DSO Overflow

DSO Overflow S5EP1Security the Software Supply ChainwithFrancois ProulxIn this episode, featuring Francois Proulx, a senior product security engineer, we discuss software supply chain security, particularly the security of build pipelines and dependencies. Francois shares insights on defining supply chains, identifying vulnerabilities, threat modeling, and strategies to improve security. The conversation explores topics like the SALSA framework, risk factors in CI/CD pipelines, and reducing complexity in dependencies. The discussion emphasizes threat awareness, holistic approaches, and the importance of isolating critical processes in software development. Practical tools and insights on research and AI’s role in security were also touched upon.Resources mentioned in this podcast:Francois' LinkedIn profileBoost blog siteBoost on GitHubSLSA websiteDSO Overflow is a DevSecOps London Gathering production. Find the audio version on all good podcast sources like Spotify, Apple Podcast and Buzzsprout.This podcast is brought to you by our sponsors:  Prisma Cloud, Tigera and ApiiroYour HostsSteve Giguere linkedin.com/in/stevegiguereGlenn Wilson linkedin.com/in/glennwilsonJessica Cregg linkedin.com/in/jessicacregg

DSO Overflow S4EP10Threat ModellingwithAshley WardIn this month's episode, Steve and Glenn chatted with Ashley Ward to discuss topics around threat modelling.Ashley is a highly experienced CTO at ControlPlan with expertise in cloud-native architectures and cybersecurity, known for leading transformative initiatives across startups and large enterprises, including as Group CTO for a €4.5 billion company. He excels in scaling organisations through agile, FinOps, and DevSecOps, while inspiring teams and engaging with stakeholders at all levels. As a Justice of the Peace since 2017, Ashley brings additional strengths in decision-making, public speaking, and community-focused leadership.In this episode of DSO Overflow, Ashley Ward, CTO at Control Plane, discusses threat modelling in cloud-native environments, security challenges, and the impact of emerging technologies like AI. Ward explains that threat modeling should start with existing knowledge and highlights the benefits of collaborative, iterative approaches. He emphasises involving various teams in the process to account for application, platform, and infrastructure layers. Ward also discusses practical frameworks, such as the CIA triad and STRIDE, and points out the specific challenges in cloud-native threat modelling, like microservices and fast-paced release cycles. Regarding AI, he cautions about the heightened risks, as AI democratises hacking capabilities. Ward advocates for using AI thoughtfully in threat modelling and encourages companies to adopt proactive security strategies. He concludes by encouraging organisations to embrace threat modelling as an evolving, essential practice.Resources mentioned in this podcast:Ashley Ward's LinkedIn profileControlPlane websiteDSO Overflow is a DevSecOps London Gathering production. Find the audio version on all good podcast sources like Spotify, Apple Podcast and Buzzsprout.This podcast is brought to you by our sponsors:  Prisma Cloud, Tigera and ApiiroYour HostsSteve Giguere linkedin.com/in/stevegiguereGlenn Wilson linkedin.com/in/glennwilsonJessica Cregg linkedin.com/in/jessicacregg

DSO Overflow S4EP9Open Source IntegritywithLuke HindsIn this month's episode, Jessica and Glenn chatted with Luke Hinds to discuss topics around Open Source integrity and provenance.Luke is a co-founder and the CTO at Stacklok who loves building open source software and communities, as well as leading talented engineering teams to develop innovative cutting edge security technologies at scale.In this episode, Luke talks about the challenges of ensuring open source software integrity and provenance using cryptographic technologies and automated signing of software within the CICD pipeline using a non-profit software cryptographic signing service. He talks about managing developer expectations and how security should enable software development. We briefly discuss the dangers of putting too much trust into AI and the data that supports GenAI models.Resources mentioned in this podcast:Luke Hind's LinkedIn profileStacklok on LinkedInStacklok's websitesigstore on LinkedInsigstore websiteslsa websiteMinder websiteMinder on GitHubDSO Overflow is a DevSecOps London Gathering production. Find the audio version on all good podcast sources like Spotify, Apple Podcast and Buzzsprout.This podcast is brought to you by our sponsors:  Prisma Cloud, Tigera and ApiiroYour HostsSteve Giguere linkedin.com/in/stevegiguereGlenn Wilson linkedin.com/in/glennwilsonJessica Cregg linkedin.com/in/jessicacregg

