DevSec For Scale from Akeyless

Cybersecurity. InfoSec. DevSecOps. AppSec. Should companies be talking about these subjects only when they become too large? NO! Should cybersecurity be a priority for every company, no matter the size? YES! According to a BullGuard study in 2020, 43% of SMB owners have no cybersecurity defense plan in place at all – leaving their most sensitive financial, customer and business data, and ultimately their companies, at significant risk. Many startup and SMB companies will admit that security is not on their list of top 3 things to think about... maybe even top 5. This podcast will bring together experts, authors, and practitioners from all areas of the security ecosystem to discuss best practices and better ways for small companies to protect their data and networks.

Tracks

Infra-as-Code, OpenTofu, and Security w/ Ohad Maislish, Env0
How do you manage infrastructure-as-code and keep it secure? And can you keep open source fully open? In this episode, Ohad Maislish, Co-Founder and CEO at Env0 and OpenTofu Supporter, discusses the evolution of infrastructure management, how OpenTofu started, and how to ensure security is baked into your code. Check out Ohad's podcast, The IaC Podcast, as well: https://www.theiacpodcast.com/
24:21 1/16/24
Shift-Left Developer Security w/ Roy Avrahamy, Akeyless Security
How do you ensure developers make the best security decisions when building their applications? In this episode, Roy Avrahamy, Application Security Engineer at Akeyless Security gives us great insights into how to make sure your developers keep their minds on application security while still developing code at a fast pace. We discuss ideas about continuous learning, gamification, hackathons, and more.
26:39 8/16/23
Machine Learning Against Cyber Attacks w/ Lidan Hazout, Transmit Security
Can cyber attacks and risk be managed by machines alone? In this episode, Lidan Hazout, Risk & Fraud Detection Director at Transmit Security talks to us about how he is working to create Machine Learning algorithms to actually stop cybersecurity attacks before they even happen. We get into a lot of detail about how the algorithms decide good versus bad and what the more sophisticated types of attacks are out there. If you're looking for the website Lidan mentions toward the end where you can practice your cyber skills, check out https://www.kaggle.com/.
24:47 6/20/23
DSOMM and Security Maturity Models w/ Raz Probstein, Jit
Are you working on maturing your company's security? In this episode of DevSec For Scale, we hear from Raz Probstein, Solution Engineer at Jit, about the various methods companies have been using to up their security game. But one methodology stands out to both her and the company she works for, OWASP DSOMM. DSOMM focuses on DevSecOps security. There are quite a few differences between DSOMM and other models, and Raz breaks down why you should consider DSOMM when leveling up security. Check out Raz's slides from her recent talk about this topic at the OWASP AppSecIL 2023 conference: https://docs.google.com/presentation/d/1oI4n_YjXDIhshl8mgEJTlYFMI6UznZHKRsxvkmDvA2U/
28:30 5/30/23
Moving to a Password-less World w/ Mike Malone, Smallstep
Do you wish you could log into all your apps without passwords? Enter asymmetric cryptography. In this episode, Mike Malone, CEO and Founder of Smallstep walks us through how we got to where we are with password and secrets management and offers us ideas about how to change the way we think about credential security.
24:25 5/2/23
Secrets Management Pt 3: Managing Secrets for Real w/ Jeroen Willemsen
How do you actually get started managing secrets? In this episode of DevSec For Scale, we are joined by Jeroen for a third time to discuss the real ins and outs of getting started with secrets management. We talk about threat modeling, CI/CD, and even multi-cloud secrets management.
28:34 2/15/23
Observability and Security w/ Yosef Arbiv, Epsagon (Cisco)
What challenges are there with observability in modern microservices environments? Yosef Arbiv, Engineering Group Leader at Epsagon (Acquired by Cisco), joins the podcast to discuss observability best practices as well as the Open Telemetry project and how observability impacts the overall security health of an organization.
25:50 2/7/23
Secrets Management Pt 2: OWASP WrongSecrets w/ Jeroen Willemsen, OWASP Project Lead
In this episode of DevSec For Scale, we follow up our previous episode with some really great information about how the OWASP WrongSecrets project came about and how they manage everything, as well as how users can join and help with fixes, add challenges, and features. Jeroen also discusses the future of the project. To learn more, go to https://owasp.org/www-project-wrongsecrets/ or star the repo at https://github.com/commjoen/wrongsecrets/.
30:10 10/19/22
Shift-Left Testing For Microservices w/ Arjun Iyer, Signadot
How do you approach E2E and Integration testing in the new and complex world of Kubernetes and multi-cloud environments? Arjun Iyer, CEO & Co-Founder of Signadot joins the podcast for a very interesting and informative episode on how testing needs to shift left as we rapidly grow our development environments to the latest and greatest in infrastructure orchestration and application security.
