Modern Cloud Security Programs hire for builders who can develop tools that help developers walk down a Paved road where security is not a blocker but at the same time prevents developers from making security mistakes. In this episode we spoke with Travis McPeak who shared his experience from his time at Netflix to talk about Modern Cloud Security Teams look like and work on day to day at scale for a large development team and how others can take some insights from this for their own Cloud Security Programs. This episode is better on video - YouTube Link Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Travis McPeak Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy

Azure Cloud Security Architecture (Day 0) ,Custom Azure Role definitions, Azure Privilege Access Management etc can be complex to build. Continuing from part 1 In the part 2 of our This is My Cloud Security Architecture Series Episode we have Sai, a Cloud Security Architect walking us through how to start with an Azure Security Architecture on Day 0 of your Cloud Security Architect role. Part -2 of the episode will go into Day 1+ of managing and scaling what we have created in Day 0. This episode is better on video - YouTube Link - Part 2 Part 1 of the This is My Cloud Security Architecture Series is here - YouTube Link - Part 1  Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Sai Gunaranjan (Sai's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy

Data Lakes as an asset to collect and build threat actors or hiring for Data Scientists/Analyst are not typical things in Cloud Security well unless the organisation is dealing with PetaBytes of data. At a large scale company these are data problem not a security problem at that point even if the problem is in security team. In this episode with Jonathan Rau, CISO of Lightspin we spoke about his previous experience of creating and growing a SecDataOps team with Cloud Security and Ops in IHSMarkit. We spoke about what is this SecDataOps, What is Security Data Lake and if Cloud Native tools are enough for these problems. This episode is better on video - YouTube Link Cloud Security Meetup Amsterdam - Tech Fashion Theme - Sep,2022  Cloud Security Meetup NewYork - Tech Fashion Theme - Sep,2022 Host Twitter: Ashish Rajan (@hashishrajan) Guest Linkedin: Jonathan Rau Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy

Azure Cloud Security Architecture, Azure Policies can be complex to build. In the part 1 of our This is My Cloud Security Architecture Series Episode we have Sai, a Cloud Security Architect walking us through how to start with an Azure Security Architecture on Day 0 of your Cloud Security Architect role. Part -2 of the episode will go into Day 1+ of managing and scaling what we have created in Day 0. This episode is better on video - YouTube Link Cloud Security Meetup NYC - Cloud Security Meetup NewYork - Tech Fashion Theme Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Sai Gunaranjan (Sai's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy

In this episode of the Virtual Coffee with Ashish edition, we spoke with Jack Naglieri (Jack's Twitter) about what Security Monitoring can look like for a Cloud Native Company  Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Jack Naglieri (Jack's Twitter)  Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:40) https://snyk.io/csp (02:51) Corey's professional background (03:34) Jack's introduction (06:15 )What is Cloud Native? (07:41) What is a modern security stack? (09:50) Why Cloud Native Security Monitoring? (12:36) The current market for security monitoring (15:45) Cloud Native monitoring for on-prem (18:10) How to start with Cloud Native Security Monitoring? (21:01) Security monitoring in cloud vs traditional (22:51) Challenges with Cloud Native Security Monitoring (25:25) How can SMBs tackle Cloud Native Security Monitoring? (26:52) Are cloud native tools more cost effective than traditional ones? (28:30) Heterogeneous log correlation (30:09) What is a security data lake? (35:25) Does the modern security team need data skills?

In this episode of the Virtual Coffee with Ashish edition, we spoke with Corey Ball (Corey's Twitter) about what does API in a modern software stack looks like and how these can be attacked and protected Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Corey Ball (Corey's Twitter) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:40) https://snyk.io/csp (02:51) Corey's professional background (03:11) Corey's journey to be cybersecurity author (04:36) What is API and why its important in 2022? (06:44) Is API is the backend or frontend pf applications? (08:36) What are people doing wrong with APIs? (12:16) Best Practice for API Security? (13:20) Most surprising things being seen in API Security? (14:35) How do you find API keys? (16:07) API gateway as a security control point (18:25) OWASP Top 10 API Security (20:00) Monitoring and detecting for API Security (20:57) How to approach pentesting APIs? (22:35) Learn about API hacking (25:22) API Security in the Cloud (29:05) Rest API vs GraphQL (34:27) Pentest  by consuming application documentation (36:10) Which APIs should be public?

