
Practical DevSecOps


By: Varun Kumar

About this listen

Practical DevSecOps (a Hysn Technologies Inc. company) offers vendor-neutral and hands-on DevSecOps and Product Security training and certification programs for IT Professionals. Our online training and certifications are focused on modern areas of information security, including DevOps Security, AI Security, Cloud-Native Security, API Security, Container Security, Threat Modeling, and more.



© 2026 Practical DevSecOps
Education
Episodes
  • SLSA Framework: The Definitive Guide for Securing Your Software Supply Chain
    Feb 28 2026

    In this episode, we dive deep into the SLSA (Supply-chain Levels for Software Artifacts) framework, the definitive standard for securing your software supply chain. With software supply chain attacks increasing by 742% between 2019 and 2022, understanding frameworks like SLSA—pronounced "salsa"—is no longer optional; it is an operational reality.

    We explore the origins of SLSA, which began at Google as "Binary Authorization for Borg" before being contributed to the Open Source Security Foundation (OpenSSF) in 2021. We break down what SLSA provides: a common vocabulary for security maturity, verifiable provenance metadata, and incremental security levels that align with NIST SSDF and EO 14028 requirements.

    Join us as we dissect the four SLSA security levels, from Level 0 (the default state of no provenance) to Level 3, which mandates hardened builds with isolated and ephemeral environments. We discuss how these Level 3 protections could have blunted breaches like the SolarWinds attack by denying attackers persistent access to build environments and keeping signing keys isolated from the build itself. We also touch on other high-profile incidents, such as Codecov and Log4Shell, that highlight why organizations need to know exactly what went into the artifacts they run.

    The episode also covers the technical mechanics of SLSA, specifically "provenance"—the tamper-evident metadata that answers who built an artifact, what sources were used, and how it was constructed. We examine the Sigstore toolchain, including Cosign, Fulcio, and Rekor, which enables the "keyless" cryptographic signing essential for modern supply chain security.

    For those ready to move from theory to practice, we outline an implementation roadmap starting from Level 1 (fully scripted builds) to Level 3 (enforced verification in production), a journey that typically takes three to six months. We also highlight the critical roles of different stakeholders, from developers signing commits to organizations establishing policy enforcement at deployment boundaries.

    Finally, we address the limitations of the framework—noting that it focuses on build integrity rather than code quality or runtime security—and point you toward the Certified Software Supply Chain Security Expert (CSSE) course for those ready to master these concepts through hands-on labs.

    Whether you are an AppSec engineer, a security professional, or a cybersecurity analyst, this episode provides the practical, research-backed insights you need to defend against source tampering, dependency poisoning, and provenance forgery.

    Key Topics Covered:

    Defining SLSA and its role in the OpenSSF.

    The 742% increase in supply chain attacks and lessons from SolarWinds.

    The roadmap from Level 0 to Level 3 "Hardened Builds".

    The power of Sigstore and cryptographic provenance.

    Common implementation mistakes, such as skipping Level 1 or ignoring verification.

    How to get certified as a Software Supply Chain Security Expert.

    Upgrade your security career today by mastering the framework that secures the world's most critical workloads.

    https://www.linkedin.com/company/practical-devsecops/
    https://www.youtube.com/@PracticalDevSecOps
    https://twitter.com/pdevsecops


    23 mins
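The policy check the episode places at the deployment boundary, as an added example that is not code from the podcast, the SLSA project or Sigstore: it takes a SLSA v1 provenance statement (the in-toto Statement format that Sigstore attestations carry), binds it to the exact artifact bytes, requires a trusted builder identity, and pins the source commit the build consumed. It assumes the DSSE envelope signature has already been verified (for instance with `cosign verify-attestation`), so only the payload is checked here; the builder id, repository URI and artifact bytes are constructed sample values.

```python
"""Admission-time policy check on SLSA v1 provenance.

Added example; not code from the podcast, SLSA or Sigstore.  Assumes the
DSSE envelope carrying the statement has already had its signature verified
(e.g. `cosign verify-attestation`), so only the in-toto statement payload is
examined.  The builder id, repository URI and artifact bytes are constructed.
"""
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample: the artifact about to be deployed and a SLSA v1
# provenance statement whose subject names its SHA-256 digest.
ARTIFACT = b"release bytes of app-1.4.2.tar.gz"
SAMPLE_STATEMENT = json.dumps({
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "app-1.4.2.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/build-types/container@v1",
            "externalParameters": {
                "source": "git+https://github.com/example/app@refs/tags/v1.4.2"},
            "resolvedDependencies": [
                {"uri": "git+https://github.com/example/app@refs/tags/v1.4.2",
                 "digest": {"gitCommit": "a" * 40}},
            ],
        },
        "runDetails": {"builder": {"id": "https://example.com/builders/hardened@v1"}},
    },
})


def admit(statement_json, artifact_bytes, trusted_builders, expected_repo):
    """Decide whether an artifact may be deployed.

    Returns (True, git_commit) when every check passes, else (False, reason).
    The checks are the ones a deployment boundary needs: the provenance must
    cover these exact bytes, must come from a builder we trust, and must show
    the build consumed the repository we expect.
    """
    try:
        stmt = json.loads(statement_json)
    except ValueError:
        return False, "provenance is not valid JSON"
    if stmt.get("_type") != STATEMENT_TYPE:
        return False, "not an in-toto v1 statement"
    if stmt.get("predicateType") != SLSA_V1:
        return False, f"unexpected predicate type {stmt.get('predicateType')!r}"

    # 1. Subject binding: a genuine provenance for some other build must not be
    #    reusable for tampered bytes, so compare against the real digest.
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    listed = [s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])]
    if actual not in listed:
        return False, "artifact digest is not a subject of this provenance"

    pred = stmt.get("predicate", {})
    # 2. Builder identity: only a hardened build platform may vouch for the
    #    artifact; a developer laptop or an unknown CI runner fails here.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, f"untrusted builder {builder!r}"

    # 3. Source: the build must have resolved the expected repository.  Compare
    #    the URI up to '@' exactly, so 'example/app-evil' cannot pass as
    #    'example/app'.  The pinned commit is returned for the audit trail.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    for dep in deps:
        repo = dep.get("uri", "").split("@", 1)[0]
        if repo == expected_repo:
            commit = dep.get("digest", {}).get("gitCommit")
            if commit:
                return True, commit
            return False, "source dependency carries no gitCommit digest"
    return False, "expected source repository not among resolved dependencies"


if __name__ == "__main__":
    trusted = {"https://example.com/builders/hardened@v1"}
    repo = "git+https://github.com/example/app"
    print(admit(SAMPLE_STATEMENT, ARTIFACT, trusted, repo))
    print(admit(SAMPLE_STATEMENT, ARTIFACT + b"x", trusted, repo))
```

The order of the checks matters in practice: digest binding comes first because a valid, signed provenance for a different artifact is exactly what an attacker who has tampered with the bytes would present, and the builder allow-list is what turns "has provenance" (Level 1) into "built on a hardened platform" (Level 3).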
  • DevSecOps Statistics in 2026: Market Growth, Adoption Trends, and Strategic Insights
    Feb 20 2026

    In this episode, we explore the explosive growth of the DevSecOps market, which is projected to reach between USD 8.58 billion and USD 10.88 billion by 2026. Driven by cloud-native transitions, AI integration, and intensifying regulatory pressures, the industry is witnessing a compound annual growth rate (CAGR) of up to 22.10%.

    Course Page:

    https://www.practical-devsecops.com/certified-devsecops-professional/

    What You’ll Learn in This Episode:

    The Financial Landscape: Why DevSecOps engineering has become a high-demand career with massive salary potential. We break down the 2026 salary benchmarks, where entry-level roles average $100,000 and senior-level experts earn up to $210,000.

    The Rise of AI & Emerging Threats: How AI-generated code is expanding attack surfaces and why 75% of organizations are now using or planning to use AI/ML bots for code reviews.

    Skills That Move the Needle: Discover the high-value expertise in Kubernetes security, Terraform, Infrastructure as Code (IaC), and CI/CD automation that can lift your pay by 20-40% over traditional roles.

    Market Dynamics: A look at why North America holds a dominant 36.5% market share, fueled by federal SBOM mandates, while the Asia-Pacific region emerges as the fastest-growing market with a 22.7% CAGR.

    Deep Dive into Education & Certification:

    We discuss the critical importance of specialized training to stay competitive. The sources highlight essential certifications like the Certified DevSecOps Professional (CDP), which focuses on securing the SDLC, and the Certified AI Security Professional (CAISP), covering the OWASP Top 10 for LLMs and MITRE ATLAS defenses. We also examine the role of Certified Cloud Native Security Experts (CCNSE) and Threat Modeling Professionals (CTMP) in building resilient, "shift-smart" workflows.

    Strategic Insights for 2026:

    The Speed vs. Risk Tradeoff: Why nearly half of development teams still deploy vulnerable code under time pressure despite achieving 60% faster release cycles.

    Vulnerability Trends: An analysis of why infrequently deployed services have 47% more outdated dependencies, often leaving them vulnerable to unpatchable CVEs.

    The Shift to Managed Services: Why organizations are increasingly turning to managed services for AI tuning and red-teaming support.

    Whether you are looking to break into the field or are a seasoned professional aiming for the top 1% of cybersecurity engineers, this episode provides the research-backed insights and practical roadmaps needed to navigate the 2026 DevSecOps landscape.

    Tune in to learn how to integrate security into every stage of your workflow and secure your place in this multi-billion dollar industry.

    https://www.linkedin.com/company/practical-devsecops/
    https://www.youtube.com/@PracticalDevSecOps
    https://twitter.com/pdevsecops


    16 mins
  • LLM Jacking – The $46,000-a-Day Security Threat
    Feb 9 2026

    In this episode, we dive deep into one of the most pressing financial and security threats facing organizations in 2026: LLM Jacking. While many security discussions focus on prompt injection or model poisoning, LLM jacking is a different beast entirely: it is a direct infrastructure compromise where attackers hijack your cloud credentials to consume your expensive AI resources.

    Featured Resource: If you are responsible for securing AI infrastructure, this episode highlights the technical controls covered in the Certified AI Security Professional (CAISP) course, which includes hands-on labs for defending against the OWASP Top 10 LLM vulnerabilities and mastering the MITRE ATLAS framework.

    A single hijacked Large Language Model can cost an organization over $46,000 a day in fraudulent charges. We break down why this has moved from a theoretical risk to a daily reality for security architects and AI developers.

    In this episode, we cover:

    Defining the Threat: Understand why LLM jacking is an infrastructure failure, distinct from model manipulation like prompt injection.

    The 3-Stage Anatomy of an Attack: We trace the attacker’s journey from the Initial Compromise (often through leaked API keys or unpatched software) to Discovery and Weaponization, where stolen access is sold or used to generate malicious content.

    The "Smoking Gun": Learn the technical indicators of compromise (IoCs), such as bursts of ValidationException errors on InvokeModel calls in AWS Bedrock (an attacker probing which models the account has enabled) or unusual geographic spikes in API traffic.

    Real-World Case Study: We examine a fintech startup’s nightmare scenario—how a single static AWS key committed to GitHub led to a 700% cost overrun in just two weeks.

    Defense & Incident Response: From architecting Zero Trust AI pipelines to a 15-minute containment playbook, we provide actionable strategies to protect your environment.

    The Future of AI Security: Why the rising cost of model inference and the move toward proprietary, fine-tuned models make AI infrastructure a high-value target for 2026 and beyond.

    Tune in to learn how to ensure security is a foundational part of your AI strategy, rather than a costly afterthought.

    https://www.linkedin.com/company/practical-devsecops/
    https://www.youtube.com/@PracticalDevSecOps
    https://twitter.com/pdevsecops


    13 mins
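The indicators the episode calls the "smoking gun", turned into detection logic as an added example that is not code from the podcast or the CAISP course: it groups Bedrock InvokeModel records by access key and flags model enumeration inside a sliding window, a high ValidationException ratio, and calls from a region the workload never uses. The records are constructed samples shaped like CloudTrail entries; the key ids, model ids, IPs and every threshold are assumptions to tune against your own baseline.

```python
"""Flag LLMjacking-style abuse in AWS Bedrock CloudTrail events.

Added example; not code from the podcast or the CAISP course.  The records
below are constructed samples shaped like CloudTrail entries for bedrock
InvokeModel (eventSource, eventName, awsRegion, sourceIPAddress,
userIdentity.accessKeyId, requestParameters.modelId, errorCode).  Model ids,
key ids, IPs and thresholds are assumptions to tune against your baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _event(key, minute, region, model, ip, error=None):
    """Build one constructed CloudTrail-shaped record (helper for the sample)."""
    rec = {
        "eventTime": f"2026-02-09T10:{minute:02d}:00Z",
        "eventSource": "bedrock.amazonaws.com",
        "eventName": "InvokeModel",
        "awsRegion": region,
        "sourceIPAddress": ip,
        "userIdentity": {"accessKeyId": key},
        "requestParameters": {"modelId": model},
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample.  "...LEGIT" behaves like the application: one model, one
# region, successful calls.  "...STOLEN" is a leaked key being tried out: six
# different models inside three minutes from a region the workload never uses,
# with most calls failing because those models are not enabled in the account.
SAMPLE_EVENTS = [
    _event("AKIAEXAMPLELEGIT", 0, "us-east-1", "vendor.model-a", "203.0.113.10"),
    _event("AKIAEXAMPLELEGIT", 5, "us-east-1", "vendor.model-a", "203.0.113.10"),
    _event("AKIAEXAMPLELEGIT", 9, "us-east-1", "vendor.model-a", "203.0.113.10"),
    _event("AKIAEXAMPLESTOLEN", 1, "eu-west-3", "vendor.model-a", "198.51.100.7"),
    _event("AKIAEXAMPLESTOLEN", 1, "eu-west-3", "vendor.model-b", "198.51.100.7", "ValidationException"),
    _event("AKIAEXAMPLESTOLEN", 2, "eu-west-3", "vendor.model-c", "198.51.100.7", "ValidationException"),
    _event("AKIAEXAMPLESTOLEN", 2, "eu-west-3", "vendor.model-d", "198.51.100.7", "ValidationException"),
    _event("AKIAEXAMPLESTOLEN", 3, "eu-west-3", "vendor.model-e", "198.51.100.7", "ValidationException"),
    _event("AKIAEXAMPLESTOLEN", 3, "eu-west-3", "vendor.model-f", "198.51.100.7", "ValidationException"),
]


def detect_llmjacking(events, known_regions, window=timedelta(minutes=10),
                      min_models=4, min_error_ratio=0.5, max_calls=20):
    """Return one finding per access key that trips any of three signals.

    * enumeration: many distinct modelIds inside one sliding window
    * ValidationException ratio: the caller does not know which models are enabled
    * geography: InvokeModel from a region outside the workload's baseline
    Thresholds are assumptions, not values from the episode.
    """
    per_key = defaultdict(list)
    for e in events:
        if e.get("eventSource") == "bedrock.amazonaws.com" and e.get("eventName") == "InvokeModel":
            per_key[e["userIdentity"]["accessKeyId"]].append(e)

    findings = []
    for key, evs in per_key.items():
        evs = sorted(evs, key=lambda e: e["eventTime"])
        times = [datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ") for e in evs]
        # Sliding window: peak call volume and peak distinct models per window.
        peak_models = peak_calls = start = 0
        for end in range(len(evs)):
            while times[end] - times[start] > window:
                start += 1
            span = evs[start:end + 1]
            peak_calls = max(peak_calls, len(span))
            peak_models = max(peak_models, len({e["requestParameters"]["modelId"] for e in span}))

        reasons = []
        minutes = int(window.total_seconds() // 60)
        if peak_models >= min_models:
            reasons.append(f"probed {peak_models} distinct models within {minutes} min")
        if peak_calls > max_calls:
            reasons.append(f"{peak_calls} InvokeModel calls within {minutes} min")
        errors = sum(1 for e in evs if e.get("errorCode") == "ValidationException")
        if errors / len(evs) >= min_error_ratio:
            reasons.append(f"ValidationException on {errors}/{len(evs)} InvokeModel calls")
        odd = sorted({e["awsRegion"] for e in evs} - set(known_regions))
        if odd:
            reasons.append("InvokeModel from unexpected region(s): " + ", ".join(odd))
        if reasons:
            findings.append({"accessKeyId": key,
                             "sourceIPs": sorted({e["sourceIPAddress"] for e in evs}),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_llmjacking(SAMPLE_EVENTS, known_regions={"us-east-1"}):
        print(f["accessKeyId"], f["sourceIPs"], *f["reasons"], sep="\n  ")
```

The finding carries the access key and source IPs so that the containment step the episode describes can start from it directly: deactivate or rotate that key, then look at what else the same principal and IPs touched, since a key that works for Bedrock is usually not scoped to Bedrock alone.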