25:32 9/28/22
Secrets Management Pt 1: Trends w/ Jeroen Willemsen, OWASP Project Lead
What is the importance of Secrets Management and how has it evolved to where it is now? In this episode of the DevSec For Scale podcast, Jeroen Willemsen, one of two project leads for the OWASP WrongSecrets project, gives us a short history of secrets management in the OWASP universe and goes into how he sees the future of secrets in the enterprise. Check out the WrongSecrets Project: https://owasp.org/www-project-wrongsecrets/
25:27 9/13/22
From DevOps to DevSecOps w/ Gil Zellner, HourOne
What's it like to go from a DevOps engineer in large organizations with expert security engineers, to a small startup that requires you to be the security engineer? In this episode, Gil Zellner, Infrastructure Lead at HourOne.ai talks about his personal experience being thrown into the deep end of security as a developer. He discusses some of the changes he had to make on his journey from companies like Oracle, AppsFlyer, and Wix to his current early stage employer. Gil also brings some interesting stories about things he has learned becoming a de facto security engineer.
25:10 9/6/22
Threat Modeling For Developers w/ Maran Gunasekaran, Practical DevSecOps
How has threat modeling evolved and how can security help make it easier for developers to implement that practically into their code? In this episode, Maran Gunasekaran, Principal Security Consultant at Practical DevSecOps gives us a rundown of what threat modeling used to mean and how developers can translate threat models into actual threat modeling as code. He also offers real-world examples of how security and developers align on threat modeling when shipping code.
34:50 8/23/22
How to Eliminate Friction in Security Teams w/ Ravid Circus, Seemplicity
Why do security teams and developers clash, and how can we ensure there is better collaboration between them? In this episode, Ravid Circus, Co-Founder & CPO at Seemplicity talks about his experience with security teams and how their requests are handled by the development teams. He also gets into how security teams should track progress and handle backlogs based on priorities.
28:39 8/16/22
Where Sec Meets Dev w/ Duane Gran, Converge Technology Solutions
Why is there still friction between Dev and Sec? How can we bridge that gap better? In this episode, Duane Gran, Corporate Director of Information Security at Converge Technology Solutions dives into how he has seen developers and security butt heads and about his personal journey from dev to sec. Duane offers great advice on getting developer buy-in and making sure security and dev tasks are more aligned.
28:07 8/9/22
Preventing Ransomware Attacks w/ Greg Edwards, CryptoStopper
Is there a simple way to detect and manage ransomware attacks? In this episode, Greg Edwards, CEO of CryptoStopper introduces us to the evolution and basics of ransomware as well as how to get better at detecting sophisticated attacks, such as file-less ransomware, before they can damage your system. He also gives us insights into how developers can ensure they aren't the reason for a ransomware attack through vigilance and preparation.
25:53 8/3/22
Common Kubernetes Security Misconfigurations w/ Rotem Refael, ARMO
If you've ever worked with containers, or specifically Kubernetes, you are probably familiar with the basics of cluster configuration. But are you ensuring your clusters are secured properly? In this episode, Rotem Refael, Director of Engineering at ARMO elaborates on a research study that the company did by scanning tens of thousands of repos to find out if the most obvious security configurations are being adhered to, as well as the more advanced ones. Interestingly enough, they found that 100% of the clusters had at least one misconfiguration. We dive into some of the most frequent misconfigurations Rotem has come by and discuss how this happens and how it can be prevented.
24:32 7/19/22
Securing Development Environments w/ Guy Flechter, Cider Security
Are development environments important enough for us to even care about securing? The answer is a resounding yes. In this episode, Guy Flechter, CEO & Co-Founder of Cider Security, goes in-depth into why security is not just a requirement for production, but also for development environments. Development environment security also has an impact on the rest of the organization, since we're seeing most teams use DevOps methodologies. Guy also talks about how to increase visibility into those environments and mitigate risk.
19:51 7/12/22
Development Velocity With Security w/ Harshit Chitalia, Tromzo
How do you ensure secure development while maintaining the release velocity of your applications? In this episode, Harshit Chitalia, CTO & Founder at Tromzo, talks with me about his recent research study where he asked over 400 developers about their biggest Application Security challenges. We get into some of the interesting findings of the report and also discuss how vulnerabilities are found and fixed as well as tooling developers can use to do just that. -- State of Modern Application Security: https://www.tromzo.com/resources/state-of-modern-application-security Voice of the Modern Developer Research: https://www.tromzo.com/resources/voice-of-the-modern-developer
34:14 7/5/22
Common Startup Security Mistakes w/ Dan Yelovitch, develeap
Whether it's leaving a database on a public IP or waiting to put proper VPN access in place, there are many security issues startups can sometimes fall victim to. In this episode, Dan Yelovitch, Chief DevOps Architect at develeap, wows us with stories about actual clients he works with that have made mistakes that have been costly. We learn about the problem, fixes, and ways to ensure your small organization can install automation and cultural practices to stay more secure.
19:37 6/29/22
Securing Your CI/CD Pipeline w/ Zan Markan, CircleCI
What are best practices for protecting your production pipeline? In this episode, we welcome Zan Markan, Senior Developer Advocate at CircleCI to talk about how he looks at basic security aspects related to continuous deployment as well as common configuration issues that come up. We also discuss code and dependency scanning as well as policy enforcement. --- Follow Zan at: https://twitter.com/zmarkan https://circleci.com https://twitter.com/circleci  
29:07 6/22/22
Securing Secrets w/ Conor Mancone, Cimpress
One of the absolute most important items on any security team's agenda is Secrets Management. Nobody knows this more than Conor Mancone, Lead App Security Engineer at Cimpress. Conor is a power user of Akeyless, as they are a customer, and in this episode he details how Cimpress came to understand their needs for credential management, with 13 subsidiaries, and what compelled them to find a centralized platform for managing secrets. Check out Conor's work at https://blog.cmancone.com/ where he shows his work creating and deploying credential-less infrastructure and applications.
