Defense In Depth Means Writing More Tests To Make Sure You Don't Regress - John Poulin

In this episode of the Security Repo Podcast, we sit down with Alex Scheel, staff back-end engineer at GitLab and chair of the OpenBao Technical Steering Committee, to discuss the origins and future of OpenBao, a fork of HashiCorp Vault. Alex explains the implications of HashiCorp's licensing change, the technical advantages OpenBao brings to the table, and the importance of open-source governance under the Linux Foundation. We also dive into interoperability in security tooling, secrets management best practices, and how developers can get involved in contributing to OpenBao.Alex Scheel is a Staff Backend Engineer at GitLab and the Chair of the OpenBao Technical Steering Committee. He has built a career on open source contributions, previously working at Keyfactor on Bouncy Castle, at HashiCorp on Vault, and at Canonical and Red Hat. You can find him under the nickname cipherboy most places. In his free time, he likes playing the violin and taking photography trips.https://www.linkedin.com/in/alexander-scheel-807514105/https://openbao.org/

In this episode of the Security Repo Podcast, we sit down with Edna Jonnson, a cybersecurity engineer and SOC analyst, to discuss their journey from web development to security operations. Edna shares insights on the value of Capture the Flag (CTF) competitions for skill development, recounting their recent victory at Wild West Hacking Fest. We also dive into their day-to-day work in a SOC, the importance of credit freezes for personal security, and their involvement in cybersecurity communities like DEF CON and B-Sides Orlando.Edna Jonsson (they/them) is a cybersecurity engineer and SOC analyst with a strong foundation in web development and technical education. Their journey began as a web developer and coding bootcamp instructor, equipping them with a unique blend of technical expertise and a passion for mentorship.Edna is an active leader in the cybersecurity community, serving as the Volunteer Coordinator for BSides Orlando and an organizer for Career Village and Social Engineering Adventure Village. They also play a pivotal role in DEATHCon, both as the main conference organizer and Orlando site lead. They also help organize meetings for the local DC407 chapter.Previously, Edna hosted Security Chipmunks, a podcast dedicated to guiding early-career cybersecurity professionals. They were also instrumental in the launch and rapid growth of the WGU Cybersecurity Club, helping expand its membership to over 8,000 students. Edna coined the club’s motto, “No Owl Left Behind,” emphasizing their commitment to ensuring every student—whether in academics or competitions—received the support they needed to succeed.With a deep passion for cybersecurity, education, and community building, Edna continues to empower the next generation of security professionals.https://www.linkedin.com/in/ednajonsson/https://bsky.app/profile/ednas.bsky.social https://x.com/ednashttps://dc407.com/https://deathcon.io/https://bsidesorlando.org/

In this episode of the Security Repo Podcast, we dive into the concept of defense in depth with guest John Poulin, who shares insights on secure code reviews, architecture design, and threat modeling. We discuss the importance of integrating security tests into development workflows, the role of security headers in assessing a company's security posture, and the challenges of implementing robust audit logging. Plus, John recounts the day GitHub logged out all users due to a security bug and offers advice on avoiding over-reliance on web application firewalls.John Poulin leads Cloud Security Partners' technology and platform development. He is an experienced application security practitioner with over 10 years of experience in software development and security. Over his tenure, John has worked with many Fortune 500 companies and startups to perform secure code review, architecture, and design discussions, as well as threat modeling.Previously, John served as a staff manager of product security engineering, a role in which he and his team focused on performing secure code review of features and services, performing threat modeling, and helping to ensure that Cloud Security Partners' software ecosystem moves toward security maturity. John has also served as the director of engineering, where he focused on leading engineering teams through multiple stages of security-focused product development.John has given talks or training at many industry conferences, such as DEF CON, LASCON, DevSecCon, CactusCon, and Source, as well as various Ruby and OWASP events about practical application security.In his free time, John enjoys spending time with his family, traveling, playing adult league softball, and making hot sauce.https://www.linkedin.com/in/johnmpoulinLogs wall of shame https://Audit-logs.taxSSO wall of shame https://sso.tax/

