ozola and her brother Māris Ozols.

Application Paranoia
AP_EP87 Platform vs Precision — Is Security Getting Simpler or Just More Abstract?

Apr 27, 2026 · 33:14


In Episode 87 of Application Paranoia, Colin Bell is joined by Rob Cuddy and Kris Duer to unpack the industry's growing push toward security platform consolidation.

Are customers really asking for fewer tools, or are vendors shaping the narrative? Is consolidation improving security outcomes, or simply making complexity easier to explain to executives, boards, and auditors?

The team also discusses AI-generated code, customer questions from the field, SAST analysis choices, data flow, false positives, and Kris's take on AI fear-based marketing.

Plus: NPC streaming, Second Life hacking nostalgia, golf season, proactive SCA monitoring, and a quick preview of Colin and Kris's upcoming webinar on AI-assisted development.

Webinar: Join Colin and Kris on 6 May for a discussion on how AI is changing how code gets written, trusted, validated, and approved. Register here: https://www.linkedin.com/events/7449460461881704448/

Resilient Cyber
AI and the Future of Secure Coding

Apr 16, 2026 · 23:51


What happens to application security when AI agents start writing most of the code?

Jack Cable knows both sides of this problem better than almost anyone. As a Senior Technical Advisor at CISA, he helped architect the Secure by Design initiative that challenged the entire software industry to stop shipping insecure products and expecting customers to clean up the mess. Now, as the founder of Corridor, he's building at the center of a question that didn't exist two years ago: how do you govern, secure, and trust code that no human wrote?

In this episode, Jack walks us through the journey from federal cybersecurity policy to startup founder, and why he believes we're at an inflection point that makes everything before it look manageable. We talk about why a decade of shift-left never actually fixed the vulnerability backlog, and why the rise of coding agents, Cursor, Claude Code, Codex, and the internal tools enterprises are quietly building, is about to make that backlog look quaint.

Jack makes the case for a new category he's helping define called Agentic Security Coding Management, and explains what separates it from the SAST tools and ASPM platforms security teams already have. We get into the uncomfortable duality of AI as both the source of the problem and the proposed solution, the frontier labs showing up in AppSec with unclear intentions, and the market confusion that's leaving CISOs struggling to tell real governance from repackaged scanning.

We spend the back half of the conversation on the hard questions. What does real governance of AI-generated code actually look like when thousands of developers are running agents in parallel? Is it policy enforcement at the agent level, provenance tracking, runtime attestation, or something nobody has built yet? And drawing on his time at CISA, Jack shares where he sees regulation heading: liability frameworks, mandatory disclosure, and what happens if we get the policy either too heavy or too absent at the exact wrong moment.

Whether you're a CISO trying to get ahead of this, a founder building in the space, or a developer watching your workflow transform in real time, this is the conversation that frames where AppSec goes from here.

DevSecOps Podcast
#07 - 16 - AppSec in the future of AI

Apr 15, 2026 · 48:59


AI is not going to "impact" AppSec. It is going to swallow whoever is standing still. In this episode, the conversation is direct: what is left for those who work in Application Security when AI starts writing code, reviewing pull requests, generating architecture and even fixing vulnerabilities on its own? Spoiler: the game changes completely.

We talk about the end of checklist-based operational AppSec and the birth of a new profile. Less executor, more strategist. Less tooling, more context. You will understand how SAST, DAST and SCA lose prominence in isolation and become just signals within a larger system, driven by real risk and automated decisions.

We also explore the uncomfortable side: AI generating vulnerabilities at scale, increasingly opaque pipelines and the risk of blindly trusting "intelligent fixes" that nobody has really reviewed. If you are still focused on running tools and opening tickets, this episode will hurt. And that is exactly why you need to listen.

You will come away with a clear view of where the profession is heading:
  • The AppSec Engineer becomes a "Risk Engineer"
  • Threat modeling stops being an event and becomes a continuous flow
  • Security becomes code, context and decision in real time
  • AI stops being a tool and becomes part of the problem and of the solution

The future does not need more people running scans. It needs people who understand what really matters when everything starts running on its own.

Become a supporter of this podcast: https://www.spreaker.com/podcast/devsecops-podcast--4179006/support.

Supported by: Nova8, Snyk, Conviso, Gold Security, Digitalwolk and PurpleBird Security.

Pa ceļam ar Klasiku
Chamber ensemble "Ornamentium" - beyond the bounds of classical line-ups

Apr 9, 2026 · 24:53


On 11 April at the Mārupe Music and Art School, the concert "Pārmaiņu pastaiga" ("A Walk of Change") will offer a chance to get to know the ensemble "Ornamentium", which consists of five musicians: Ella Elīze Viļumsone (soprano), Darja Baranova (flute), Varvara Steķe (oboe), Anete Dane (piano) and Karīna Mazūra (percussion).

The concert will feature the premiere of the cycle "Gadalaiki" ("The Seasons"), which consists of Alma Kalniņa's "Saules atspulgs", Pols Bernots's "Vasariņa", Tabita Balode's "Rest is as good as sleep - nepieradināts. Rudens", Gita Rebeka Adlere's "Ziema - variācijas ledus hallē" and Lauma Kazāka's "Gadalaiki Emīlijas Dikinsones dzejā". The concert programme also includes works by Norwegian composer Ståle Kleiberg and German Baroque master G. F. Telemann. The concert will also be complemented by an exhibition of paintings by the artists Maija Arvena, Pēteris Jansens, Ilze Pavāre and Augusts Zariņš, in which the works on view reflect the moods of the seasons.

In conversation with ensemble members Darja, Anete and Karīna: about the ensemble's birth a year ago and its creative achievements so far, the meaning behind its name, its interest in works created by contemporaries, the surprises and challenges provided by young composers, and the interplay of music and art.

