Episode 24: Putting The Sec Into DevOps

Episode 24 August 19, 2020 00:37:14
Episode 24: Putting The Sec Into DevOps
SilverLining IL
Episode 24: Putting The Sec Into DevOps
/

Hosted By

Moshe Ferber Ariel Munafo

Show Notes

Attendees

Guest: Dima Revelis

Guest title: Senior Devops engineer

Company: MoonActive

Abstract

DevsecOps is accelerating fast as the new buzzword for modern information security practices. In this episode we use the expertise of Dima Revelis in order to dive deep into understanding DevOps practices, what is CI/ CD pipeline and which security tools are relevant for all of those new practices.

Timing:

0:00 - Introducing our guest

2:50 - What is devops

7:50 - What is deployment pipeline

14:20 - What is CI and which security testing can be implemented

17:20 - What is CD and which security consideration 

18:40 - Dive deeper into security testing - QA, code review, static & dynamic   analysis

20:45 - So much automation, do we still need manual testing? 

22:30 - Additional security aspects: using Jenkins, authentication and authorization, secret management

26:40 - Availability considerations and disaster recovery

33:30 - Summary and final words

Other Episodes

Episode 16

February 12, 2020 00:56:21
Episode Cover

Episode 16: Merging Cloud Based Startup Into Financial Giants

Attendees Guest: Ori Troyna Guest title: Global head of product security at Payu Company: Payu Abstract Payu, a global fintech gaint acquired Zooz , a small payment startup.  In this episode we talk with Ori Troyna, Global head of product security at Payu about the challenges that such a merger between two very different companies with different engineering methodologies and how they cope with those challenges. Timing: 1.14 Ori introduce himself 11.40 challenges of merging small companies into financial giants. Integrating different technologies stacks into one.   18.33 how to build the organizational structure the consolidate the different companies and technology stacks  21.30 understanding the acquisition considerations of PayU and its effect on security considerations   27.0 solving the consolidation challenges - the people angel. Moving to tribes and clans and providing security goals  34.30 the difference between product security and IT security   36.0 solving the consolidation challenges - the process angel. How to integrate different tribes and clans to create one joint development backlog and mature devops   46.40 solving the consolidation challenges - the technology angel. Building global infrastructure that support multiple projects  53.22 summary and last words ...

Listen

Episode 28

November 11, 2020 00:29:02
Episode Cover

Episode 28: Analyzing Cloud Attack Vectors - SaaS Marketplaces and Office 365 BEC

Attendees Guest: Ofer Maor Guest title: Co-Founder & CTO  Company: Mitiga Abstract The recent increase of cloud based attacks gives us an opportunity to examine new attack vectors and how attackers exploit new services. In this episode we talked with Ofer Maor, Co-Founder at Mitiga, about new attack vectors in cloud computing and how attackers exploit new services such as marketplaces, community repos and other examples. Timing: 0:00 Introducing our guest and Mitiga 3:32 Preparing for cloud incident response  7:15 Cloud attack vector - malicious AMI 11:00 More attack vectors on marketplaces 13:18 Github attack vectors 18:15 attack vector - Business email compromise on 365 25:44 how to mitigate cloud incidents 27:58 Summary and last words ...

Listen

Episode 8

September 24, 2019 00:27:26
Episode Cover

Episode 8: Securing The World of IoT

Attendees Guest: Beau Woods Guest title:  Member Company:  We-Are-The-Cavalry, Atlantic Council Abstract IOT devices such as Medical embedded devices, autonomous vehicle and smart homes are currently the Achilles heel of information security. The technology is advancing fast, but the security frameworks are not advancing at the same pace. In this episode we talk with Beau woods, founder for I-am-the-cavalry, about the steps governments, regulators and vendors should take in order to produce safer IOT devices. Timing   0:00 Intro and introducing our Beau activities and I-AM-The-Cavalry community   5:20 What are the unique challenges of IOT security?  9.05  It is not a question of connectivity 11:35   How do better engineer IOT devices - fail fast, detect failure and maintain an ability to fix failures 17.15 Engineering is not enough - how the IOT consumers should be trained for and aware of 22.20 Summary and conclusions   ...

Listen