Relating to DevSecOps

A podcast dedicated to forging ironclad relationships between developers, engineers, operations, and security practitioners by discussing hot topics in the world of DevSecOps. This podcast aims to air out some of the common gripes, misconceptions, and hardships that these teams face in the real world every day.

Episodes

March 20, 2024 32 mins

In this episode Mike and Ken dive into the wild world of SaaS products in DevSecOps. From vendors to security tooling hygiene they cover an often overlooked ecosystem of cloud and software services that may be rotting in the sky of your workloads. Join up for a listen on SaaS Security!

With pep and full YouTube energy Ken and Mike discuss the findings of the IBM "Cost of a Data Breach" report and its implications for DevSecOps. They highlight the importance of integrating security into every phase of the software development life cycle and the positive impact it can have on reducing the cost of a data breach.

Ken and Mike discuss their new year's resolutions related to application security. They also reflect on the impact of AI and its adoption in the industry. The hosts share their experiences attending conferences and highlight interesting talks on topics such as zero-day vulnerabilities and fuzzing LLM models. They discuss the OWASP LLM Top 10 and the evolving perception of AI in the industry. The conversation concludes with a d...

We are joined by incredible guests Mikhail Chechik and Marcus Hallberg as they help us define DevSecOps and emphasize the importance of a security mindset throughout the development process. These two incredible folks explore common misconceptions about shifting left and discuss the challenges of triaging and validating vulnerabilities early in the development lifecycle. We enter in the wild world of this wonderful shifting buzzwor...

On this episode of R2DSO Mike and Ken dive into their takeaways and experiences from LASCON 2023 in Austin, TX where AI was both a problem child and praised bringer of salvation in security. Vendors and companies alike are embracing AI with wide eyes and there was no shortage of talks, presentations, and hallway conversations about the topic. Beyond that security is fast accepting that they can't be the department of "No...

September 25, 2023 31 mins

In this episode Ken and Mike dive directly into the meat with solutioning and mitigation. All too often security professionals find themselves falling into the trap of focusing on vulnerability counts, evangelizing findings, and playing the age old game of red, yellow, green. We jump straight into the why of this focus in the industry and offer some ideas on how to get out of it successfully. If you're interested in a conve...

In today's episode, we untangle the web of alphabet-soup technologies: CSPM, VM, SIEM, and Log Aggregators. We go beyond the buzzwords to give you a no-nonsense look at how these tools fit together, complement each other, or might even replace one another in specific use-cases. Selecting the right tool can be overwhelming, and we're here to guide you through the when, where, and how of leveraging these technologies effect...

Dive headfirst into AppSec and Terraform security with Ken and Mike in this electrifying podcast episode. They demystify complex security concepts, offer golden nuggets on Cybersecurity programs as a DevSecOps concept, and provide a rare glimpse into the high-octane training sessions they're delivering at BlackHat, Defcon, and LASCON. This episode is a view into building resilient security programs, tackling compliance chall...

Ken and Mike dive into the exciting world of modern application and cloud security, with a keen focus on the challenges posed by legacy systems. They explore the hurdles faced when dealing with older applications written in stalwart languages like Java, .NET, Rails, and Python, and shed light on the complexities of addressing security issues in these systems. Join them as they discuss everything from slow performance and resistance...

In this captivating episode of R2DSO hosts Ken and Mike embark on an exploration of security automation in the realms of application and cloud security. With a keen understanding of the pitfalls, they emphasize the need for precision, consistency, and repeatability. Stepping beyond the traditional confines of scanning, and automation techniques destined for failure, they offer insightful analogies and practical advice, empowering...

In this action-packed episode, Ken, Mike, and Izzy (Ken's cat) dive headfirst into the wild world of DevSecOps Penetration Testing – is it possible or downright preposterous? Can we truly automate pentesting in this breakneck DevSecOps environment, or are we chasing a cybersecurity unicorn?

Discover the vital distinction between red team operations and adversarial simulations within the DevSecOps landscape. We strip back to bas...

Mike and Ken dive into the exciting topic of Mergers and Acquisitions. Take a bit of time out of your day to join them in their explorations of how M&As have affected operations for clients, companies, and security teams. Today they discuss techniques, trials, tribulations, and methods for tackling the joining of two companies, organizations, and teams bringing real scenarios from their own experiences.

Join Mike and Ken as they discuss collaborative security work and what working together looks like in enterprise and organizations. In an effort to help people make better security decisions, in this episode they cover avoiding silos, working effectively together, picking your battles, reframing the security conversation with engineers, and using security as an enabler.

Now Available on YouTube:
https://youtu.be/HDOWGq...

Join Mike and Ken in their discussion about Incident Response and how it fits into the DevSecOps world and arena. Incident Response, logging and monitoring are hard problems to solve and Mike has some strong opinions on how to leverage and use native tooling to prepare and respond to incidents in your environment. Understanding logs, what to do with them, and how to filter through all of the noise are all covered in this episode. M...

We dive back into bringing guests onto the show focusing on real problems with real people on the ground. In this episode, we are joined by Hecber Cordova, Director of Cloud Security at RBC. He shares insights around growth into DevSecOps, developing empathy with your engineering teams, creating cloud patterns, paved paths, and building secure architectures from the ground up. If you're interested in hearing from someone who h...

In this episode, Mike and Ken will dive deep into the world of ChatGPT and explore how it can be used to generate code for developers and operations teams. They'll discuss the benefits and drawbacks of relying on AI for security, and how it can be used to improve the security posture of your organization.

But that's not all - Mike and Ken will also explore the challenges that come with scripting examples such as terraform,...

In this episode, our hosts recap the Global OWASP AppSec Dublin conference and share insights into interesting talks about DevSecOps. They delve into the challenges and opportunities that come with securing modern applications in a dynamic and ever-changing landscape. The hosts also share their frustrations with application security vendors in the space and discuss potential solutions to overcome these challenges. Along the way, th...

Today's episode covers one of the most common problems for software development teams and their security partners. Application Inventory. App Inventory brings to mind different struggles and difficulties for teams and even Ken and Mike have a few different experiences in approach. The team breaks apart some differences between asset inventory, software constellations, service discovery, and api security.

If you want t...

Happy New Year! Another year of DevSecOps fun as we head into an unpredictable and volatile security market, Ken and Mike talk hiring and the struggle between having a ton of talented passionate junior talent and a security mission that requires experienced individuals with a limited budget. Inadequate staffing, the reality of security vs engineering budgets, bridging the talent gap with internships and an all call to organizations...

We hope all of the turkey comas have worn off! These holiday delays are almost over, and in the meantime here we are with the second part of how security verticals fit into the great sprawling world of DevSecOps! Mike and Ken discuss migration from on prem to cloud and how this shift has had a tremendous effect on the perception of data security. It's become easier and easier to spin up data storage solutions in cloud and infra...