Pa ceļam ar Klasiku
Conductor Māris Kuģis: A programme for children is a much greater challenge

Mar 13, 2026 · 20:20


On Saturday, 14 March, at the Riga Congress Hall (Rīgas Kongresu nams), the Latvian National Symphony Orchestra has prepared for its youngest listeners and their families the musical show "LeNeSOns apmeklē teātri" ("LeNeSOns Visits the Theatre"), in which, together with conductor Māris Kuģis and actors of the Dailes Theatre 10th studio (Eduards Rediko, Agate Grīnhofa, Katrīna Altenburga and Ralfs Puzāns), it will perform well-known melodies from various theatre productions and operas.

In conversation with conductor Māris Kuģis: about the challenges of preparing and conducting a concert for young listeners, and also building a bridge to 25 March, when Māris Kuģis will take the conductor's stand of Orchestra "Rīga" in the concert "Aizturētā elpa" ("Held Breath"). The concert's title is borrowed from Indra Riše's 2000 opus for clarinet quartet, which is included in the programme. Also to be heard are J. S. Bach's Fantasia and Fugue in C minor, D. Shostakovich's Chamber Symphony in an arrangement for wind instruments, as well as works by E. Whitacre and K. Nystedt.

About the events expected on 14 March, Māris Kuģis reveals: "When putting together a programme for a concert like this, many additional factors come into play that have to be considered: that the pieces are not too long, that they are not the kind that adults would find easier to take in, for example slow, quiet music. For children it is a much greater challenge, and that has to be thought about. Two years ago, when I conducted LeNeSOns, there were moments when the children's chatter and exclamations of delight could be heard. I must admit, though, that back then it took place at Hanzas perons, where the layout was a little different. The Congress Hall, after all, has a more fitting concert-hall arrangement. There will be very varied music, the kind that, it seems to me, will really appeal to both the young and the adults. Several musicians also came up to me and said how happy they are about this particular programme, having invited all the children of relatives they possibly could (laughs). I am truly delighted, and I am looking forward to tomorrow with impatience."

Absolute AppSec
Episode 314 - LLM AppSec Disruption, Limitations of AI in Security, AppSec Oversight

Feb 24, 2026


In this episode, the hosts discuss the seismic shift in the application security landscape triggered by the rise of Large Language Models (LLMs) and Anthropic's "Claude Code". They highlight the massive economic repercussions of these AI advancements, noting that billions in market value were wiped from traditional cybersecurity stocks as investors begin to believe frontier models might eventually write perfectly secure code. The hosts critique the industry's historical reliance on "checkbox" compliance tools like SAST, DAST, and SCA, arguing that these "archaic" methods are being replaced by AI-native strategies capable of reasoning through complex logic flaws. While they acknowledge that AI can suffer from "reasoning drift" and still requires deterministic validation to avoid false positives, they emphasize that security professionals must adapt by building custom "skills" and focusing on governance and observability. The discussion concludes that as developers move to "AI speed," the traditional role of the AppSec professional is evolving into a "Jarvis-like" orchestrator who manages automated workflows and infuses institutional knowledge into AI agents to maintain oversight without slowing down production.

Kultūras Rondo
Guntars Godiņš has compiled and translated an anthology of contemporary Estonian poetry

Feb 20, 2026 · 22:01


Guntars Godiņš has compiled and translated the anthology of contemporary Estonian poetry "Man pietiks ar Latviju" ("Latvia Will Be Enough for Me") and has also remained faithful to the Estonian poet Contra in the collection "Lecamaukla". Guntars Godiņš is a guest in the studio; Contra joins the conversation remotely.

The anthology of contemporary Estonian poetry "Man pietiks ar Latviju", which includes works by fourteen poets, has been published in the series "Orbītas bibliotēka". The anthology represents authors of different generations, from the middle generation to the very youngest, in order to reflect as full-blooded a picture of contemporary Estonian poetry as possible.

The anthology includes works by 14 poets. The authors represented: Triin Soomets, Jürgen Rooste, Kruusa Kalju, Mart Kangur, Carolina Pihelgas, Jüri Kolk, Sveta Grigorjeva, Berit Kaschan, Tõnis Vilu, Piret Põldver, Triin Paja, Reijo Roos, Maarja Pärtna, Riste Sofie Käär.

The launch celebration of Contra's collection "Lecamaukla" will be on 20 March at the Riga Book Festival (Rīgas grāmatu svētki), where both Guntars Godiņš and Contra can be met. The collection is published by "Pētergailis". The launch event for the anthology of contemporary Estonian poetry will be on 29 April at the Embassy of Estonia in Latvia.

The DevOps Kitchen Talks's Podcast
DKT88 - DevOps Mock interview #6 (Senior/Lead DevOps engineer)

Jan 31, 2026 · 131:22


Another mock interview on the channel! Today's guest is Sasha (not the CTO), a Senior DevOps Engineer, with whom we go through the entire development cycle: from CI/CD design to troubleshooting in Kubernetes. Lots of practice, live coding and architecture questions. Listen, remember the questions, and drop by Patreon/Boosty for the breakdown!

Vai zini?
Did you know that lakes are said to have once flown through the air?

Jan 15, 2026 · 4:47


Told by archaeologist Jānis Meinerts, researcher at the Latvian Academy of Culture (LKA). Material prepared by Ieva Vītola, LKA lead researcher and researcher of traditional culture and folklore. Producer: Gita Lancere.

That lakes flew through the air is told in Latvian folk legends recorded almost everywhere in Latvia; admittedly not about all the lakes of our land, and yet about very many. For example, a legend about Lake Sauka was recorded in Sēlija in 1939; together with hundreds of other legends of this type it is now kept in the Archives of Latvian Folklore (Latviešu folkloras krātuve):

In ancient times there were fields and houses where Lake Sauka now lies. One day three girls were washing laundry. That day there was a very thick fog. One girl raised her head and said: "What is hissing and roaring here?" The second said: "Why, it is a lake flying through the air!" The third girl guessed the name and began to sing: "Settle down, little Lake Sauka, here are good fields!" The lake came down and flooded the whole surroundings. All three washerwomen drowned as well. The great waves of the lake washed out some of the house's logs, so that it would be known that there was once an inhabited place. (LFK 1654, 7081)

The legend motif of a flying lake that chooses a place and, settling on the ground, floods houses and drowns people is very characteristic of the folklore of Latvia's lakes. Lake folklore is made up not only of legends and tales; the names of lakes and the various microtoponyms given to lake bays, shoals and islands also reveal the heritage preserved and passed on by the people living on the lakeshores.

