Dec 5, 2022
Guests:
- John Speed Meyers, Security Data Scientist, Chainguard
- Todd Kulesza, User Experience Researcher, Google
Topics:
- How did you get involved with this year’s Accelerate State of DevOps Report (DORA report)?
- So what is DORA and why did you decide to focus on supply chain security for the 2022 report?
- What are the big learnings from this year’s report?
- What’s the difference between SLSA and SSDF? Is one spicy and the other savory? How’re companies adopting these and how is adoption going?
- Are there other areas that DevOps can be a contributor in the overall security landscape?
- How can CISOs rope DevOps fully into their security gang?
- Operationally, how should security and developers and DevOps come together to keep vulnerabilities out in the first place?
- How should security and developers and DevOps come together to respond quickly to vulnerabilities when they’re discovered?
- How do security and developers and DevOps come together to prove to their auditors and customers that they’re doing a good job of the above?
Resources:
- 2022 Accelerate State of DevOps Report
- SLSA.dev site
- Secure Software Development Framework at NIST
- “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24)
- “Sharing The Mic In Cyber with STMIC Hosts Lauren and Christina: Representation, Psychological Safety, Security” (ep92)
- Go vulncheck tool
- “Reflections on Trusting Trust” paper (1984)