
Relating to DevSecOps
A podcast dedicated to forging ironclad relationships between developers, engineers, operations, and security practitioners by discussing hot topics in the world of DevSecOps. This podcast aims to air out some of the common gripes, misconceptions, and hardships that these teams face in the real world every day.
Latest episodes

Jul 26, 2021 • 35min
Episode #030: Blueprints, Reference Architectures, and Plans - Building Apps Securely
In this episode we chat blueprints, security patterns, reference architectures, and plans. Basically what we've seen in terms of the left hand side of the SDLC in establishing requirements early. This topic came about after reading the recent AWS Security reference architecture and grappling with implementation. We get pretty metaphor and analogy heavy in this one with some examples that may or may not make sense. Ultimately, these things work! We've seen them in the real world in a variety of samples, and hopefully you'll use them too.
AWS Security Reference Architecture: https://aws.amazon.com/blogs/security/aws-security-reference-architecture-a-guide-to-designing-with-aws-security-services/
Developer Take on Using Reference Architectures: https://ab-lumos.medium.com/embedding-security-into-sdlc-using-reference-architectures-for-developers-29403c00fb3d

Jul 6, 2021 • 31min
Episode #029: Does anyone REALLY do DevSecOps, and succeed?
In this somewhat makeshift, low-power episode recorded during the NYC power grid strain we do our best at getting inventive with recording techniques. Topic of the day is does DevSecOps really work? We discuss some of our failures, frustrations, and successes with DevSecOps. We also cover things you can do to succeed with DevSecOps techniques. While it may seem like fighting an uphill battle in security automation and all of these fancy modern security practices, we share some stories and methods to make sure these things stick.

Jun 22, 2021 • 57min
Episode #028: Non-technical management and Email as your IDE
Episode number 28 moves us back to a more people focused topic as we dive into technical vs non-technical management, leadership, management styles, how we've approached managers and management in our careers, and general hot takes on leadership and management in the DevSecOps world. Opinion heavy in this one and while this isn't management advice, hopefully it sparks some ideas and avenues of thought for our listeners.
Referenced in this episode:
Extreme Ownership: https://echelonfront.com/extreme-ownership/
The First 90 Days: https://www.amazon.com/First-90-Days-Strategies-Expanded/dp/1422188612
Software Lead Weekly Reading List: https://softwareleadweekly.com/

Jun 3, 2021 • 35min
Episode #027: Hot Takes on Blogs: Part I - Are QA, BA, and DBAs Dead?
In this react video of a podcast we have a look at a recent blog post on whether the QA, DBA, and BA jobs are going away in favor of more consolidated roles in development such as the full stack engineer and cloud services like abstracted databases. Simon baits Ken into a reaction since security is excluded, but eventually conclusions and comparisons are drawn to the security industry and just how important these role functions are in today's modern workloads. Thanks to Simon for bringing the bait and to the author for putting these thoughts together and highlighting just how similar the people and communication challenges are across the technology aisles.
Credit where credit is due! Read the article yourself for some perspective and insight: https://towardsdatascience.com/has-devops-killed-the-ba-qa-dba-roles-fbc187abdde
If you'd like to hear us rant more throw us some feedback, if you'd like us to rant less throw us some feedback. Thanks again for tuning in!

May 21, 2021 • 33min
Episode #026: Starting right by shifting left - what to do at build time
After such a fun conversation last week, we bring Mike back in to discuss applying security at build time and what we can do with infrastructure as code through linting and early analysis. We break down the difference between Linting, Policy as Code, and SaaS and talk about how each of these might fit into your workloads. Plus! As a security practitioner, what you can do to move the ball forward in automated testing and security in your CI/CD pipelines. We got it back down to 30-ish minutes and hope you enjoy the listen. Join us for a conversation from GREP to Hashicorp Sentinel.
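As an added example (not code from the episode or the podcast), here is what the "from GREP to Sentinel" progression looks like in practice. A text-level check runs over a constructed Terraform snippet, and a policy-as-code check runs over a constructed plan shaped like `terraform show -json` output, which is the resolved view that tools such as Sentinel evaluate. The resource names, values and the two rules are illustrative assumptions, chosen so the two stages disagree.

```python
"""
Build-time IaC checks, from grep to policy as code.
Added example, not from the podcast: a constructed Terraform snippet and a
constructed `terraform show -json`-shaped plan are checked two ways.
"""
import json
import re

# Constructed Terraform source, as a developer might write it.
# Note the commented-out line and the CIDR that comes from a variable.
HCL = """
resource "aws_security_group" "web" {
  name = "web"
  # cidr_blocks = ["0.0.0.0/0"]   # left over from a test, never applied
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}

resource "aws_security_group" "bastion" {
  name = "bastion"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.admin_cidrs   # value only known after variables resolve
  }
}
"""

# Constructed plan in the shape `terraform show -json` produces after
# variables are resolved; here var.admin_cidrs was set to the open internet.
PLAN = json.loads("""
{
  "planned_values": {"root_module": {"resources": [
    {"type": "aws_security_group", "name": "web", "values": {
      "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                   "cidr_blocks": ["10.0.0.0/8"]}]}},
    {"type": "aws_security_group", "name": "bastion", "values": {
      "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                   "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_s3_bucket_public_access_block", "name": "logs", "values": {
      "block_public_acls": false, "block_public_policy": true,
      "ignore_public_acls": true, "restrict_public_buckets": true}}
  ]}}
}
""")

OPEN_WORLD = re.compile(r"0\.0\.0\.0/0")


def grep_lint(hcl: str) -> list[int]:
    """The 'grep' stage: 1-based line numbers whose text contains 0.0.0.0/0.

    Cheap and fast, but it only sees literal text: it flags the commented-out
    line and cannot see through var.admin_cidrs.
    """
    return [n for n, line in enumerate(hcl.splitlines(), 1)
            if OPEN_WORLD.search(line)]


def policy_check(plan: dict) -> list[str]:
    """The 'policy as code' stage: rules evaluated over the resolved plan,
    so variables, modules and comments no longer matter. Returns one
    human-readable violation per failed rule.
    """
    violations = []
    for r in plan["planned_values"]["root_module"]["resources"]:
        v = r["values"]
        ident = f'{r["type"]}.{r["name"]}'
        if r["type"] == "aws_security_group":
            # Rule 1 (illustrative): no SSH from anywhere.
            for rule in v.get("ingress", []):
                if ("0.0.0.0/0" in rule.get("cidr_blocks", [])
                        and rule["from_port"] <= 22 <= rule["to_port"]):
                    violations.append(f"{ident}: SSH (22) open to 0.0.0.0/0")
        elif r["type"] == "aws_s3_bucket_public_access_block":
            # Rule 2 (illustrative): every public-access flag must be true.
            for flag in ("block_public_acls", "block_public_policy",
                         "ignore_public_acls", "restrict_public_buckets"):
                if not v.get(flag, False):
                    violations.append(f"{ident}: {flag} is not true")
    return violations


if __name__ == "__main__":
    print("grep hits on lines:", grep_lint(HCL))   # only the harmless comment
    for msg in policy_check(PLAN):                 # the real problems
        print("DENY", msg)
```

On this input the regex stage reports only line 4, the commented-out CIDR, and misses the bastion group entirely because the value is behind a variable; the plan-level policy reports the open SSH rule and the disabled `block_public_acls` flag. That gap is the reason build-time checks tend to start with grep-style linting on source and graduate to policy evaluated against the plan.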

May 11, 2021 • 57min
Episode #025: Warm blankets around your cloud with CSPM and Michael McCabe
Episode 25 is all about CSPM and our good friend Michael McCabe. Mike has a ton of experience securing application and cloud workloads and we break down how CSPM fits into the larger landscape of DevSecOps. Whether you look at it as the first step, last step, catch all, or waste of money, we break down ways a CSPM can be a valuable part of your cloud strategy and DevSecOps. In the worlds of buzzwords, hot air, and the security hype train, Mike has all kinds of tips and tricks around navigating cloud, infrastructure as code, and CSPM so that we can turn a lot of the misinformation into actionable improvements to your security posture.

Apr 26, 2021 • 40min
Episode #024: The first line of defense for MicroServices - AUTH
And that means authentication and authorization. Once you start splitting up the monolithic apps and iterating faster and faster, how does your mindset on security change? Simon and I have our own opinions, but we're starting with authentication and authorization on this episode as well as some ideas that come to mind when organizations take their first microservices steps. It's only one part of the mystery, but an important consideration! Hoping you all get something out of this.
In episode #25 we will be taking a break on the microservices side and going hard in the paint with some security issues with a surprise guest. Tune in!

Apr 10, 2021 • 33min
Episode #023: A call back to Microservices - do we even get it yet?
Ken and Simon talk engineering and security ramifications of microservices, why organizations choose to split up their treasured applications and cut them into bite size pieces for ease of use and maintenance. As with most technological advances, the best outcomes come from good implementation, so Simon and Ken talk about some real world experiences, some things to think about, and some overarching microservices topics. This will probably be a two-parter so stay tuned for even more on this huge (but complex and isolated) topic.

Mar 12, 2021 • 42min
Episode #022: From Engineer to CTO and what security means along the way w/ Jonathan Schwartz
An exciting episode indeed! Jon Schwartz the CTO of Jetty joins us in a discussion about security through his career, leadership guidance, and how to align with all roles in your organization. Hear some real world examples of security, engineering, and devops working together towards a common goal and listen in to learn how to use a new perspective to bring security to the table. We really enjoyed this conversation! A big thanks to Jonathan for coming on.
If you'd like to learn more about Jetty you can find them at https://www.jetty.com and if you're interested in joining their team, have a look at https://www.jetty.com/careers/

Feb 26, 2021 • 34min
Episode #021: An Outside-In Look at Application Inventory
Keeping with the SecOps theme the crew discusses Application Inventory, arguably the most important part of any successful application security program. Challenges are always there in keeping an accurate and robust inventory, and with a focus on assets Jamieson, Ken, and Simon discuss what they want out of an inventory and how you might look at it from the outside in when dealing with a world of ever changing application environments that can differ from hour to hour.