Legends about lakes most often tell of their origin. Folklore researchers have classified them as origin, or etiological, legends. These are narratives handed down from generation to generation that tell of how various phenomena and objects came into being. For example, Latvian folklore knows legends that tell how the sun, moon, earth, stones, bogs, rivers and also lakes once arose. Legends about flying lakes often begin with the words "long ago", "in ancient times", "once", "when the world came into being" and the like.

The plot of the flying-lake legends is mostly as follows: it happened at the place where the lake now lies; there, usually, girls were beating (i.e. washing) laundry, livestock was being grazed, a field ploughed, hay mown or a wedding celebrated. At that moment a lake was flying through the air and approaching like a large, dark storm cloud and, when someone cried out, guessing or mentioning the lake's name, it fell down to the ground, flooding houses, villages or a whole valley and most often also drowning people and livestock.

In several legends about lakes their flight routes can be traced: for example, the already mentioned Lake Sauka is said to have flown in from the Strubenču bog in Sēlpils parish (nine legends about this have been recorded) or from the Stukmaņu Gnēvja bog (five legends tell of this). Lake Alauksts, in turn, arrived in the picturesque landscape of Piebalga from the direction of Alūksne; some legends even mention that Alauksts was the son of Lake Alūksne. According to the legends, things did not go easily for Alauksts with its chosen dwelling place; it had to fight another flying lake, Inesis. As the legend tells, "both wanted to lie in the same place. They began to quarrel. Inesis gave Alauksts seven slaps and Alauksts gave Inesis one slap. Since that time Alauksts has seven islands, but Inesis has one island." (LFK 968, 2582)

The flying-lake legends tell not only of the origin of a lake's islands; often the origin of the lake's name is explained as well. For example, the following legend has been recorded about Lake Ušurs:

Where Lake Ušurs now ripples, there was once a farmstead. One day two tailors went to this farmstead looking for work. The farmer gave them some. The tailors were very glad and immediately set about sewing. The room was very warm, and they went out into the apple orchard to cool off under the leafy apple trees. But then, out of nowhere, the farmer's pig began rubbing itself against the legs of the tailors' table. The tailors began to shout: "Uš! Uš! Uš! Come, farmer!" At that, a great rain cloud fell upon the farmstead. A lake arose and drowned everyone. Only the tailors were saved. The tailors named the lake Ušu ezers. Years later the people of the area began to call the lake Ušuru ezers. (LFK 17, 9882)

The teika (folk legend) is a folklore genre similar to the fairy tale, legend or tale, which seeks to explain the origin of various objects and phenomena. In connection with such legends the question always arises: how large a kernel of truth is there in these folk texts? Did lakes really once fly through the air and flood houses and places inhabited by people? Are there really holes in hillforts through which a duck let in can swim out in the neighbouring pond?

Folklore researchers consider legends to be one of the most diverse in content of the genres of Latvian narrative folklore, a characteristic feature of which is their informative nature. In legends one can encounter information about past reality, and evidence of people's lives, significant places and events.

Given that references and a link to reality can be found in legends, this is a folklore genre to which researchers from other branches of science, including archaeologists, have also paid attention in their studies. Thus, in the 1950s-60s, relying on the references found in legends to flying lakes that drowned houses and flooded villages and manors, archaeologist Jānis Apals began a systematic survey of Latvia's lakes, discovering in ten Vidzeme lakes a previously unknown type of archaeological monument: lake dwellings.

More about the flying-lake legends can be read in:
  • Latviešu tautas teikas. Izcelšanās teikas. Comp. A. Ancelāne. 1991.
  • Latviešu pasakas un teikas. Volume XV. Comp. P. Šmits. 1937. Also available at: http://valoda.ailab.lv/folklora/pasakas/saturs.htm
  • Latviešu tautas teikas un pasakas. VII, Volume I. Comp. A. Lerhs-Puškaitis. 1903. Also available at: https://www.digitalabiblioteka.lv/?id=oai:the.european.library.DOM:420020&creatorATS=111998&all=1&of=4-10
  • Urtāns J. Augšzemes ezeri. Arheoloģija un folklora. 2008

FaceOff Podkāsts
Masaļskis, the up-and-coming hack journalist of the year, and our Olympic roster | FaceOff Podkāsts

FaceOff Podkāsts

Jan 8, 2026 65:41


The Trīs zvaigžņu balva (Three Stars Award) has come and gone and we didn't get the hack journalist of the year award, but we did find out our Olympic roster. Masaļskis is also back with inside info on the U-20! Fenikss: now also online https://fenikss.lu/

Radio mazā lasītava
"Dravnieku māju stāsti": a book of memoirs about four Druviena families

Radio mazā lasītava

Dec 28, 2025 30:50


The handwritten memoirs of his grandfather's brother, Alfrēds Drulle, about a childhood in the Druviena area came into the hands of Ivars Drulle. It was not the original, though, as that had been lost. What had survived to the present day was a photocopy with blurry, poor-quality pictures, yet it was the start of a book. Then local historian Nils Treijs set to work, untangling genealogies and events and searching for forgotten place names and for people known and unknown. "Dravnieku māju stāsti" (Stories of the Dravnieki Farmsteads) is the Drulles, Debesnieki, Tocupi and Kučuri of Druviena sharing their memories; Alfrēds Drulle's memoirs are joined by the memoirs of Ērika Zvejniece and Arturs Tocups preserved in the museum, the memoirs of Ēriks's mother Alise Debesniece and an essay on Kārlis Kučuris, to give a fuller picture of the era in Druviena. The book has now been supplemented with cultural-historical commentary, photographs and maps. Compiler and commentary author Nils Treijs writes: "Today, just as in earlier times, four 'Dravnieki' farmsteads stand in the eastern part of Druviena parish: three of them right on the bank of the Tirza river, and one a little further from the rest, on the other side of the Grotes-Druvienas highway. The name of the farmsteads is connected with the oldest occupation of the local inhabitants: dravniecība (wild-hive beekeeping)." The book was published by Druvienas Vecā skola-muzejs (Druviena Old School Museum) with the support of Latviešu vēsturiskās zemes (Latvian Historical Lands), the Vidzeme Planning Region, Gulbene municipality and the State Culture Capital Foundation. The programme is supported by:

csúnyarosszmajom
#272 - Defending against the eagle by fainting like an ibex

csúnyarosszmajom

Dec 25, 2025 88:56


What do we think of Nóra Ördög hosting the Mészáros group's Christmas party, how long would it take humanity to get used to the sight of large spheres appearing in the sky, do you have to shower in swimming trunks to avoid fighting a burglar naked, does criticism wrapped in a sandwich work, why are there no surprise parties any more, what is the evolutionary benefit of goats that topple over, are 1-2 packet soups a month acceptable, which was the Hungarian album of the year, who was the person of the year, how can you put up with your boyfriend who tells bad jokes, can a sense of humour be developed, is there still a place for beauty pageants, what can you achieve by whining, do you have to cut off split ends, what can a father do to make his fifth-grader son cooler, do animals use mind-altering substances, are you planning to make a New Year's resolution, have you ever thought about changing your name, how do artificial and human intelligence differ, what would you want to see a year-end Wrapped about, should the Terminator films be watched in release order or chronological order, would a Christmas tree decorated with Sport szelet bars be better, does fxMester have several single-colour outfits, following Bëlga's example??

InfosecTrain
DevSecOps & Compliance 2026: Automating Your Security Guardrails

InfosecTrain

Dec 23, 2025 5:03


In 2026, security is no longer a final checkpoint; it is the very foundation of the code you write. With global cybercrime costs crossing the $10.5 trillion mark, the industry has moved toward a "Secure-by-Design" mandate. This episode dives into the DevSecOps revolution: the art of bridging the gap between rapid innovation and stringent regulatory compliance (GDPR, HIPAA, SOC-2). We explore the specialized tools that transform compliance from a manual bottleneck into an automated, self-running process within your CI/CD pipeline.

Krustpunktā
Krustpunktā: SEPLP at full membership; EU fails to agree on using Russian assets for Ukraine

Krustpunktā

Dec 19, 2025 53:24


The leaders of the European Union (EU) member states have agreed to grant Ukraine a 90 billion euro loan to help address Ukraine's budget problems. However, they were unable to agree on using frozen Russian assets to raise these funds. Director Hermanis will no longer push the idea of changing Latvia's electoral system, as he is disappointed by the lack of support. A third member of the Public Electronic Mass Media Council (SEPLP) has finally been elected. In Rēzekne, the handover of "Gors" to a private operator is being discussed. The news is analysed on Krustpunktā by Atis Rozentāls, journalist at the newspaper "Diena", Ērika Staškēvica, editor-in-chief of the portal "TVNET", and Kārlis Arājs, journalist in Latvijas Radio's investigative journalism department.

DevSecOps Podcast
#07 - 06 - Iron Man AppSec - DevSecOps

DevSecOps Podcast

Dec 17, 2025 30:05


In this episode, we put on the Iron Man armor to talk about DevSecOps the right way: no buzzwords, no romanticizing and no miracle tool. DevSecOps here is engineering, strategy and shared responsibility, not a pretty badge on the pipeline. We explore how AppSec connects to DevSecOps when the team stops "throwing security in at the end" and starts designing systems with failure, attack and resilience in mind from the start. It's Jarvis running in the CI/CD: giving context, flagging risks and helping make better decisions, not just shouting errors. If you think DevSecOps is just SAST, DAST and a bunch of green checks, this episode is a reality check. If you want to build software the way Tony Stark builds armor, evolving with every version, you are in the right place.
Become a supporter of this podcast: https://www.spreaker.com/podcast/devsecops-podcast--4179006/support.
Sponsored by: Nova8, Snyk, Conviso, Gold Security, Digitalwolk and PurpleBird Security.

Entre Chaves
AI tools for validating secure code

Entre Chaves

Nov 27, 2025 4:19


This content is an excerpt from our episode "#248 Vibe Coding: what's behind the hype?". In it, Breno Gonçalves Barbosa, Systems Development Analyst, and Rafael Mendes, Lead Software Developer, both from dti digital, share essential tools and concrete methods for validating the security of code generated with AI support. Learn how to balance development speed with effective protection, and how to include human review processes from the start of the cycle. Hit play and listen now!
Topics covered: Linters, SAST and DAST for AI-generated code; SonarQube and rule standardization; Vulnerabilities specific to AI code; Per-commit validation scripts; Security built into the initial prompts; Automating attacks against AI code.
Important links: Open positions; Newsletter; Questions? Send them to us on LinkedIn.
Contact: entrechaves@dtidigital.com.br
Entre Chaves is an initiative of dti digital, a WPP company

IFTTD - If This Then Dev
#336.src - Cyber before and after AI: multiplying detection, keeping a critical mind, with Benoit Larroque

