
Cloud Security Podcast

Latest episodes

May 11, 2023 • 32min

A DEV FRIENDLY CLOUD NATIVE SECURITY PIPELINE!

Cloud Security Podcast - We are continuing with our "Kubernetes Security & KubeCon EU 2023" series, and the fifth episode in this series features Eve Ben Ezra from The New York Times. GitOps, OPA Conftest and ArgoCD are some of the components that add security to a Cloud Native Security Pipeline. Eve Ben Ezra from The New York Times shared how we can use these tools to create a Dev Friendly Security Pipeline.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Eve Ben Ezra (Eve Ben Ezra's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions
(00:00) Introduction
(03:10) A bit about Eve
(04:05) Eve's 2nd Kubecon
(04:43) About Eve's talk at Kubecon
(05:29) What is GitOps?
(06:28) What is Argo CD?
(07:19) What is OPA?
(07:34) Why NYTimes has a development platform?
(09:14) Challenges with implementing a shared infrastructure
(11:17) Feedback is one of the challenges
(12:19) Using OPA gatekeeper
(13:30) When should developers get feedback in GitOps operational framework?
(14:52) What does local feedback to developers look like?
(15:54) What is Conftest?
(16:24) How do people get started with OPA?
(18:32) Making security more accessible for developers
(23:02) Managed or self hosted Kubernetes deployment
(24:09) How to get started with this?
(25:08) Starting with OPA vs Starting with CICD
(25:35) Where can you start learning about Kubernetes?
(28:10) The difference between CI and CD

See you at the next episode!

May 9, 2023 • 32min

THEY SCANNED ENTIRE GITHUB FOR SECRETS AND FOUND THIS!

Cloud Security Podcast - We are continuing with our "Kubernetes Security & KubeCon EU 2023" series, and the fourth episode in this series features Mackenzie Jackson from GitGuardian. Mackenzie Jackson from GitGuardian was part of a report that found 10 Million secrets stored across the entire Github space on the internet. In this interview we go into how secrets have evolved from just being username/password to API Tokens, AWS Access Keys and a whole lot more.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Shane Lawrence (Shane's Linkedin) and Daniele Santos (Dani's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions
(00:00) Introduction
(03:42) A bit about Mackenzie Jackson
(04:16) What are secrets?
(05:28) How are we dealing with secrets?
(07:35) Mackenzie talks about GitGuardian's Secret Sprawl Report
(11:43) Managing history in Github
(12:37) Mackenzie talks about ggcanary
(14:09) Common types of secrets found in scans
(15:42) Responsibility of Github and CSP providers
(17:12) Are people ready to respond to honey token alarms?
(20:33) Breaches caused by leaked secrets
(23:34) Fun facts found in Secrets Sprawl Report
(24:25) Secret sprawl is going to happen
(25:09) Where do people start?
(26:06) Implementing Git Hook as a security measure
(28:08) How to get people to care about secrets
(30:06) Where can people learn about secrets protection?
(31:25) Where you can reach Mackenzie for more questions on secrets?

See you at the next episode!

May 3, 2023 • 41min

Kubernetes Cluster Security Audit Explained

Cloud Security Podcast - We are continuing with our "Kubernetes Security & KubeCon EU 2023" series, and for the fourth episode in this series Shane Lawrence and Daniele Santos from Shopify explained kube-audit, an open source tool from Shopify. They spoke about how they have used the audit tool to improve security with a developer security lens.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Shane Lawrence (Shane's Linkedin) and Daniele Santos (Dani's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions
(00:00) Introduction
(02:52) A bit about Shane
(03:45) A bit about Dani
(04:23) Which kubecons have Shane and Dani attended?
(05:03) A bit about Dani and Shane's talk at Kubecon EU
(06:42) Misconfigurations in Kubernetes
(09:48) Dani talks about the Kubernetes Security Report
(10:13) Use case for Kubernetes Misconfiguration
(11:45) What is Azure Escape?
(12:51) What is container escape?
(15:26) What is kubeaudit?
(15:49) Contributing to kubeaudit
(16:40) The maturity of kubeaudit
(19:04) How would kubeaudit help with an azure escape?
(19:41) The developer experience
(21:34) How shopify uses kubeaudit
(24:59) Getting started with kubeaudit
(25:53) Challenges with implementing kubeaudit
(27:19) Maturity of kubernetes security and kubecon
(30:02) Learning about kubernetes
(34:07) Areas of security not being spoken about enough
(36:16) Open Source and Software supply chain risks

See you at the next episode!