In this episode of the Security Repo Podcast, Dwayne and Kayssar dive into Kayssar's role as a security leader at GitGuardian, exploring his responsibilities, challenges, and the balance between proactive and reactive security work. They also discuss the evolution of security tools, the importance of relationship-building in security roles, and share insights on vulnerability management and security awareness training. Kayssar offers a unique perspective on what the security industry is getting right, as well as areas that need improvement, especially regarding VPNs and vulnerability prioritization. Kayssar Daher is a systems security & data privacy enthusiast specializing in securing SaaS platforms. If you'd like to know more about what he do, check out his blog: https://the.secure.engineer https://www.linkedin.com/in/daherk/

In this episode of the Security Repo Podcast, Dwayne and Kayssar sit down with Dustin Lehr, co-founder and chief product and tech officer at Katilyst , to explore the power of Security Champions programs. Dustin shares insights from his journey as a software engineer turned cybersecurity leader and explains how security champions can bridge the gap between security teams and developers. The conversation covers trust-building, best practices for implementing a successful champions program, and how to measure its impact in ways that resonate with executives. Dustin Lehr is an accomplished software engineer turned executive cybersecurity leader who designs security programs that reinforce proactive behavior to avoid security incidents. He is the Co-founder / Chief Product and Technology Officer at Katilyst, a company dedicated to helping organizations enhance their culture by building engaging security champion programs. Dustin is also the driving force behind the Security Champion Program Success Guide and possesses a wealth of experience in application security, providing innovative coaching and consulting services. In addition, he is a prominent community thought leader, speaker, and founder of the "Let's Talk Software Security" monthly open discussion meetup group. https://www.linkedin.com/in/dustinlehr/ Katilyst - https://www.katilyst.com/ Security Champion Program Success Guide - https://securitychampionsuccessguide.org/ "Let's Talk Software Security" - https://www.meetup.com/lets-talk-software-security/

In this episode of the Security Repo Podcast, we dive into the world of ISACs (Information Sharing Analysis Centers) with Cherie Burgett. Cherie shares insights into the nuanced field of cyber threat intelligence, discussing how interpretation techniques like hermeneutics can enhance understanding of threat actor behavior. The conversation also explores practical approaches to information sharing, intelligence delivery, and the importance of balancing concise communication with actionable insights. Since its inception, Cherie Burgett has worked with the Mining and Metals ISAC. As the Director of Cyber Intelligence Operations. Cherie is responsible for researching and analyzing the ever-changing threat landscape affecting the mining and metals sectors. With a unique philosophy and approach to cyber threat intelligence incorporating lessons learned from studies in the arts and humanities, she brings a nuanced perspective to the ethics and human condition relating to both threat actor groups and the people defending our critical infrastructure. Recent Articles about Hermeneutics Applied to Cyber Threat Intelligence - https://www.linkedin.com/pulse/hermeneutics-cyber-threat-intelligence-part-1-tactical-cherie-burgett-x8ime/?trackingId=n33uyXThS%2FCcMkPYyNMCVQ%3D%3D https://www.linkedin.com/pulse/hermeneutics-cyber-threat-intelligence-part-2-why-cherie-burgett-8xmfe/?trackingId=n33uyXThS%2FCcMkPYyNMCVQ%3D%3D https://www.linkedin.com/pulse/hermeneutics-cyber-threat-intelligence-part-3-planning-cherie-burgett-xgzwe/?trackingId=n33uyXThS%2FCcMkPYyNMCVQ%3D%3D