IFTTD - If This Then Dev

Nov 12, 2025 52:01


"With AI, we have a force multiplier, but we need to keep a structured and cautious approach." This week's D.E.V. is Benoît Larroque, CTO at Konvu. With AI, cybersecurity has entered a new dimension where detecting and fixing vulnerabilities can finally catch up with the frantic pace at which they appear. Benoît details how artificial intelligence makes it possible to filter and prioritize flaws effectively, while stressing the crucial need for human verification to avoid false positives. He emphasizes continuous feedback and the vigilance that is essential given how fast things evolve. A clear-eyed conversation about the real contributions and the new limits of cyber in the age of AI.
Chapters
00:00:53 : Introduction to Cybersecurity
00:01:17 : The Impact of AI on Cybersecurity
00:02:51 : Before AI: Another Era
00:05:01 : Transformation through AI
00:05:55 : Humanizing the Process
00:07:01 : Simplifying Tasks
00:08:45 : Vulnerability Management
00:11:06 : Analysis of Software Components
00:12:29 : The Complexity of Updates
00:13:56 : Manual Validation Approach
00:17:30 : Vulnerability Detection by AI
00:20:53 : New Attack Methods
00:25:33 : Security Risk Management
00:29:26 : Optimizing Security Effort
00:36:08 : Using LLMs
00:43:52 : SAST and Prompt Injection
00:49:45 : Reading Recommendations
00:50:11 : Conclusion and Thanks
Links mentioned during the show: Designing Data Intensive Applications; Release It!
**Stay compliant!** This episode is supported by Vanta, the Trust Management platform that helps companies automate their security and compliance. With Vanta, achieving compliance with standards such as SOC 2, ISO 27001 or HIPAA becomes faster, simpler and, above all, lasting. More than 10,000 companies worldwide already use Vanta to turn their security obligations into a real engine of growth.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 293: CISSP Rapid Review - Domain 8

CISSP Cyber Training Podcast - CISSP Training Program

Oct 30, 2025 39:02 Transcription Available


Quantum threats aren't waiting politely on the horizon, and neither should we. We kick off with Signal's bold move to deploy post-quantum encryption, unpacking the “belt and suspenders” approach that blends classical cryptography with quantum-resistant algorithms. No jargon traps—just clear takeaways on why this matters for privacy, resilience, and the pressure it puts on other messaging platforms to evolve. We point you to smart reads from Ars Technica and Bruce Schneier that make the technical guts approachable and actionable.
From there, we switch gears into a focused CISSP Domain 8 walkthrough: how to weave security into every phase of the software development lifecycle. We talk practical integration across waterfall, agile, and DevOps; show why change management, continuous monitoring, and application-aware incident response are non-negotiable; and explain how maturity models like CMMI and BSIMM help teams move from reactive to repeatable. We also break down the developer's toolbox—secure language choices, vetted libraries with SCA, hardened runtimes, and IDE plugins that surface issues in real time—so teams can ship faster without trading away safety.
Speed meets rigor in the CI/CD pipeline, where shift-left security comes alive with SAST, DAST, and SOAR-driven checks. We cover repository hygiene, secret scanning, and how to measure effectiveness with audit trails and risk analysis that map code issues to business impact. You'll get a clear view of third-party risk across COTS and open source, the shared responsibility model for SaaS, PaaS, and IaaS, and the daily practices that keep APIs from leaking data: least privilege, strict authorization, input validation, and rate limiting. We close with software-defined security—policies as code—bringing consistency, versioning, and automation to your defenses.
Subscribe, share with a teammate who owns your pipeline, and leave a review to tell us the next Domain 8 topic you want us to deep-dive.
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

The DevOps Kitchen Talks's Podcast
DKT83 - DevOps Mock Interview #4 (Junior/Middle DevOps Engineer)

The DevOps Kitchen Talks's Podcast

Sep 26, 2025 97:10


A mock interview for a junior or entry-level middle DevOps engineer: CI/CD, Git branches, AWS (VPC, S3), Kubernetes (probes, DaemonSet), Terraform. We go over the basics, typical questions and mistakes, in plain language.

Getup Kubicast
#185 - AppSec is much more than you imagine!

Getup Kubicast

Sep 25, 2025 56:20


We welcome the brilliant Michelle Mesquita to prove, in practice, that AppSec is not synonymous with "running a scanner and praying". We talked about how to build security in from the design stage, through threat modeling, SAST/DAST/SCA and reproducible policies, all without falling into the trap of the vulnerability PDF that nobody reads. Yes, we too laughed (nervously) when we remembered those reports with 500 findings.
We also talked about careers: where AppSec people start out, why communication and influence matter as much as CWE and CVE, and how programs like Security Champions unlock scale and culture. We discussed communities and references (OWASP and the like), pipeline automation, gamification and even how to use AI to cut noise and speed up useful feedback for devs.
And, of course, we kept to our own style: didactic, direct and slightly ironic. If you want to get out of "firefighting" and make security a functional requirement of your product, this episode is for you. Make the coffee, open the IDE and come with us.
Kubicast is a production of Getup, a company specializing in Kubernetes and open source projects for Kubernetes. The podcast's episodes are on the main digital audio platforms and on YouTube.com/@getupcloud.

Tribe Sober - inspiring an alcohol free life!
Coping with Cravings... with Mary Ann Shearer

Tribe Sober - inspiring an alcohol free life!

Jun 28, 2025 46:08


Tribe Sober - Your guide to alcohol-free living! This week I'm chatting to an inspirational woman, Mary Ann Shearer, who is a best-selling author and a motivational speaker.
In this Episode
Mary Ann is a woman before her time and was advocating veganism thirty years ago!
Her first book "The Natural Way" was written more than 20 years ago
She explained that if you give your children lots of sweet things it sets them up for alcohol dependency later in life
Mary Ann had alcoholic parents and as a result she craves order and control and has never drunk alcohol
We agreed that children of alcoholic parents tend to be like her - or they tend to follow the pattern of their parents
She advised people who have stopped drinking to satisfy their cravings by eating fresh fruit, not chocolates or sweets
Our bodies need glucose and eating fresh fruit satisfies the craving for alcohol
Mary Ann feels that alcoholics are clever people who need a creative outlet - sobriety will give them the time and space to find one
She explained the damage that alcohol does to our endocrine system - and how it makes menopause much worse
To find out more about Mary Ann go to her website - https://maryannshearer.com/ - her book is called "Perfect Health - The Natural Way", available on Amazon
More info
Subscription membership for Tribe Sober join up HERE
To access our website click HERE
To join our January Challenge click HERE - a small donation to a good cause will provide you with community and online support during January
If you want to go it alone and would still like one of our trackers then email us at janet@tribesober.com
Episode Sponsor
This episode is sponsored by the Tribe Sober Membership Program. If you want to change your relationship with alcohol then sign up today. Read more about our 8-step program and subscribe HERE.
Help us to spread the word!
We made this podcast so that we can reach more people who need our help. Please subscribe and share. We release a podcast episode every Saturday morning. You can follow Tribe Sober on Facebook, Twitter and Instagram. You can catch our FB live on Saturday mornings (11am SAST) and you can join our private Facebook group HERE
Thank you for listening! Till Next Week
Janet x

