Security Icon

Security

InfoSec, DevSec, Penetration Testing, etc.
254 episodes
All Topics

Changelog Interviews Changelog Interviews #557

Attack of the Canaries!

This week we’re joined by Haroon Meer from Thinkst — the makers of Canary and Canary Tokens. Haroon walks us through a network getting compromised, what it takes to deploy a Canary on your network, how they maintain low false-positive numbers, their thoughts and principles on building their business (major wisdom shared!), and how a Canary helps surface network attacks in real time.

JS Party JS Party #282

The massive bug at the heart of npm

Darcy Clarke, former GitHub Staff Engineering Manager and founder of vlt, joins us to discuss a major bug in the npm ecosystem that he recently disclosed. We cover the bug’s timeline, nuances, and impact, all while setting some important context on npm packages, clients, and registries. Tune in to learn how to protect your codebase and gain a deeper understanding of this crucial part of the JavaScript ecosystem.

Practical AI Practical AI #201

Protecting us with the Database of Evil

Online platforms and their users are susceptible to a barrage of threats – from disinformation to extremism to terror. Daniel and Chris chat with Matar Haller, VP of Data at ActiveFence, a leader in identifying online harm – is using a combination of AI technology and leading subject matter experts to provide Trust & Safety teams with precise, real-time data, in-depth intelligence, and automated tools to protect users and ensure safe online experiences.

Ship It! Ship It! #76

Container base images with glibc & musl

In today’s episode, we talk about distroless, ko, apko, melange, musl and glibc. The context is Wolfi OS, a community Linux OS designed for the container and cloud-native era. If you are looking for the lightest possible container base image with 0 CVEs and both glibc and musl support, Wolfi OS & the related chainguard-images are worth checking out.

Ariadne Conill is an Alpine Linux TSC member & Software Engineer at Chainguard.

Ship It! Ship It! #58

How to keep a secret

Rob Barnes (a.k.a. Devops Rob) and Rosemary Wang (author of Infrastructure as Code - Patterns & Practices) are joining us today to talk about infrastructure secrets.

What do Rosemary and Rob think about committing encrypted secrets into a repository? How do they suggest that we improve on storing secrets in LastPass? And if we were to choose HashiCorp Vault, what do we need to know?

Thank you Thomas Eckert for the intro. Thank you Nabeel Sulieman (ep. 46) & Kelsey Hightower (ep. 44) for your gentle nudges towards improving our infra secrets management.

Changelog Interviews Changelog Interviews #490

Schneier on security for tomorrow’s software

This week we’re talking with Bruce Schneier — cryptographer, computer security professional, privacy specialist, and writer (of many books). He calls himself a “public-interest technologist”, a term he coined himself, and works at the intersection of security, technology, and people.

Bruce has been writing about security issues on his blog since 2004, his monthly newsletter has been going since 1998, he’s a fellow and lecturer at Harvard’s Kennedy School, a board member of the EFF, and the Chief of Security Architecture at Inrupt. Long story short, Bruce has credentials to back up his opinions and on today’s show we dig into the state of cyber-security, security and privacy best practices, his thoughts on Bitcoin (and other crypto-currencies), Tim Berners-Lee’s Solid project, and of course we asked Bruce to share his advice for today’s developers building the software systems of tomorrow.

Ship It! Ship It! #53

Securing K8s releases (KubeCon EU 2022)

Today we are at KubeCon CloudNativeCon EU 2022, talking to Adolfo García Veytia about securing Kubernetes releases. Adolfo is a Staff Software Engineer at Chainguard, and one of the technical leads for SIG release, meaning that he helps ship Kubernetes. You most likely know him as Puerco, and have seen first-hand his passion for securing software via SBOMs, cosign and SLSA. Puerco’s love for bikes and Chainguard are a great match 🚴‍♂️

Ship It! Ship It! #46

A simpler alternative to cert-manager

Nabeel Sulieman, Senior Software Engineer at Vercel, talks about KCert, a simpler alternative to cert-manager that he built. Gerhard tried it out, and he thinks that Nabeel is onto something. If you want to see the video that they recorded, ping us on Twitter or Slack.

We love this story, especially the long-term approach of working on something that one truly believes in, and the only reason is because it’s fun. The world needs more people like Nabeel, and we hope that this episode inspires you to go all out, and do just that.

Changelog Interviews Changelog Interviews #482

Securing the open source supply chain

This week we’re joined by the “mad scientist” himself, Feross Aboukhadijeh…and we’re talking about the launch of Socket — the next big thing in the fight to secure and protect the open source supply chain.

While working on the frontlines of open source, Feross and team have witnessed firsthand how supply chain attacks have swept across the software community and have damaged the trust in open source. Socket turns the problem of securing open source software on its head, and asks…“What if we assume all open source may be malicious?” So, they built a system that proactively detects indicators of compromised open source packages and brings awareness to teams in real-time. We cover the whys, the hows, and what’s next for this ambitious and very much needed project.

JS Party JS Party #210

What's in your package.json?

Tobie Langel, Open source strategist and Principal at UnlockOpen, joins Chris, Feross, and Amal to discuss recent widespread incidents affecting the JavaScript community (and breaking CI builds) around the globe. Two widely used npm libraries were self-sabotaged by their single maintainer, yet again, highlighting the many gaps in our OSS supply chain security, sustainability and overall practices. We explore all these topics and solution on what our ecosystem needs to be more resilient to these types of attacks in the future.

Player art
  0:00 / 0:00