29:18 6/14/22
Auth Security (Part 1) w/ Dan Moore, FusionAuth
We all know about Identity Providers today. But where did they come from and why are they so important to security? In this episode, Dan Moore, solutions architect and head of DevRel at FusionAuth, answers a variety of auth-related questions and helps us understand the ways developers are impacted by things like IAM, SSO, and more. ----- https://www.w3.org/community/fed-id/ - W3C group mentioned https://martinfowler.com/articles/agile-threat-modelling.html - threat modelling https://owasp.org/www-project-top-ten/ - OWASP top ten
27:48 6/7/22
Cybersecurity Advocacy w/ Ashish Rajan, cloudsecuritypodcast.tv
If you could create a cybersecurity advocacy position, what would it look like? In this latest episode of the DevSec for Scale Podcast, Ashish Rajan, CISO at PageUp People and host of the Cyber Security Podcast (cybersecuritypodcast.tv), talks with Jeremy about why cybersecurity needs advocates the way developers have. He also speaks about how a cybersecurity and cloud security advocacy program could help the industry immensely.
32:45 5/31/22
Open Source Security w/ Liran Tal, Snyk
Why choose open source tools and products over closed-source enterprise ones? In this episode, Liran Tal, Director of Developer Advocacy at Snyk and open source champion talks to us about the importance of OSS in the world. We get into specifics about things like supply chain security as well as how developers should think about the health of their code and packages.
28:24 5/24/22
Microservices Authentication & Authorization w/ Yuval Yogev, Sygnia
How do you ensure authentication and authorization of users and machines in a microservices environment? And then add on the complexity of multi-tenancy architecture? In this episode, Yuval Yogev, Chief Architect at Sygnia, talks with me about the challenges he faces when dealing with migration of a single tenant to multi-tenant architecture and ensuring all authentication and authorization is handled in the most secure way possible.
30:10 5/17/22
OSINT and Security w/ Nick DiPasquale
Are you accounting for the human element of security in your business? In this very interesting episode, we have Cybersecurity Leader and Security Researcher, Nick DiPasquale talk with us about the human attack vector into any business. This applies to developers and non-developers. He recounts some of his own experience using open source intelligence (OSINT) to find gaps in security for his clients, how to do your best to stop bad actors, and other tips to harden your security.
22:21 5/10/22
Better Security Awareness for DevOps w/ Hila Fish, Wix
Are DevOps engineers really thinking about security in their daily activities? In this episode, I talk with Hila Fish, Senior DevOps Engineer at Wix, about her experience with security-first DevOps and why it is such an important practice. She walks us through her philosophy on being a security-conscious engineer and how she manages teams to be more thoughtful when working on any project, not just for the organization, but for personal growth as well.
26:17 5/3/22
Software Supply Chain Security w/ Anton Weiss, Otomato Software
How do companies secure themselves against supply chain attacks as well as internal pipelines? In this episode, Ant Weiss, self-described Software Delivery Futurist and Founder of Otomato Software, a DevOps consultancy, talks to us about what he believes is the biggest supply chain threat when it comes to shipping code. He also gives us some of his personal experiences with the internal workings of DevOps pipeline security from a supply chain perspective, and we get into dealing with open source packages as well.
22:38 4/26/22
Securing Developer Access to Sensitive Data w/ Yoav Turgeman Levi, Harmonya
Why is access so difficult to secure? This and many other questions are answered by our guest, Yoav Turgeman Levi, Senior DevOps at a startup called Harmonya. Yoav was the first DevOps engineer at the company and was brought on to build the processes from the beginning. He talks to me about his experience dealing with developer access and security at large organizations and applying it to the startup he is currently working at.
16:59 4/19/22
Proactively Building Secure Software w/ Josh Grossman, Bounce Security
It seems like security is mostly a passive game as developers usually think about fixing issues rather than building security into their applications and development lifecycles. In this episode, I talk to Josh Grossman, CTO at Bounce Security and OWASP Israel Board Member about the Top 10 Proactive Controls project by OWASP (The Open Web Application Security Project). Josh walks us through how to think about security risks as well as understand what controls need to be put in place to ensure your applications are secure from day one. ----- Ways you can reach out to Josh: Twitter: https://twitter.com/JoshCGrossman Email: josh(at)bouncesecurity.com The training mentioned about tool processes: https://twitter.com/JoshCGrossman/sta... OWASP Links: Main page: https://owasp.org/ Upcoming events: https://owasp.org/events/ OWASP Top Ten Proactive controls project: https://owasp.org/www-project-proacti... (Credit to Katy Anton, Jim Bird and Jim Manico who are the project leaders)
23:19 4/11/22