Apr 16, 2023 • 40min

Network Security for Kubernetes

Cloud Security Podcast - This month we are talking about "Kubernetes Security & KubeCon EU 2023" and for the third episode in this series, we spoke to Liz Rice (Liz's Linkedin). Liz Rice from Isovalent speaks about how Network Security can be done in Kubernetes. Kubernetes network security with eBPF and Cilium can be raised to be better than selinux, seccomp, tcpdump - yes, the linux networking security tools. Yes, you read that right.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Andrew Martin (Andrew's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions
(00:00) Introduction
(00:15) A word from our sponsor snyk.io/csp
(03:36) A bit about Liz Rice
(04:36) Liz's path into Cloud Native
(06:22) What is EBPF?
(08:12) Use case for EBPF in on premise
(10:37) SC Linux and EBPF
(11:28) Why we are solving this now with Kubernetes?
(13:22) EBPF in managed vs unmanaged Kubernetes?
(15:37) Implementation of EBPF
(17:38) Access Management and Network Security
(21:02) Challenges with multi cluster Kubernetes deployment
(24:03) Key management in multi cluster
(25:11) Current gaps in Kubernetes security
(27:41) Developer first in the cloud native space
(32:47) The future of EBPF
(34:36) Where can you learn more about EBPF
(36:25) The fun questions

See you at the next episode!

Apr 14, 2023 • 58min

CONTINUOUS KUBERNETES SECURITY IN 2023

Cloud Security Podcast - This month we are talking about "Kubernetes Security & KubeCon EU 2023" and for the second episode in this series, we spoke to Andrew Martin (Andrew's Linkedin). Kubernetes Security Best practices built using the OWASP Top 10 for Kubernetes are not enough to deal with new and unknown attack vectors for your Kubernetes deployment. In this episode we have Andrew Martin on how you can deal with Kubernetes attack vectors including supply chain issues.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Andrew Martin (Andrew's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions
(00:00) Introduction
(00:15) A word from our sponsors - head over to snyk.io/csp to find out more
(02:50) A bit about Andrew Martin
(03:33) What is cloud native security?
(06:31) What is Kubernetes Security?
(10:23) Kubernetes Security vs Cloud Native Security
(11:52) Why is Kubernetes so popular?
(16:20) What are the components of Kubernetes security?
(21:43) Container security in Kubernetes landscape
(26:34) Common attack vectors for Kubernetes
(32:16) Impact of cloud in attack vectors
(35:38) Managed Kubernetes
(38:13) Rationale for using multi cluster
(41:11) Should everyone use Kubernetes?
(44:18) Is Serverless still relevant?
(47:38) Where can people learn about Kubernetes security?
(53:01) The fun questions

See you at the next episode!

Apr 13, 2023 • 48min

2023 What Kubernetes Security Looks Like Today Series- DevSecOps

Cloud Security Podcast - This month we are talking about "Kubernetes Security & KubeCon EU 2023" and for the first episode in this series, we spoke to Kirsten Newcomer (Kirsten's Linkedin). Kirsten Newcomer from Red Hat has been championing Kubernetes security and the role DevSecOps will play in helping improve security for Kubernetes implementations.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Kirsten Newcomer (Kirsten's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions
(00:00) Introduction
(02:42) Word from our sponsors about Snyk Launch - find out more at snyk.io/events/snyklaunch
(03:08) A bit about Kirsten Newcomer
(04:13) How has Kubernetes security evolved?
(06:57) Is Kubernetes still popular?
(07:45) Why is Kubernetes still popular?
(0:58) Challenges with securing Kubernetes
(15:35) How to work effectively with Kubernetes
(18:50) Adoption of IaC for security
(24:30) Maturity of Kubernetes Security
(29:24) Challenges with auditing Kubernetes
(31:55) How to approach Kubernetes security?
(35:08) Zero Trust and Kubernetes
(39:01) Is SBOM bringing more attention to Kubernetes?
(42:51) Where do people start with Kubernetes?
(45:41) Managed vs unmanaged Kubernetes?
(47:05) How you can reach out to Kirsten!

See you at the next episode!

Mar 27, 2023 • 51min

IS THERE DEVSECOPS IN CLOUD? 🤔

Cloud Security Podcast - This month we are talking about "Cloud Security - the Leadership View" and for the final episode in this series, we spoke to Guy Podjarny (GuyPo's Linkedin). If you are working on building or securing Cloud resources, can you truly imagine solving the next log4j or AWS/Azure/GCP vulnerability without including the help of Platform Engineers or IT engineers? This is the bigger picture of what we CyberSecurity people have to do day in day out. We work with wider team members.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Guy Podjarny (GuyPo's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions
A word from our sponsors - you can visit them on snyk.io/csp
(00:00) Introduction
(03:49) A bit about Guy Podjarny
(04:51) What is DevSecOps today?
(07:15) 3 Phases of DevSecOps
(07:44) DevSecOps vs ShiftLeft
(09:15) The maturity of DevSecOps
(11:52) The notion of start left
(13:36) Threat modelling and developers
(14:38) What is Cloud Security?
(16:03) The notion of App Cloud
(17:43) Gartner acronyms and cloud security
(22:21) Security champion program in cloud
(28:33) Future of IaaS, PaaS and SaaS
(32:22) Challenges with Security Championship Program
(42:19) Generative AI and DevSecOps in Cloud
(47:45) Fun Questions

See you at the next episode!

