Ken and Mike discuss supply chain security, including software composition analysis (SCA) and software bill of materials (SBOM). They highlight the importance of understanding the components that make up your software and the risks associated with using third-party libraries. They also discuss recent supply chain failures, such as the XZ library hack and the SolarWinds attack. The hosts emphasize the need for organizations to stay up to date with software patches and to consider the security of commercial off-the-shelf software. They caution against placing too much focus on any one security tool or approach, including SBOM, and instead advocate for a well-rounded approach to security.

In this episode Mike and Ken dive into the wild world of SaaS products in DevSecOps. From vendors to security tooling hygiene they cover an often overlooked ecosystem of cloud and software services that may be rotting in the sky of your workloads. Join up for a listen on SaaS Security!

With pep and full youtube energy Ken and Mike discuss the findings of the IBM "Cost of a Data Breach" report and its implications for DevSecOps. They highlight the importance of integrating security into every phase of the software development life cycle and the positive impact it can have on reducing the cost of a data breach.

Ken and Mike discuss their new year's resolutions related to application security. They also reflect on the impact of AI and its adoption in the industry. The hosts share their experiences attending conferences and highlight interesting talks on topics such as zero-day vulnerabilities and fuzzing LLM models. They discuss the OWASP LLM Top 10 and the evolving perception of AI in the industry. The conversation concludes with a discussion on the definition of DevSecOps and how it has evolved over time, as well as their predictions for DevSecOps in 2024.

We are joined by incredible guests Mikhail Chechik and Marcus Hallberg as they help us define DevSecOps and emphasize the importance of a security mindset throughout the development process. These two incredible folks explore common misconceptions about shifting left and discuss the challenges of triaging and validating vulnerabilities early in the development lifecycle. We enter in the wild world of this wonderful shifting buzzword and how it applies to incident response, design, people, and the general development process.

On this episode of R2DSO Mike and Ken dive into their takeaways and experiences from LASCON 2023 in Austin, TX where AI was both a problem child and praised bringer of salvation in security. Vendors and companies alike are embracing AI with wide eyes and there was no shortage of talks, presentations, and hallway conversations about the topic. Beyond that security is fast accepting that they can't be the department of "No" a consistent theme here on the podcast. The team had a fantastic time at LASCON and we're happy to see where the industry is going!

In this episode Ken and Mike dive directly into the meat with solutioning and mitigation. All too often security professionals finding themselves falling into the trap of focusing on vulnerability counts, evangelizing findings, and playing the age old game of red, yellow, green. We jump straight into the why of this focus in the industry and offer some ideas on how to get out of it successfully. If you're interested in a conversation about solving problems rather than just identifying them, hop on in!

In today's episode, we untangle the web of alphabet-soup technologies: CSPM, VM, SIEM, and Log Aggregators. We go beyond the buzzwords to give you a no-nonsense look at how these tools fit together, complement each other, or might even replace one another in specific use-cases. Selecting the right tool can be overwhelming, and we're here to guide you through the when, where, and how of leveraging these technologies effectively. Whether you're encountering overlapping features or unique challenges, we'll help you make a savvy, informed choice for your workloads. Tune in for a practical guide to navigating the complex landscape of cybersecurity tools.