Global Medical Device Podcast powered by Greenlight Guru
#407: Cybersecurity in MedTech: FDA Compliance, Patient Safety & the Hidden Risks You're Missing

Global Medical Device Podcast powered by Greenlight Guru

May 19, 2025 42:21 Transcription Available


Christian Espinosa, founder of Blue Goat Cyber and leading voice in medical device cybersecurity, joins Etienne Nichols to unpack the urgent and often misunderstood topic of cybersecurity in MedTech. From FDA's 2023 regulatory overhaul to real-world hacking scenarios that could harm patients, Christian provides practical advice for innovators, RA/QA professionals, and software teams. He also shares why waiting until the last minute on cybersecurity could cost startups millions—or even kill a project entirely.
Whether you're a quality professional trying to build compliant systems or an innovator racing toward FDA submission, this episode lays out exactly what you need to know to stay ahead of cyber threats and within regulatory guardrails.
Key Timestamps:
00:01 – Intro to guest Christian Espinosa and Blue Goat Cyber
06:28 – Why medical device cybersecurity is different from traditional IT security
11:49 – Real-world hacking example: acne laser device turned skin-burner
13:57 – FDA expectations post-September 2023: what changed
17:12 – Secure boot: a microcontroller mistake that derailed a launch
20:35 – Common cybersecurity vendor mistake MedTech companies make
23:40 – SBOM: Software Bill of Materials and why it's legally critical
27:58 – Cyberattacks in hospitals: assuming a hostile network
35:44 – AI in medical devices: data bias and cybersecurity challenges
41:10 – Developers ≠ cybersecurity experts: the training gap nobody talks about
45:20 – What RA/QA professionals need to know now
49:30 – Why cybersecurity must be iterative, not a final-phase add-on
55:20 – Espinosa's final advice for MedTech professionals
57:52 – The story behind “Blue Goat Cyber”
Standout Quotes:
“Cybersecurity for medical devices isn't about data breaches—it's about patient harm. You could paralyze someone or misdiagnose sepsis. This isn't theoretical.” — Christian Espinosa, on the real risks of insecure devices
“Most developers don't understand cybersecurity. We assume they do—but that's like expecting an architect to be a locksmith.” — Christian Espinosa, on why so many devices fail security assessments
Top Takeaways:
Cybersecurity isn't just about data—it's about patient safety. From burning skin to missed sepsis diagnoses, vulnerabilities in devices have real-world harm potential.
FDA now requires more than just a basic security plan. Post-September 2023 rules mandate testing (SAST, DAST, fuzzing), SBOMs, and risk assessments tied to patient harm.
Start cybersecurity planning during the requirements phase. Hardware like microcontrollers must support secure boot and other protections—retrofits can cripple product plans.
Iterate cybersecurity like any core development activity. One-time testing near submission is too late; build security into your pipeline just like QA or usability.
Traditional cybersecurity vendors aren't enough. Many fail to meet FDA's nuanced expectations for medical devices, causing costly submission rejections.
References & Resources:
Christian Espinosa on LinkedIn
Blue Goat Cyber
Etienne Nichols on LinkedIn
MedTech 101 – Understanding SBOM (Software Bill of...

Defense in Depth
The CISO's Job Is Impossible

Defense in Depth

May 15, 2025 33:10


All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Yaron Levi, CISO, Dolby. Joining us is Joey Rachid, CISO, Xerox.
In this episode:
It's a balancing act
Choose to leave the kids' table
Your team is essential
Don't change CISOs midstream
Huge thanks to our sponsor, Backslash
Backslash offers a new approach to application security by creating a digital twin of your application, modeled into an AI-enabled App Graph. It categorizes security findings by business process, filters “triggerable” vulnerabilities, and simulates the security impact of updates. Backslash dramatically improves AppSec efficiency, eliminating legacy SAST and SCA frustration. Learn more at https://www.backslash.security/

Cloud Security Podcast by Google
EP224 Protecting the Learning Machines: From AI Agents to Provenance in MLSecOps

Cloud Security Podcast by Google

May 12, 2025 30:40


Guest: Diana Kelley, CSO at Protect AI
Topics:
Can you explain the concept of "MLSecOps" as an analogy with DevSecOps, with 'Dev' replaced by 'ML'? This has nothing to do with SecOps, right?
What are the most critical steps a CISO should prioritize when implementing MLSecOps within their organization? What gets better when you do it?
How do we adapt traditional security testing, like vulnerability scanning, SAST, and DAST, to effectively assess the security of machine learning models? Can we?
In the context of AI supply chain security, what is the essential role of third-party assessments, particularly regarding data provenance?
How can organizations balance the need for security logging in AI systems with the imperative to protect privacy and sensitive data? Do we need to decouple security from safety or privacy?
What are the primary security risks associated with overprivileged AI agents, and how can organizations mitigate these risks?
Top differences between LLM/chatbot AI security vs AI agent security?
Resources:
“Airline held liable for its chatbot giving passenger bad advice - what this means for travellers”
“ChatGPT Spit Out Sensitive Data When Told to Repeat ‘Poem' Forever”
Secure by Design for AI by Protect AI
“Securing AI Supply Chain: Like Software, Only Not”
OWASP Top 10 for Large Language Model Applications
OWASP Top 10 for AI Agents (draft)
MITRE ATLAS
“Demystifying AI Security: New Paper on Real-World SAIF Applications” (and paper)
LinkedIn Course: Security Risks in AI and ML: Categorizing Attacks and Failure Modes

Defense in Depth
How Much Should Salespeople Know About Their Product?

