48 episodes

The security repo is a podcast that focuses on real world security issues we are all facing today. We will take deep dives into news events and have exclusive interviews with security leaders on the ground.

The Security Repo Mackenzie Jackson & Dwayne McDaniel

    • Technology

    Navigating AI in Cybersecurity: Insights from Sonya Moisset

    In this episode of The Security Repo, we are thrilled to welcome Sonya Moisset, a Senior Advocate at Snyk and a renowned expert in DevSecOps, cybersecurity, and AI. With a wealth of experience as a public speaker, mentor, and top contributor to the tech community, Sonya shares her deep insights into the evolving landscape of AI in cybersecurity.

    Join us as we dive into the pressing issues surrounding generative AI and large language models (LLMs), including the concept of shadow AI, the risks of using AI tools without proper oversight, and real-world examples of security breaches involving AI. Sonya discusses the importance of implementing robust security policies and fostering an open dialogue within organizations to mitigate these risks.

    We also explore fascinating topics such as prompt injection attacks, the role of AI in both offensive and defensive cybersecurity strategies, and the emerging frameworks guiding ethical AI use. Whether you're a security professional, a developer, or simply curious about the intersection of AI and cybersecurity, this episode offers valuable knowledge and practical advice.

    Show Links

    Sonya Moisset social media links

    Linkedin: https://www.linkedin.com/in/sonyamoisset/

    X (Twitter): https://x.com/SonyaMoisset

    Introduction: 0:00

    What are the security risks with AI and LLMs: 1:10

    Prompt Injection Car Dealership: 6:39

    Prompt Injection: 8:46

    Guardrails for AI: 16:00

    Using AI for Red Teaming: 25:19

    Regulations for AI security: 32:16

    Best and Worst: 34:10

    • 36 min
    Securing Kubernetes Dashboards: Insights from Tremolo Security's CTO

    In this episode of The Security Repo, Dwayne McDaniel and Marc Boorshtein delve into the intricacies of Kubernetes dashboard security. Marc, the CTO of Tremolo Security, brings his extensive experience in identity and access management to the table, discussing the challenges and best practices for securing Kubernetes dashboards. The conversation explores the importance of dashboards, common security pitfalls, and innovative solutions to enhance user access and safety. Tune in for valuable insights on navigating the complex landscape of Kubernetes security.

    Show Notes
    Learn more about Tremolo - https://www.tremolosecurity.com/
    Follow Marc
    Linkedin - https://www.linkedin.com/in/marc-boorshtein-5979a82
    Twitter (X) - https://x.com/mlbiam

    Intro: 0:00
    Kubernetes dashboards, why?: 0:45
    Why don't we talk about k8 dashboards: 3:50
    Security concerns with Dashboards: 10:37
    The value of dashboards in k8: 12:37
    What is Tremolo: 18:55
    Common pitfalls for K8 security: 26:10
    Best and worst: 34:46

    • 39 min
    The Secrets behind GitGuardian: Building a security platform with Eric Fourrier

    Join us this week as we host Eric Fourrier, co-founder and CEO of GitGuardian. Discover the journey of GitGuardian from a side project to a leading code security platform. Eric shares insights on the startup's growth, the integration of AI in security, and the future of protecting digital assets. Tune in for an engaging discussion on advancing code security in our digital world.

    Show Notes:
    GitGuardian https://gitguardian.com
    State of Secrets Sprawl Report https://www.gitguardian.com/state-of-secrets-sprawl-report-2024
    GitGuardian Blog https://blog.gitguardian.com

    Eric Fourrier Socials
    Linkedin: https://www.linkedin.com/in/ericfourrier/

    Intro: 0:00
    Origin of GitGuardian: 0:55
    Why wasn't secrets detection a big problem: 5:08
    State of Secrets Sprawl Report: 09:50
    Can we solve secret leakage: 18:08
    Finding secrets outside source code: 22:22
    The evolution of GitGuardian: 25:18
    Single pane of glass: 30:15
    The problem of remediation: 32:55
    The role of AI in security tools: 36:10
    Best and Worst: 42:25

    • 45 min
    Solving Secret Zero: The Future of Machine Identities & SPIFFE with Mattias Gees

    Today we dive into the challenges of securing modern IT infrastructures, focusing on "Secret Zero" and its implications for authentication practices. Our guest, Mattias Gees of Venafi, discusses the SPIFFE framework and its role in transitioning from traditional security methods to dynamic workload identities. We explore practical strategies for implementing SPIFFE to enhance digital security across cloud environments. Join us for a comprehensive look at evolving cybersecurity measures and the future of identity management.