DSO Overflow S4EP8Cloud Native and KuberneteswithSteve Wade and Michael FosterIn this month's episode, Steve met with Steve Wade  and Michael Foster to talk about the  Cloud Native Club and new and future developments in Kubernetes.Steve Wade founded The Cloud Native Club, a global community for cloud-native enthusiasts. He is also a maintainer of the Flux Terraform Provider. As an experienced conference speaker, independent cloud-native consultant, and trainer, Steve shares his expertise worldwide. He has held platform leadership roles across various industries, including real estate, gaming, fintech, and the UK Parliament. With a BSc in Computer Science, Steve is passionate about cloud-native software development and distributed computing.Michael Foster regards himself as a passionate tech enthusiast and open-source advocate with a multidisciplinary background. Understands the importance of community and being a good communicator. Great problem solver, quick thinker, constant learner, and someone who is process-orientated. Able to conceptualize, coordinate, and implement by paying attention to detail while seeing the big picture. I am continually working to bridge the gap between tech and business.In this episode, Steve Wade introduces his new community called the Cloud Native Club while Steve Giguere and special guest host Michael Foster (Red Hat) introduces The State of Kubernetes Security report as an anchor to pick Steve Wade’s brain on everything from how we secure cloud native to AI’s influence on Kubernetes now and in the future.Cloud Native Club:The Cloud Native Club is a global community I founded in July 2024, dedicated to connecting cloud-native enthusiasts from all walks of life, no matter where they are in the world. Inspired by my journey transitioning from a football career to the tech industry, I quickly realised the immense value of community in fostering growth and success. However, I also saw that many people, especially those in remote areas, lacked access to the supportive networks that can be crucial for learning and development. The Cloud Native Club was created to bridge that gap. It’s a place where anyone—from beginners to seasoned professionals—can come together to learn, share, and grow in the cloud-native space. Through our forum, weekly hangouts, and YouTube series like "My Journey" and "Project Spotlight," we aim to make cutting-edge cloud-native knowledge accessible to everyone while fostering a strong, supportive, and inclusive community.Resources mentioned in this podcast:Steve Wade's LinkedIn profileSteve Wade's Twitter profileThe Cloud Native Club on LinkedInThe Cloud Native Club on TwitterThe Cloud Native Club on YouTubeMichael Foster's LinkedIn ProfileDSO Overflow is a DevSecOps London Gathering production. Find the audio version on all good podcast sources like Spotify, Apple Podcast and Buzzsprout.This podcast is brought to you by our sponsors:  Prisma Cloud, Tigera and ApiiroYour HostsSteve Giguere linkedin.com/in/stevegiguereGlenn Wilson linkedin.com/in/glennwilsonJessica Cregg linkedin.com/in/jessicacreggDev