Special Episode by Shilpi and Ashish sharing their recap, highlights, big takeaways, Cloud Talks and Training from Hacker Summer Camp - Blackhat Defcon Diana Initiative BSides Vegas 2022. Blog with links: Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp (00:00) Intro (00:43) What is Hacker Summer Camp (01:24) Who should attend Hacker Summer Camp (02:00)  Black Hat 2022 KeyNote Recap (07:48) Cloud Themes at Black Hat 2022 (14:41) Buzzword Bingo at Black Hat 2022 (20:11) Black Hat 2022 Recap - CISO Perspective (22:23) SBOM in Cloud at Black Hat 2022? (23:31) Black Hat 2022 Recap - Cloud Perspective (30:27) Zero Trust in Cloud at Black Hat 2022? (33:15) Defcon 30 2022 Recap (43:17) Defcon 30 Cloud Village Talks Recap (45:49) Ashish reacts to 10yrs of people failing default best practice (48:57) Defcon 30 Cloud Village Talks Recap Contd (52:32) Cloud Talks from other Defcon 30 Villages - Red Team, Recon Village, AppSec Village (55:11) BSides Vegas 2022 Recap (58:26) Diana Initiative 2022 (58:58) Are things getting worse before they get better (comment below) (1:00:24) Ashish Conclusion

In this episode of the Virtual Coffee with Ashish edition, we spoke with Jeevan Singh (Jeevan's Linkedin) about Threat Modelling STRIDE Threat Modelling can be used for self service Application running in Cloud and allowing Security Teams to go on holiday without worrying about Digital Supply Chain. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Jeevan Singh (Jeevan's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy Spotify TimeStamp for Interview Questions (00:00) Ashish's Intro to the Episode (02:15) https://snyk.io/csp (02:40) Jeevan's Professional Background (04:23) What is threat modelling (05:35) Flicking the Threat Modelling switch (06:47) Common AppSec Mistake (09:58) What is Threat Modelling Important? (11:46) Tainted Flow Analysis and Threat Modelling (13:00) Where does this fit in CI/CD? (14:25) Security Teams going on vacation made possible (15:34) Impact of teaching developers how to run Threat Model (16:33) First time running Observe Phase of Threat Modelling with Developers (17:13) Developers are better at Threat Model than Security (19:09) Level of programming expertise for Threat Modelling (21:32) Fixing Threats vs Finding relevant controls for the threat (22:00) Bad example of role of Threat Modelling in Business (23:41) Should Threat Model be done in Dev? (24:54) Example of Threat Model for an App hosted in Cloud? (27:27) Threat Model Skeleton for Cloud Native Apps (30:12) Does complexity increase with multi-cloud/hybrid environments? (32:27) What’s involved in rolling a Threat model program in an organisation? (36:26) Who is the minimum representation in Threat modelling session? (38:30) Advice for folks who are starting threat modelling today in their organization (41:59) Cultural Change required for Threat Modelling (43:19) Example of getting Management agreement (44:58) Jeevan's 4 Stage of Threat model talk - https://www.youtube.com/watch?v=DtvjJL8xcPY (45:28) Time-boxing Threat Model Sessions (48:21) Maintaining Quality of Risk identified during threat modeling (50:21) Keeping developers updated on latest security vulnerabilities (54:07) Jeevan’s Favourite Threat Model Type (55:09) Where can people learn threat modelling? (56:12) Fun Section

In this episode of the Virtual Coffee with Ashish edition, we spoke with Karthik Ramamoorthy (Karthik's Linkedin) about Container security with NIST Framework for financial services organizations. Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Guest Twitter: Karthik Ramamoorthy (Karthik's Linkedin) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy

Special Episode by Shilpi and Ashish sharing their recap, highlights, big takeaways, meh moments and in person experience from AWS ReInforce 2022. Twitter Space with Cloud Security Community about the AWS Re:Inforce 2022 Recap & Highlights Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv Host Twitter: Ashish Rajan (@hashishrajan) Podcast Twitter - @CloudSecPod @CloudSecureNews If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security News  - Cloud Security Academy