Defense in Depth

May 1, 2025 27:18


All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is Jay Jay Davey, vp of cyber security operations, Planet.
In this episode:
Aligning incentives
The realities of the job
Delivering ROI
Holistic cybersecurity
Thanks to our sponsor, Backslash Security
Backslash offers a new approach to application security by creating a digital twin of your application, modeled into an AI-enabled App Graph. It categorizes security findings by business process, filters “triggerable” vulnerabilities, and simulates the security impact of updates. Backslash dramatically improves AppSec efficiency, eliminating legacy SAST and SCA frustration. Learn more at www.backslash.security.

Defense in Depth
Why Are We Still Struggling to Fix Application Security?

Defense in Depth

Apr 24, 2025 28:14


All links and images for this episode can be found on CISO Series. Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Eric Gold, chief evangelist, BackSlash.
In this episode:
Start with the culture
Moving AppSec to a higher level
A strategy for security
Maturing the basics
Thanks to our sponsor, Backslash Security
Backslash offers a new approach to application security by creating a digital twin of your application, modeled into an AI-enabled App Graph. It categorizes security findings by business process, filters “triggerable” vulnerabilities, and simulates the security impact of updates. Backslash dramatically improves AppSec efficiency, eliminating legacy SAST and SCA frustration.

Krustpunktā
Krustpunktā discussion on NATO's demand that Latvia increase the size of the National Armed Forces (NBS)

Krustpunktā

Mar 12, 2025


NATO's demand that Latvia increase the size of the NBS: by how much, and how is that possible? This is discussed on Krustpunktā by Jevgēnijs Rjaščenko Šaraks, adviser to the Minister of Defence; Jānis Skrastiņš, secretary of the Saeima Defence, Internal Affairs and Corruption Prevention Committee; retired vice admiral Gaidis Andrejs Zeibots; and Inga Šņore, journalist on the Latvijas Televīzija programme "De facto". We also get in touch with Mārtiņš Vērdiņš, author of the blog "Vara bungas" and reserve captain, and with Kaspars Gorkšs, director general of the Employers' Confederation of Latvia.

Software Engineering Radio - The Podcast for Professional Software Developers

Tanya Janca, author of Alice and Bob Learn Secure Coding, discusses secure coding and secure software development life cycle with SE Radio host Brijesh Ammanath. This session explores how integrating security into every phase of the SDLC helps prevent vulnerabilities from slipping into production. Tanya strongly recommends defining security requirements early, and discusses the importance of threat modeling during design, secure coding practices, testing strategies such as static, dynamic, and interactive application security testing (SAST, DAST and IAST), and the need for continuous monitoring and improvement after deployment. This episode is sponsored by Codegate.ai

Paul's Security Weekly
The Future of Cyber Regulation in the New Administration - Ilona Cohen, Jenn Gile - ESW #395

Paul's Security Weekly

Feb 24, 2025 118:52


In this interview, we're excited to have Ilona Cohen to help us understand what changes this new US administration might bring, in terms of cybersecurity regulation. Ilona's insights come partially from her own experiences working from within the White House. Before she was the Chief Legal Officer of HackerOne, she was a senior lawyer to President Obama and served as General Counsel of the White House Office of Management and Budget (OMB). In this hyper-partisan environment, it's easy to get hung up on particular events. Do many of us lack cross-administration historical perspective? Probably. Should we be outraged by the dissolution of the CSRB, or was this a fairly ordinary occurrence when a new administration comes in? These are the kinds of questions I'll be posing to Ilona in this conversation.
How the Change Healthcare breach can prompt real cybersecurity change
'Shift Left' feels like a cliché at this point, but it's often difficult to track tech and security movements if you aren't interacting with practitioners on a regular basis. Some areas of tech have a longer tail when it comes to late adopters and laggards, and application security appears to be one of these areas. In this interview, Jenn Gile catches us up on AppSec trends.
Segment Resources: Microsoft Defender for Cloud Natively Integrates with Endor Labs; 2024 Dependency Management Report; How to pick the right SAST tool
In the enterprise security news, Change Healthcare's HIPAA fine is vanishingly small. How worried should we be about the threat of AI models? What about the threat of DeepSeek? And the threat of employees entering sensitive data into GenAI prompts? The myth of trillion-dollar cybercrime losses is alive and well! Kagi Privacy Pass gives you the best of both worlds: high quality web searches AND privacy/anonymity. Thanks to the UK for letting everyone know about end-to-end encryption for iCloud! What is the most UNHINGED thing you've ever seen a security team push on employees? All that and more, on this episode of Enterprise Security Weekly.
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-395

Enterprise Security Weekly (Audio)
The Future of Cyber Regulation in the New Administration - Ilona Cohen, Jenn Gile - ESW #395

Enterprise Security Weekly (Audio)

Feb 24, 2025 118:52


In this interview, we're excited to have Ilona Cohen to help us understand what changes this new US administration might bring, in terms of cybersecurity regulation. Ilona's insights come partially from her own experiences working from within the White House. Before she was the Chief Legal Officer of HackerOne, she was a senior lawyer to President Obama and served as General Counsel of the White House Office of Management and Budget (OMB). In this hyper-partisan environment, it's easy to get hung up on particular events. Do many of us lack cross-administration historical perspective? Probably. Should we be outraged by the dissolution of the CSRB, or was this a fairly ordinary occurrence when a new administration comes in? These are the kinds of questions I'll be posing to Ilona in this conversation.
How the Change Healthcare breach can prompt real cybersecurity change
'Shift Left' feels like a cliché at this point, but it's often difficult to track tech and security movements if you aren't interacting with practitioners on a regular basis. Some areas of tech have a longer tail when it comes to late adopters and laggards, and application security appears to be one of these areas. In this interview, Jenn Gile catches us up on AppSec trends.
Segment Resources: Microsoft Defender for Cloud Natively Integrates with Endor Labs; 2024 Dependency Management Report; How to pick the right SAST tool
In the enterprise security news, Change Healthcare's HIPAA fine is vanishingly small. How worried should we be about the threat of AI models? What about the threat of DeepSeek? And the threat of employees entering sensitive data into GenAI prompts? The myth of trillion-dollar cybercrime losses is alive and well! Kagi Privacy Pass gives you the best of both worlds: high quality web searches AND privacy/anonymity. Thanks to the UK for letting everyone know about end-to-end encryption for iCloud! What is the most UNHINGED thing you've ever seen a security team push on employees? All that and more, on this episode of Enterprise Security Weekly.
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-395

Paul's Security Weekly TV
Is Shift Left Just Starting to Catch On? And Other AppSec Trends & Insights - Jenn Gile - ESW #395

Feb 24, 2025 · 31:36


'Shift Left' feels like a cliché at this point, but it's often difficult to track tech and security movements if you aren't interacting with practitioners on a regular basis. Some areas of tech have a longer tail when it comes to late adopters and laggards, and application security appears to be one of these areas. In this interview, Jenn Gile catches us up on AppSec trends.