DSO Overflow S4EP7Managing the risks that really matterwithSam WatkinsIn this month's episode, Glenn and Jessica speak with Sam Watkins to talk about a new paradigm for managing risks.Sam Watkins is an accomplished engineer working at BT in the UK. Sam is driven by a passion for driving change through the implementation of technological solutions, possessing the expertise in impacting organisational capability and performance, catering to business needs by early adaption of futuristic technological trends, and enabling organisations to meet the business needs.In this episode, Sam reveals to Jess and Glenn the exciting work she is doing at BT, a major telecommunication company in the UK to improve the organisation's application security posture. You will hear Sam talk about challenging the current paradigm of managing vulnerabilities to a paradigm of managing weaknesses. Sam discusses the risks that really matter while remaining empathetic to the needs of everyone within the organisation including compliance, engineering and risk management.Resources mentioned in this podcast:Sam's LinkedIn profileSam's personal websiteCommon Weakness EnumerationDSO Overflow is a DevSecOps London Gathering production. Find the audio version on all good podcast sources like Spotify, Apple Podcast and Buzzsprout.This podcast is brought to you by our sponsors:  Prisma Cloud, Tigera and ApiiroYour HostsSteve Giguere linkedin.com/in/stevegiguereGlenn Wilson linkedin.com/in/glennwilsonJessica Cregg linkedin.com/in/jessicacreggDevSecOps - London GatheringKeep in touch with our events associated with this podcast via our website.For more about DevSecOps - London Gathering check out https://dsolg.com

DSO Overflow S4EP6Security in front-end application developmentwithDavid MyttonIn this month's episode, Glenn speaks with David Mytton to talk about how to make sure front-end development is secure.David Mytton is the CEO of Arcjet, a devtools software startup that helps developers protect their apps. He also writes the weekly Console.dev devtools newsletter which helps developers find the best tools.He's an angel investor in >30 early-stage developer-first startups and is working towards an Engineering Science PhD in sustainable computing at the University of Oxford. His research has been featured in The Times, WSJ, Financial Times, Fast Company, Computer Weekly, and Sky News..In this episode, David and Glenn cover the main security challenges and security hygiene affecting front-end application development. They discuss a broad range of topics including software dependencies, input validation, securing environment variables, and many other security related topics that all developers should consider when developing front-end applications.Resources mentioned in this podcast:David's LinkedIn profileDavid's blogConsole.devDSO Overflow is a DevSecOps London Gathering production. Find the audio version on all good podcast sources like Spotify, Apple Podcast and Buzzsprout.This podcast is brought to you by our sponsors:  Prisma Cloud, Tigera and ApiiroYour HostsSteve Giguere linkedin.com/in/stevegiguereGlenn Wilson linkedin.com/in/glennwilsonJessica Cregg linkedin.com/in/jessicacreggDevSecOps - London GatheringKeep in touch with our events associated with this podcast via our website.For more about DevSecOps - London Gathering check out https://dsolg.com

DSO Overflow S4EP5LLM and GenAI securitywithJohn BoeroIn this month's episode, Jess and Glenn speak with Field CTO at TeraSky John Boero to talk about LLMs and GenAI.John lives in London and has 20 years in the IT industry developing and consulting for Red Hat, Puppet, HashiCorp, and more with emphasis on performance and security.In this episode, John talks about the inherent risks of using LLMs and GenAI and provides some hints on how to benefit from using them effectively. He discusses the technical details involved in LLMs to give listeners a better understanding of what's under the hood of GenAI models.Resources mentioned in this podcast:John's LinkedIn profileTerraSky's websiteDSO Overflow is a DevSecOps London Gathering production. Find the audio version on all good podcast sources like Spotify, Apple Podcast and Buzzsprout.This podcast is brought to you by our sponsors:  Prisma Cloud, Tigera and ApiiroYour HostsSteve Giguere linkedin.com/in/stevegiguereGlenn Wilson linkedin.com/in/glennwilsonJessica Cregg linkedin.com/in/jessicacreggDevSecOps - London GatheringKeep in touch with our events associated with this podcast via our website.For more about DevSecOps - London Gathering check out https://dsolg.com

