

Cloud Security Podcast
TechRiot.io
Learn Cloud Security in public cloud and for AI systems, the unbiased way, from cybersecurity experts solving challenges at cloud scale. We are honest because we are not owned by a cloud service provider like AWS, Azure or Google Cloud.
We aim to help the community learn Cloud Security through community stories, from small to large organisations solving multi-cloud challenges, and by diving into specific topics in Cloud Security.
We STREAM interviews on Cloud Security topics every week on LinkedIn, YouTube and Twitter, with over 150K people tuning in.
Episodes
Oct 24, 2022 • 47min
Compliance as Code in Kubernetes
In this episode of the Virtual Coffee with Ashish edition, we spoke with Jim Bugwadia (Jim's Twitter) about policy management and compliance as code for Kubernetes, and how open source tools like Kyverno and OPA can enforce those policies in the cluster.
Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Jim Bugwadia (Jim's Twitter)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy
Spotify TimeStamp for Interview Questions
(00:00) Ashish's Intro to the Episode
(03:20) https://snyk.io/csp
(05:23) What is Kubernetes Control Plane?
(06:51) What is an admission controller?
(08:01) Why do you need policy management in Kubernetes?
(10:13) Pod Security and Policy management
(11:57) Policy Management in Managed Kubernetes
(13:54) Scaling Policy Management for Kubernetes
(19:34) Common use cases for policy management
(25:30) Compliance in Kubernetes
(32:04) Levels of Maturity in Kubernetes Policy Management
(36:47) Future of policy as code
(38:46) Kyverno vs OPA
(43:39) Kyverno vs gatekeeper
(45:15) Where to start with policy management?
(46:11) Where you can find Jim
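As an added illustration of the compliance-as-code approach this episode covers, below is a Kyverno ClusterPolicy that makes the admission controller reject any Pod running a privileged container. It is an example written for this page, not a policy from the episode or from the Kyverno project; the kube-system exclusion is an assumption about where privileged system add-ons live in a given cluster.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
  annotations:
    policies.kyverno.io/description: >-
      A privileged container runs with the host's full capabilities and device
      access, so compromising it is effectively compromising the node. This rule
      rejects any Pod whose containers set securityContext.privileged to true.
spec:
  # Enforce rejects the object at admission time; Audit would only record the
  # violation in a PolicyReport. Start in Audit when rolling out to a live cluster.
  validationFailureAction: Enforce
  # Also scan resources that already exist and report them, not just new admissions.
  background: true
  rules:
    - name: privileged-containers-not-allowed
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system   # assumption: CNI/storage add-ons that need privilege live here
      validate:
        message: >-
          Privileged containers are not allowed. Remove securityContext.privileged
          or set it to false.
        # "=(key)" is Kyverno's optional anchor: the key may be absent, but if it is
        # present it must match. Covering init and ephemeral containers closes the
        # obvious bypass of putting the privileged container somewhere other than
        # spec.containers.
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

Because Kyverno auto-generates matching rules for Pod controllers (Deployment, DaemonSet, StatefulSet, Job and so on), a Deployment whose template asks for a privileged container is rejected as well, rather than failing later when the controller tries to create the Pod. The policy can be tested offline against a sample manifest with the Kyverno CLI before it is applied to a cluster: `kyverno apply disallow-privileged-containers.yaml --resource pod.yaml`.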

Oct 16, 2022 • 51min
Software Signing for Kubernetes Supply Chain & Everybody Else
In this episode of the Virtual Coffee with Ashish edition, we spoke with Luke Hinds (Luke's Twitter) about the open source Sigstore project and how it helps with software signing and protecting the software supply chain.
Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Luke Hinds (Luke's Twitter)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy
Spotify TimeStamp for Interview Questions
(00:00) Ashish's Intro to the Episode
(01:39) https://snyk.io/csp
(05:21) What is the software supply chain and why is it important?
(08:20) Common supply chain attacks in Kubernetes
(09:53) Codecov attack
(11:14) Kubernetes and API
(14:10) Vulnerability scanning tools
(16:38) Explaining the importance of supply chain security
(19:19) What is a signing service
(19:56) The SLSA framework
(20:42) Importance of signing service
(23:35) What is Sigstore?
(27:57) What is Let's Encrypt
(31:48) The aim of sigstore
(34:39) What is Cosign
(36:40) Signing with Cosign and non-repudiation
(46:29) Where to start

Oct 10, 2022 • 51min
KUBERNETES BEST PRACTICES 2022
In this episode of the Virtual Coffee with Ashish edition, we spoke with Jimmy Mesta (Jimmy's Twitter) about the OWASP Kubernetes Top 10 and best practices for securing Kubernetes.
Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Jimmy Mesta (Jimmy's Twitter)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy
Spotify TimeStamp for Interview Questions
(00:00) Ashish's Intro to the Episode
(01:39) https://snyk.io/csp
(03:55) What is Kubernetes?
(05:15) Kubernetes vs Containers
(06:38) Kubernetes and Docker
(09:08) Unmanaged Kubernetes
(11:14) Managed Kubernetes
(13:39) Security for Kubernetes Clusters
(15:42) OWASP Top 10 for Web Applications
(17:59) Starting to build Kubernetes Cluster or Pod
(23:09) Security Misconfigurations in Kubernetes
(28:42) Supply Chain Vulnerabilities in Kubernetes
(32:06) RBAC and Policy Enforcement
(33:32) Logging and Monitoring in Kubernetes
(34:30) Broken Authentication
(35:17) Missing network segmentation
(36:07) Secrets Management Failure
(37:09) Misconfigured Cluster Components
(38:15) Outdated and vulnerable Kubernetes components
(42:37) Asset Inventory for Kubernetes Cluster
(44:53) Threat Modelling in Kubernetes
(46:20) Certificate management in Kubernetes
(48:02) Learn more about securing Kubernetes

Sep 29, 2022 • 39min
Building Blocks of a Modern Cloud Security Program
Modern cloud security programs hire builders who develop tools that keep developers on a paved road, where security is not a blocker but developers are still prevented from making security mistakes. In this episode we spoke with Travis McPeak, who shared his experience from his time at Netflix: what a modern cloud security team looks like, what it works on day to day at scale for a large development team, and what others can take from this for their own cloud security programs.
This episode is better on video - YouTube Link
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Travis McPeak
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy

Sep 25, 2022 • 1h 4min
THIS IS MY Cloud SECURITY ARCHITECTURE - Azure Security Best Practices - Part 2
Azure cloud security architecture (Day 0), custom Azure role definitions, Azure privileged access management and the like can be complex to build. Continuing from Part 1 of our This is My Cloud Security Architecture series, in which Sai, a Cloud Security Architect, walked us through how to start an Azure security architecture on Day 0 of your Cloud Security Architect role, Part 2 goes into Day 1+: managing and scaling what was created on Day 0.
This episode is better on video - YouTube Link - Part 2
Part 1 of the This is My Cloud Security Architecture Series is here - YouTube Link - Part 1
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Sai Gunaranjan (Sai's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy

Sep 16, 2022 • 47min
SecDataOps Explained - Modern Security Stack
Data lakes as an asset for collecting security data and building up a picture of threat actors, or hiring data scientists and analysts, are not typical in cloud security, unless the organisation is dealing with petabytes of data. At that scale these are data problems rather than security problems, even when they sit with the security team. In this episode with Jonathan Rau, CISO of Lightspin, we spoke about his previous experience creating and growing a SecDataOps team across cloud security and operations at IHS Markit: what SecDataOps is, what a security data lake is, and whether cloud native tools are enough for these problems.
This episode is better on video - YouTube Link
Cloud Security Meetup Amsterdam - Tech Fashion Theme - Sep,2022
Cloud Security Meetup NewYork - Tech Fashion Theme - Sep,2022
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Linkedin: Jonathan Rau
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy

Sep 12, 2022 • 56min
THIS IS MY Cloud SECURITY ARCHITECTURE - Azure Security Best Practices - Part 1
Azure cloud security architecture and Azure Policy can be complex to build. In Part 1 of our This is My Cloud Security Architecture series, Sai, a Cloud Security Architect, walks us through how to start an Azure security architecture on Day 0 of your Cloud Security Architect role. Part 2 goes into Day 1+: managing and scaling what was created on Day 0.
This episode is better on video - YouTube Link
Cloud Security Meetup NYC - Cloud Security Meetup NewYork - Tech Fashion Theme
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Sai Gunaranjan (Sai's Linkedin)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy

Sep 8, 2022 • 37min
Cloud Security Monitoring in a Modern Security Stack
In this episode of the Virtual Coffee with Ashish edition, we spoke with Jack Naglieri (Jack's Twitter) about what security monitoring can look like for a cloud native company.
Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Jack Naglieri (Jack's Twitter)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy
Spotify TimeStamp for Interview Questions
(00:00) Ashish's Intro to the Episode
(02:40) https://snyk.io/csp
(03:34) Jack's introduction
(06:15) What is Cloud Native?
(07:41) What is a modern security stack?
(09:50) Why Cloud Native Security Monitoring?
(12:36) The current market for security monitoring
(15:45) Cloud Native monitoring for on-prem
(18:10) How to start with Cloud Native Security Monitoring?
(21:01) Security monitoring in cloud vs traditional
(22:51) Challenges with Cloud Native Security Monitoring
(25:25) How can SMBs tackle Cloud Native Security Monitoring?
(26:52) Are cloud native tools more cost effective than traditional ones?
(28:30) Heterogeneous log correlation
(30:09) What is a security data lake?
(35:25) Does the modern security team need data skills?

Sep 5, 2022 • 40min
API SECURITY BEST PRACTICES 2022
In this episode of the Virtual Coffee with Ashish edition, we spoke with Corey Ball (Corey's Twitter) about what APIs in a modern software stack look like and how they can be attacked and protected.
Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Guest Twitter: Corey Ball (Corey's Twitter)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy
Spotify TimeStamp for Interview Questions
(00:00) Ashish's Intro to the Episode
(02:40) https://snyk.io/csp
(02:51) Corey's professional background
(03:11) Corey's journey to be cybersecurity author
(04:36) What is an API and why is it important in 2022?
(06:44) Is the API the backend or the frontend of an application?
(08:36) What are people doing wrong with APIs?
(12:16) Best practices for API security
(13:20) Most surprising things being seen in API Security?
(14:35) How do you find API keys?
(16:07) API gateway as a security control point
(18:25) OWASP Top 10 API Security
(20:00) Monitoring and detecting for API Security
(20:57) How to approach pentesting APIs?
(22:35) Learn about API hacking
(25:22) API Security in the Cloud
(29:05) REST API vs GraphQL
(34:27) Pentest by consuming application documentation
(36:10) Which APIs should be public?

Aug 28, 2022 • 1h 3min
BlackHat Defcon 2022 - The Cloud Security Edition
Special episode by Shilpi and Ashish sharing their recap, highlights, big takeaways, cloud talks and training from Hacker Summer Camp 2022: Black Hat, DEF CON, the Diana Initiative and BSides Las Vegas.
Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv
Host Twitter: Ashish Rajan (@hashishrajan)
Podcast Twitter - @CloudSecPod @CloudSecureNews
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security News
- Cloud Security Academy
Spotify TimeStamp
(00:00) Intro
(00:43) What is Hacker Summer Camp
(01:24) Who should attend Hacker Summer Camp
(02:00) Black Hat 2022 KeyNote Recap
(07:48) Cloud Themes at Black Hat 2022
(14:41) Buzzword Bingo at Black Hat 2022
(20:11) Black Hat 2022 Recap - CISO Perspective
(22:23) SBOM in Cloud at Black Hat 2022?
(23:31) Black Hat 2022 Recap - Cloud Perspective
(30:27) Zero Trust in Cloud at Black Hat 2022?
(33:15) Defcon 30 2022 Recap
(43:17) Defcon 30 Cloud Village Talks Recap
(45:49) Ashish reacts to 10 years of people failing at default best practices
(48:57) Defcon 30 Cloud Village Talks Recap Contd
(52:32) Cloud Talks from other Defcon 30 Villages - Red Team, Recon Village, AppSec Village
(55:11) BSides Vegas 2022 Recap
(58:26) Diana Initiative 2022
(58:58) Are things getting worse before they get better (comment below)
(1:00:24) Ashish Conclusion