Segment Resources:
- Microsoft Defender for Cloud Natively Integrates with Endor Labs
- 2024 Dependency Management Report
- How to pick the right SAST tool

Show Notes: https://securityweekly.com/esw-395

The BlueHat Podcast
Automating Dynamic Application Security Testing at Scale

Feb 5, 2025 · 45:56


In this episode of The BlueHat Podcast, hosts Nic Fillingham and Wendy Zenone are joined by Jason Geffner, Principal Security Architect at Microsoft, to discuss his groundbreaking work on scaling and automating Dynamic Application Security Testing (DAST). Following on from his BlueHat 2024 session, and outlined in this MSRC blog post, Jason explains the key differences between DAST, SAST, and IAST, and dives into the challenges of scaling DAST at Microsoft's enterprise level, detailing how automation eliminates manual configuration and improves efficiency for web service testing.

In This Episode You Will Learn:
- Overcoming the challenges of authenticated requests for DAST tools
- The importance of API specs for DAST and how automation streamlines the process
- Insights into how Microsoft uses DAST to protect its vast array of web services

Some Questions We Ask:
- What's a lesson from this work that you can share with those without Microsoft's resources?
- Can you explain what the transparent auth protocol is that you mentioned in the blog post?
- How is your work reducing the manual effort needed to configure DAST system services?

Resources:
- View Jason Geffner on LinkedIn
- View Wendy Zenone on LinkedIn
- View Nic Fillingham on LinkedIn
- Related Blog Post: Scaling Dynamic Application Security Testing (DAST) | MSRC Blog
- Related BlueHat Session Recording: BlueHat 2024: S10: How Microsoft is Scaling DAST

Related Microsoft Podcasts:
- Microsoft Threat Intelligence Podcast
- Afternoon Cyber Tea with Ann Johnson
- Uncovering Hidden Risks

Discover and follow other Microsoft podcasts at microsoft.com/podcasts

Afternoon Drive with John Maytham
Dethroned: A documentary unmasking big cat exploitation

Nov 26, 2024 · 5:16


John Maytham speaks with Fiona Miles, Director of FOUR PAWS South Africa, about the upcoming screening of Dethroned, a documentary that exposes the exploitation of big cats. Fiona highlights the film's powerful exploration of the global big cat trade and the cruelty of captive breeding. The screening will take place online on 26 November 2024 at 20:00 SAST, and viewers can join at this link. Following the film, there will be a live Q&A with Fiona, Vanessa Amoroso, and director Aaron Gekoski to discuss the urgent need for big cat protection.

See omnystudio.com/listener for privacy information.

RecoverU
90 - How can my husband love me, and be a sex/porn addict?

Nov 20, 2024 · 41:50


Thank you for listening to this episode! We hope it was helpful and encouraging.

SAST test: https://psychology-tools.com/test/sast

If you are a betrayed partner and would like to connect with Kylene for 1:1 coaching support, please click this link and book a free connection call: https://linktr.ee/KyleneTerhune

Join the free RecoverU Facebook page for betrayed partners: www.facebook.com/groups/recoverU

For addicted spouses, check out puredesire.org and soulrefiner.org

Follow Kylene:
On TikTok: @KyleneTerhune
On IG: @KyleneTerhune

Absolute AppSec
Episode 265 - w/ Scott Norberg - Static Analysis

Oct 31, 2024


Scott Norberg joins Ken Johnson and Seth Law for an episode of Absolute AppSec all about SAST. Scott is an ASP.NET Security Consultant, Author, Researcher and Speaker. In addition to running his Opperis Technologies consultancy, Scott has recently begun working as lead application security architect at CDW. Before that he worked as Lead Application Security engineer at Gallagher and was a Senior Consultant with the AppSec team at Coalfire. He has been a web security specialist for nearly two decades, and holds several certifications, including Microsoft Certified Technology Specialist (MCTS), certifications for ASP.NET and SQL Server, and a Certified Information Systems Security Professional (CISSP) and CCSP certification. He also has an MBA from Indiana University. To find out more about Scott check out his website https://scottnorberg.com/ as well as his 2020 book Advanced ASP NET Core Security Vulnerabilities.

Paul's Security Weekly
Bringing Autonomy to AppSec - Dr. David Brumley - ESW Vault

Jun 20, 2024 · 32:22


Log4j, SolarWinds, Tesla hacks, and the wave of high-profile appsec problems aren't going to go away with current approaches like SAST and SCA. Why? These approaches:
- Are 40 years old, with little innovation
- Haven't solved the problem

In this segment, we talk about fully autonomous application security. Vetted by DARPA in the Cyber Grand Challenge, the approach is different:
- Prove bugs, rather than trying to list all of them.
- Zero false positives, which leads to better autonomy.

Segment Resources:
- Article on competition: https://www.darpa.mil/about-us/timeline/cyber-grand-challenge
- Technical article on approach: https://spectrum.ieee.org/mayhem-the-machine-that-finds-software-vulnerabilities-then-patches-them
- Example vulns discovered: https://forallsecure.com/blog/forallsecure-uncovers-critical-vulnerabilities-in-das-u-boot
- https://github.com/forallsecure/vulnerabilitieslab

Show Notes: https://securityweekly.com/vault-esw-12