DSO Overflow S4EP4IoT, AI and DevSecOpswithDarren RichardsonIn this month's episode, Jess and Glenn speak with networking graduate, security enthusiast, coder and giant with a great bushy beard Darren Richardson from Eficode.Darren is an IT graduate specializing in system administration, network operation and information security with experience in Cisco IOS operation and network management. He has a passion for information security with a bias towards offensive security and ethical hacking.In this episode, Darren talks about the inherent security challenges of using IoT devices, and discusses the intersection of AI and DevSecOps and how AI is changing the way we do DevOps.Resources mentioned in this podcast:Darren's LinkedIn profileEficode's websiteDSO Overflow is a DevSecOps London Gathering production. Find the audio version on all good podcast sources like Spotify, Apple Podcast and Buzzsprout.This podcast is brought to you by our sponsors:  Prisma Cloud, Tigera and ApiiroYour HostsSteve Giguere linkedin.com/in/stevegiguereGlenn Wilson linkedin.com/in/glennwilsonJessica Cregg linkedin.com/in/jessicacreggDevSecOps - London GatheringKeep in touch with our events associated with this podcast via our website.For more about DevSecOps - London Gathering check out https://dsolg.com

DSO Overflow S4EP3Paving the Road to Effective Software DevelopmentwithSarah WellsIn this month's episode, Jess and Glenn speak with Sarah Wells an independent tech consultant, author formerly the Technical Director for Engineering Enablement at the Financial Times to talk about how to balance developer autonomy with standardisation.Sarah is a technology leader, consultant and conference speaker with a focus on microservices, engineering enablement, observability and devops. She has over 20 years experience as a developer, principal engineer and tech director across product, platform, SRE and devops teams.She spent over a decade at the Financial Times, leading as it transformed into a true cloud native organisation, releasing code 250 times as often and embracing autonomous empowered teams.In this episode, Sarah shares her experience of transforming a software devlivery programme throgh balancing autonomy with standardisation. She discusses how she moved from monthly releases to multiple releases a day bringing focus, flow and joy to the organisation's engineering community.Resources mentioned in this podcast:Sarah's LinkedIn profileEnabling Microservice Success bookSarah's consultancy websiteDSO Overflow is a DevSecOps London Gathering production. Find the audio version on all good podcast sources like Spotify, Apple Podcast and Buzzsprout.This podcast is brought to you by our sponsors:  Prisma Cloud, Apiiro, and SysdigYour HostsSteve Giguere linkedin.com/in/stevegiguereGlenn Wilson linkedin.com/in/glennwilsonJessica Cregg linkedin.com/in/jessicacreggDevSecOps - London GatheringKeep in touch with our events associated with this podcast via our website.For more about DevSecOps - London Gathering check out https://dsolg.com

DSO Overflow S4EP2Resilient CybersecuritywithKennedy TorkuraIn this month's episode, Steve and Glenn speak with Kennedy Torkura from Mitigant to talk about how to build cyber resiliency into your organisation.Kennedy is a cybersecurity professional, CTO and co-founder at Mitigant who specialises continuous security verification and making cybersecurity resilience a first-class citizen in the cloud. Kennedy holds a doctorate in cybersecurity whose thesis covers continuous security paradigms in cloud-native infrastructure. He is also a contributor to the book Security Chaos Engineering released in 2023.In this episode, Kennedy talks about security chaos engineering and how to build security resilience into your organisation. He tells us wha security security chaos engineering (SCE) is, how to start with SCE, and how SCE builds resilience. We also discuss the concepts around detect and respond and how cyber attack emulation creates a more cyber resilient mindset.Resources mentioned in this podcast:Kennedy's LinkedIn profileKennedy's Mitigant blogKennedy's MediumMitigant.ioSecurity Chaos Engineering (book)Netflix Chaos MonkeyDSO Overflow with Aaron Rinehart and Kennedy TorkuraDSO Overflow is a DevSecOps London Gathering production. Find the audio version on all good podcast sources like Spotify, Apple Podcast and Buzzsprout.This podcast is brought to you by our sponsors:  Prisma Cloud, Apiiro, and SysdigYour HostsSteve Giguere linkedin.com/in/stevegiguereGlenn Wilson linkedin.com/in/glennwilsonJessica Cregg linkedin.com/in/jessicacreggDevSecOps - London GatheringKeep in touch with our events associated with this podcast via our website.For more about DevSecOps - London Gathering check out https://dsolg.com