Send us a text

In this special holiday-themed episode of Relating to DevSecOps, hosts Ken and Mike channel their inner Dickens with a retrospective journey through the "Ghosts of DevSecOps Past, Present, and Future." From lessons learned about security awareness and collaboration challenges of the past, to the growing pains and contradictions of today’s implementation of security basics, they explore it all. Wrapping up with a hopeful look at future innovations like policy-as-code and preemptive security measures, the hosts outline their visions for a more integrated and automated security future. Packed with insights, humor, and holiday spirit, this is a must-listen for those charting the path forward in DevSecOps.

Send us a text

In this episode of Relating to DevSecOps, hosts Ken and Mike tackle the complex challenges of managing security budgets in organizations of all sizes. From small, scrappy teams to sprawling enterprises, they explore how security leaders can navigate tight financial constraints while maintaining strong security postures. They share insights on integrating security into IT operations, leveraging open-source tools, and rethinking traditional budget allocations. Whether you’re a CISO grappling with scaling or a developer looking to improve security outcomes, this discussion is packed with actionable strategies and thought-provoking debates on the future of security spending

https://www.youtube.com/watch?v=8U3QzJBCNZ0 

Send us a text

In this episode, Ken and Mike discuss the pressing issue of staffing security in the DevSecOps field. They explore the challenges of finding qualified application security professionals, the importance of diverse backgrounds in security roles, and the paradox of understaffed security teams despite a high demand for cybersecurity jobs. 

The conversation also delves into strategies for mitigating staffing issues, such as empowering security champions within organizations, leveraging automation and tooling, and avoiding bottlenecks in security processes. Throughout the discussion, they emphasize the need for a balanced approach to security that considers both technical and human factors.

Send us a text

Ken and Mike dive deep into the world of metrics and measurement in the context of security and DevSecOps. They explore the critical role metrics play in driving security improvements, from tracking vulnerabilities to gauging the effectiveness of incident response. The hosts discuss what makes a good metric, the importance of aligning metrics with business goals, and the dangers of relying too heavily on numbers alone. They also tackle the challenges of quantifying "squishy" aspects like culture and training effectiveness. Whether you're a seasoned security professional or just getting started, this episode offers valuable insights into the art and science of measurement in security

Reference talk:

https://www.youtube.com/watch?v=GXTvlQXVCOs&t=0s

Send us a text

Ken and Mike discuss the importance of postmortems in incident response and security incidents. They explore the definition of postmortems, the value of reflection, the challenges of blame, and the significance of actionable outcomes. They also touch on the transparency of postmortems and the need for root cause analysis. The conversation concludes with a brief announcement about an upcoming conference series.

Send us a text

Ken and Mike discuss supply chain security, including software composition analysis (SCA) and software bill of materials (SBOM). They highlight the importance of understanding the components that make up your software and the risks associated with using third-party libraries. They also discuss recent supply chain failures, such as the XZ library hack and the SolarWinds attack. The hosts emphasize the need for organizations to stay up to date with software patches and to consider the security of commercial off-the-shelf software. They caution against placing too much focus on any one security tool or approach, including SBOM, and instead advocate for a well-rounded approach to security.

Send us a text

In this episode Mike and Ken dive into the wild world of SaaS products in DevSecOps. From vendors to security tooling hygiene they cover an often overlooked ecosystem of cloud and software services that may be rotting in the sky of your workloads. Join up for a listen on SaaS Security!

Send us a text

With pep and full youtube energy Ken and Mike discuss the findings of the IBM "Cost of a Data Breach" report and its implications for DevSecOps. They highlight the importance of integrating security into every phase of the software development life cycle and the positive impact it can have on reducing the cost of a data breach.

Send us a text

Ken and Mike discuss their new year's resolutions related to application security. They also reflect on the impact of AI and its adoption in the industry. The hosts share their experiences attending conferences and highlight interesting talks on topics such as zero-day vulnerabilities and fuzzing LLM models. They discuss the OWASP LLM Top 10 and the evolving perception of AI in the industry. The conversation concludes with a discussion on the definition of DevSecOps and how it has evolved over time, as well as their predictions for DevSecOps in 2024.

Send us a text

We are joined by incredible guests Mikhail Chechik and Marcus Hallberg as they help us define DevSecOps and emphasize the importance of a security mindset throughout the development process. These two incredible folks explore common misconceptions about shifting left and discuss the challenges of triaging and validating vulnerabilities early in the development lifecycle. We enter in the wild world of this wonderful shifting buzzword and how it applies to incident response, design, people, and the general development process.