Mar 11, 2023 • 59min

How to Build a Modern Cyber Security Program in 2023

Cloud Security Podcast - This month we are talking about "Cloud Security - the Leadership View" and this week in this series, we spoke to Larry Whiteside Jr (Larry's Linkedin). If you are working on building a CyberSecurity Program in 2023 with Cloud in mind, then this episode with Larry, who shared his approach to building a CyberSecurity program along with war stories of implementing CyberSecurity in an on-premise world, is the episode you need to hear.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
FREE CLOUD BOOTCAMPs on www.cloudsecuritybootcamp.com
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Larry Whiteside Jr (Larry's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions
(00:00) Introduction
(02:50) A word from our sponsors - you can visit them on snyk.io/csp
(04:05) Larry talks about his 1st CISO role
(06:01) Cybersecurity Programs in a Pre Cloud World
(09:07) What were the challenges for CISOs in the past?
(11:05) Cybersecurity Program in 2023
(14:01) There was no NIST CFA
(14:59) Why frameworks are important
(16:59) What is a cybersecurity program?
(21:32) Components of cybersecurity program
(23:02) Has cloud changed things?
(30:01) The value of certifications
(33:14) GRC Automation and Shift Left
(42:53) The auditor's perspective
(44:50) Does GRC need to know coding?
(49:07) Cloud Security Program Playbook
(52:52) The Fun Section

See you at the next episode!

Mar 4, 2023 • 35min

HOW TO BUILD A CLOUD SECURITY PROGRAM - MEDIA INDUSTRY

Cloud Security Podcast - This month we are talking about "Cloud Security - the Leadership View" and first up in this series, we spoke to Bianca Lankford (Bianca's Linkedin) about what it takes to build a Cloud Security program that runs behind your favourite TV Show on an OTT Media Platform like Warner Brother Discovery Cloud. In this episode Bianca Lankford, from Warner Brother Discovery, shares her experience of building a Cloud Security Program and the importance of developers in solving the Cloud Security challenge.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Socials: Bianca Lankford (Bianca's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions
(00:00) Introduction
(03:06) snyk.io/csp
(03:45) A bit about Bianca
(04:27) Challenge of Scale in Media Industry
(06:38) Cloud based security program vs on prem
(08:04) How cloud security can enable businesses
(11:11) Cloud Security Program in Media Industry
(13:45) Getting leadership buy in for cloud security program
(17:05) Explaining cloud security as a business risk
(18:33) Pillars of cloud security program at scale
(20:12) Multi Cloud Security Program
(20:52) Skills required for multi cloud security team
(22:25) The future of application security and cloud security
(24:01) Metrics of operationalising cloud security program at scale
(25:32) Time to detection in Cloud
(26:32) Navigating cloud security program through changing compute
(28:09) Security guardrails vs security gate
(30:53) Stages for a cloud security program
(32:35) The Fun Section

See you at the next episode!

Feb 25, 2023 • 57min

How to Accelerate your AWS Security Maturity in 2023

Cloud Security Podcast - This month we are talking about "Building on the AWS Cloud" and next up in this series, we spoke to Chad Lorenc (Chad's Linkedin) about how the AWS Security Reference Architecture, Cloud Adoption Framework & Security Maturity Model are 3 ways to level up the maturity you have in Cloud. In this episode Chad Lorenc, from AWS, shared lessons and talked about how AWS Customers can prepare to use 3 models to Crawl, Walk & Run their security practice.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Chad Lorenc (Chad's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes, check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security BootCamp

Spotify TimeStamp for Interview Questions
(00:00) Introduction
(03:35) A word from our sponsors - check them out at snyk.io/csp
(03:51) A bit about Chad
(05:38) How things are different in the Cloud
(07:59) The Maturity framework of AWS
(11:20) How maturity scales in AWS
(13:17) Anti-Patterns when building maturity in Cloud
(15:35) Framework examples on how to build maturity models
(19:27) Mapping maturity models to business objectives
(20:19) The role of cloud native tools
(26:23) Patterns in AWS to watch out for
(28:38) Challenges for security leaders trying to get into cloud
(35:07) Foundational pieces for building maturity in AWS
(37:50) How to implement AWS Control tower?
(43:09) Give developers more freedom in cloud
(47:34) Benchmark scales for security maturity
(51:27) Resources to help you build your own maturity roadmap

See you at the next episode!