In this episode of the Security Repo Podcast, we explore the intersection of observability and security with special guest Josh Lee, a developer advocate at Altinity and expert on Clickhouse and OpenTelemetry. We discuss the evolving definition of observability, how context and tagging enhance both security and observability practices, and how databases like ClickHouse® compare to Snowflake for monitoring applications at scale. Josh also shares insights on DevOps culture as a "foreign language" and how to bridge gaps between developers and operators in adopting modern practices. Josh is a seasoned software developer with over a decade of experience, specializing in a broad range of topics including operations, observability, and cloud-native databases. His passion for technology is matched by his enthusiasm for sharing knowledge through public speaking. Currently, Josh serves as a Developer Advocate for Altinity, where he creates educational content on ClickHouse® and OpenTelemetry. Find Josh at https://www.linkedin.com/in/joshuamlee/ @[email protected] @joshleecreates.bsky.social and on the Altinity Slack https://altinity.com/

In this episode of the Security Repo Podcast, we talk with cybersecurity expert Stephanie Honore, about her journey into security, her work with the Freedom of Information Act (FOIA), and her insights on ethical AI and chain of custody in data handling. She shares her experience building software for evidence management and her thoughts on the intersection of security and legal frameworks. We also explore her creative side as a "spycore" musician blending cybersecurity themes with nerdcore music. Stephanie Honore, also known as Scarlett Danger, is a professional programmer, building applications by day, and a volunteer OSINT investigator by night for NGOs that combat human trafficking. She has been a member of WiCyS (Woman of Cybersecurity) since 2016 and attended Hacker On The Hill in Jan 2024.  She began by attending the local hacker meetups and frequently attends cybersecurity conferences such as BSides and Texas Cybersecurity Summit. She recently started joining online chat communities on Discord and IRC where she is getting a lot of exposure to a different side of the security field. Outside of work she likes making nerdcore music about security and intelligence ( a genre she has dubbed spycore) inspired greatly by performers like YTCracker, MC Frontalot, and Yung Innanet.  You can listen to one of my songs here.  https://soundcloud.com/scarlett_danger/hack-the-planet-v2?in=scarlett_danger/sets/internet-feels https://www.linkedin.com/in/smhonore/ https://smhonore.deno.dev/ https://www.wicys.org/ https://www.muckrock.com/news/archives/2024/aug/26/with-a-little-help-from-the-national-archives-nsa-finally-releases-grace-hopper-lecture-watch-it-here/

In this episode of the Security Repo Podcast, we explore the fascinating and complex world of non-human identities (NHIs) with Jody Hunt from CyberArk. We discuss the challenges of authenticating machine workloads, delve into the "secret zero" problem, and consider how frameworks like SPIFFE are shaping the future of secure machine identity. Plus, Jody shares his journey through a tech acquisition and the enduring importance of thinking like an attacker in cybersecurity. Jody has held diverse roles in software development, sales, and marketing. He has been an enthusiastic promoter of DevOps principles since 2010. He became aware of the growing security gap introduced by automation which led him to join Conjur in 2017. Four months later, CyberArk acquired Conjur to extend secrets management and machine identity solutions to DevOps, Cloud and Kubernetes workloads. https://www.linkedin.com/in/jodyhuntatx/ https://spiffe.io/book/ https://blog.gitguardian.com/protect-secrets-with-cyberark-and-gitguardian-integration/

In this episode of the Security Repo Podcast, the team dives into the OWASP Top 10 for Large Language Model Applications with special guest Talesh Seeparsan, an expert in cybersecurity and AI safety. Talesh shares insights into why a specialized top 10 for LLM vulnerabilities is essential, delves into unique challenges like system prompt leakage and AI supply chain risks, and provides practical advice for small companies navigating AI compliance. The conversation wraps up with reflections on security best practices, including collaboration and skepticism about industry norms. With over a decade in cybersecurity, Talesh is a trusted expert in protecting enterprise applications. He has collaborated with the U.S. DoD, developed Appsec training for Adobe, and secured identities for multibillion-dollar firms. Today, he guides companies in building secure, trustworthy, generative AI and LLM applications and volunteers with the OWASP Foundation team working on the OWASP Top Ten for LLMs. His north star is the safe, performant adoption of frontier AI. https://www.linkedin.com/in/talesh https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/ https://owasp.org/www-project-top-10-for-large-language-model-applications/