DevSec For Scale from Akeyless
Cybersecurity. InfoSec. DevSecOps. AppSec. Should companies be talking about these subjects only when they become too large? NO! Should cybersecurity be a priority for every company, no matter the size? YES! According to a BullGuard study in 2020, 43% of SMB owners have no cybersecurity defense plan in place at all – leaving their most sensitive financial, customer and business data, and ultimately their companies, at significant risk. Many startup and SMB companies will admit that security is not on their list of top 3 things to think about... maybe even top 5. This podcast will bring together experts, authors, and practitioners from all areas of the security ecosystem to discuss best practices and better ways for small companies to protect their data and networks.
Episodes
Tuesday Jun 14, 2022
One of the absolute most important items on any security team's agenda is Secrets Management. Nobody knows this more than Conor Mancone, Lead App Security Engineer at Cimpress.
Conor is a power user of Akeyless, as they are a customer, and in this episode he details how Cimpress came to understand their needs for credential management, with 13 subsidiaries, and what compelled them to find a centralized platform for managing secrets.
Check out Conor's work at https://blog.cmancone.com/ where he shows his work creating and deploying credential-less infrastructure and applications.
Tuesday Jun 07, 2022
We all know about Identity Providers today. But where did they come from and why are they so important to security? In this episode, Dan Moore, solutions architect and head of DevRel at FusionAuth, answers a variety of auth-related questions and helps us understand the ways developers are impacted by things like IAM, SSO, and more.
-----
https://www.w3.org/community/fed-id/ - W3C group mentioned
https://martinfowler.com/articles/agile-threat-modelling.html - threat modelling
https://owasp.org/www-project-top-ten/ - OWASP top ten
Tuesday May 31, 2022
If you could create a cybersecurity advocacy position, what would it look like? In this latest episode of the DevSec for Scale Podcast, Ashish Rajan, CISO at PageUp People and host of the Cyber Security Podcast (cybersecuritypodcast.tv), talks with Jeremy about why cybersecurity needs advocates the way developers have. He also speaks about how a cybersecurity and cloud security advocacy program could help the industry immensely.
Tuesday May 24, 2022
Why choose open source tools and products over closed-source enterprise ones?
In this episode, Liran Tal, Director of Developer Advocacy at Snyk and open source champion, talks to us about the importance of OSS in the world. We get into specifics about things like supply chain security as well as how developers should think about the health of their code and packages.
Tuesday May 17, 2022
How do you ensure authentication and authorization of users and machines in a microservices environment? And then add on the complexity of multi-tenancy architecture?
In this episode, Yuval Yogev, Chief Architect at Sygnia, talks with me about the challenges he faces when dealing with migration of a single tenant to multi-tenant architecture and ensuring all authentication and authorization is handled in the most secure way possible.
Tuesday May 10, 2022
Are you accounting for the human element of security in your business?
In this very interesting episode, we have Cybersecurity Leader and Security Researcher, Nick DiPasquale talk with us about the human attack vector into any business. This applies to developers and non-developers.
He recounts some of his own experience using open source intelligence (OSINT) to find gaps in security for his clients, how to do your best to stop bad actors, and other tips to harden your security.
Tuesday May 03, 2022
Are DevOps engineers really thinking about security in their daily activities?
In this episode, I talk with Hila Fish, Senior DevOps Engineer at Wix, about her experience with security-first DevOps and why it is such an important practice. She walks us through her philosophy on being a security-conscious engineer and how she manages teams to be more thoughtful when working on any project, not just for the organization, but for personal growth as well.
Tuesday Apr 26, 2022
How do companies secure themselves against supply chain attacks as well as internal pipelines?
In this episode, Ant Weiss, self-described Software Delivery Futurist and Founder of Otomato Software, a DevOps consultancy, talks to us about what he believes is the biggest supply chain threat when it comes to shipping code.
He also gives us some of his personal experiences with the internal workings of DevOps pipeline security from a supply chain perspective, and we get into dealing with open source packages as well.
Tuesday Apr 19, 2022
Why is access so difficult to secure? This and many other questions are answered by our guest, Yoav Turgeman Levi, Senior DevOps at a startup called Harmonya.
Yoav was the first DevOps engineer at the company and was brought on to build the processes from the beginning. He talks to me about his experience dealing with developer access and security at large organizations and applying it to the startup he is currently working at.
Monday Apr 11, 2022
It seems like security is mostly a passive game as developers usually think about fixing issues rather than building security into their applications and development lifecycles.
In this episode, I talk to Josh Grossman, CTO at Bounce Security and OWASP Israel Board Member, about the Top 10 Proactive Controls project by OWASP (The Open Web Application Security Project). Josh walks us through how to think about security risks as well as understand what controls need to be put in place to ensure your applications are secure from day one.
-----
Ways you can reach out to Josh:
Twitter: https://twitter.com/JoshCGrossman
Email: josh(at)bouncesecurity.com
The training mentioned about tool processes: https://twitter.com/JoshCGrossman/sta...
OWASP Links:
Main page: https://owasp.org/
Upcoming events: https://owasp.org/events/
OWASP Top Ten Proactive controls project: https://owasp.org/www-project-proacti... (Credit to Katy Anton, Jim Bird and Jim Manico who are the project leaders)