    Show Notes:

    Mattias Social Links

    Linkedin - https://www.linkedin.com/in/mattiasgees/

    Twitter (X) - https://twitter.com/MattiasGees



    You also might like our episode with Uri Sarid - https://www.youtube.com/watch?v=reKbGE1c5Ig

    Introduction: 0:00
    What is secret zero: 1:39
    Why is machine identity so hard: 4:15
    Machine identities vs user identities: 11:06
    What is SPIFFE? (Secure Production Identity Framework for Everyone): 14:20
    SPIFFE fundamentals/architecture: 17:15
    GitGuardian: 20:08
    How to implement SPIFFE: 21:00
    Why we aren't leveraging identity best practices: 26:40
    Will SPIFFE be the future?: 27:27
    Secrets Managers vs SPIFFE: 31:05
    Venafi and identity management: 32:38
    Best and worst security advice: 38:28
    Wrap up: 41:00

    • 42 min
    Building secure platforms with Kubernetes: Bridging the DevOps-Security Divide with John Dietz

    This week, we dive deep into the world of Kubernetes with John Dietz, co-founder of Kubefirst and a seasoned IT professional with over two decades of experience. John shares his extensive insights into the transformative power of Kubernetes and infrastructure as code (IaC) in modern cloud environments. Reflecting on his personal journey from skepticism about containerization to embracing Kubernetes, John discusses the critical role of governance and security in successfully deploying and managing cloud-native technologies. We also explore challenges and strategies for integrating security practices into DevOps, ensuring robust governance, and leveraging IaC for efficient and secure infrastructure management. Whether you're an IT veteran or new to the field, join us as we unpack the complexities of Kubernetes, security through governance, and the future of cloud-native platforms.

    Show Notes:
    Kubefirst: https://kubefirst.io/
    John's articles on The New Stack https://thenewstack.io/author/john-dietz/

    John Dietz socials
    X (Twitter): https://twitter.com/vitamindietz
    Linkedin: https://www.linkedin.com/in/jd-k8s/

    Introduction: 0:00
    Kubernetes skeptic to advocate: 1:09
    Governance in Kubernetes & IaC: 8:30
    Who owns security with IaC and K8: 24:36
    Common K8 mistakes: 32:16
    Why care about Kubernetes: 38:23
    Best and worst: 47:15
    Links and show notes: 54:22

    • 56 min
    Authorization vs. Authentication: Decoding the Layers of Security with Emre Baran

    In this episode we dive deep into the world of authorization with Emre Baran, CEO and co-founder of Cerbos. As a seasoned entrepreneur and software expert, Emre brings over 20 years of experience to the table, discussing the subtle yet significant distinctions between authorization and authentication, and why these concepts are pivotal in today's cloud-based and development environments.

    In this discussion, Emre explains why many organizations still grapple with these issues in 2024, highlighting common pitfalls in security practices and offering insights into the sophisticated challenges of implementing fine-grained access control. He also shares his views on the evolving landscape of regulatory standards and introduces us to "Cerbos," his solution designed to streamline and secure authorization processes efficiently.

    Show Notes
    Learn about Cerbos: https://www.cerbos.dev/
    Cerbos GitHub: https://github.com/cerbos/cerbos

    Follow Emre Baran
    X / Twitter - https://twitter.com/emre
    Linkedin: https://www.linkedin.com/in/emrebaran/

    Time Stamps
    Intro: 0:00
    Why are we still struggling with authz: 1:12
    Difference between Authentication & Authorization: 6:16
    What is Cerbos?: 9:35
    The auth trap: 11:58
    Is it scalable? (Scaling Auth): 13:20
    Who owns auth: 16:31
    Regulation and compliance: 20:32
    GitGuardian: 22:12
    What is ZSP (Zero standing Privileges): 23:00
    Best and Worst: 28:00
    Links and followup: 32:00

    • 34 min
