Effective Software Development Invoice Example for Security

Streamline your invoicing process with airSlate SignNow's user-friendly platform. Enhance collaboration and save costs while eSigning essential documents effortlessly.

Move your business forward with the airSlate SignNow eSignature solution

Add your legally binding signature

Create your signature in seconds on any desktop computer or mobile device, even while offline. Type, draw, or upload an image of your signature.

Integrate via API

Deliver a seamless eSignature experience from any website, CRM, or custom app — anywhere and anytime.

Send conditional documents

Organize multiple documents in groups and automatically route them for recipients in a role-based order.

Share documents via an invite link

Collect signatures faster by sharing your documents with multiple recipients via a link — no need to add recipient email addresses.

Save time with reusable templates

Create unlimited templates of your most-used documents. Make your templates easy to complete by adding customizable fillable fields.

Improve team collaboration

Create teams within airSlate SignNow to securely collaborate on documents and templates. Send the approved version to every signer.

See airSlate SignNow eSignatures in action

Create secure and intuitive eSignature workflows on any device, track the status of documents right in your account, build online fillable forms – all within a single solution.

Try airSlate SignNow with a sample document

Complete a sample document online. Experience airSlate SignNow's intuitive interface and easy-to-use tools in action. Open a sample document to add a signature, date, text, upload attachments, and test other useful functionality.


airSlate SignNow solutions for better efficiency

Keep contracts protected

Enhance your document security and keep contracts safe from unauthorized access with dual-factor authentication options. Ask your recipients to prove their identity before opening a contract.

Stay mobile while eSigning

Install the airSlate SignNow app on your iOS or Android device and close deals from anywhere, 24/7. Work with forms and contracts even offline and sync them later when your internet connection is restored.

Integrate eSignatures into your business apps

Incorporate airSlate SignNow into your business applications to eSign documents quickly without switching between windows and tabs. Benefit from airSlate SignNow integrations to save time and effort while eSigning forms in just a few clicks.

Generate fillable forms with smart fields

Update any document with fillable fields, make them required or optional, or add conditions for them to appear. Make sure signers complete your form correctly by assigning roles to fields.

Close deals and get paid promptly

Collect documents from clients and partners in minutes instead of weeks. Ask your signers to eSign the invoice and add a charge request field to your sample to automatically collect payments during the contract signing.

Collect signatures 24x faster. Reduce costs by $30 per document. Save up to 40h per employee / month.

Our user reviews speak for themselves

Kodi-Marie Evans, Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.

Samantha Jo, Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.

Megan Bond, Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.

Why choose airSlate SignNow

  • Free 7-day trial. Choose the plan you need and try it risk-free.
  • Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
  • Enterprise-grade security. airSlate SignNow helps you comply with global security standards.

Software development invoice example for Security

Creating and managing invoices for software development projects in the security sector can be streamlined using airSlate SignNow. This powerful tool not only facilitates document signing but also enables businesses to efficiently handle invoicing, thereby improving cash flow and project tracking.

Software development invoice example for Security

  1. Open your browser and navigate to the airSlate SignNow website.
  2. Create an account for a free trial or log in if you are an existing user.
  3. Choose the document that requires signing or distribution.
  4. Transform frequently used documents into reusable templates.
  5. Upload the selected document and customize it by adding necessary fields or information.
  6. Add your signature and designate fields for recipients' signatures.
  7. Proceed to finalize the document and send the eSignature invitation.

By adopting airSlate SignNow, businesses can benefit from a robust solution that enhances their document management efficiency. The platform is designed for scalability, making it especially suitable for small to medium-sized businesses.

With transparency in pricing and excellent customer support available 24/7 for all paid plans, airSlate SignNow is an investment that offers remarkable ROI. Start optimizing your invoicing process today!

How it works

Access the cloud from any device and upload a file
Edit & eSign it remotely
Forward the executed form to your recipient

airSlate SignNow features that users love

Speed up your paper-based processes with an easy-to-use eSignature solution.

Edit PDFs online
Generate templates of your most used documents for signing and completion.
Create a signing link
Share a document via a link without the need to add recipient emails.
Assign roles to signers
Organize complex signing workflows by adding multiple signers and assigning roles.
Create a document template
Create teams to collaborate on documents and templates in real time.
Add Signature fields
Get accurate signatures exactly where you need them using signature fields.
Archive documents in bulk
Save time by archiving multiple documents at once.

Get legally-binding signatures now!

FAQs

Here is a list of the most common customer questions. If you can’t find an answer to your question, please don’t hesitate to reach out to us.


What active users are saying

Get access to airSlate SignNow’s reviews, our customers’ advice, and their stories. Hear from real users and what they say about features for generating and signing docs.

Effortless Signing
Rating: 5
Administrator in Building Materials

What do you like best?

I like that it is easy to upload documents and quickly request an electronic signature through email. I like that it emails you when the document has been signed and the PDF is sent to you via email. You can just download right there and get it sent off or filed immediately.

Love It!
Rating: 5
Administrator in Events Services

What do you like best?

Easy to use on my end and also on my clients' end. It's easy for them to sign and document the documents, because they get an automated email with the attachment. Even if you don't download the attachment, it's there on your email.

Great program that works perfect for our law firm!
Rating: 5
User in Law Practice

What do you like best?

We have been using Sign Now to have our clients sign documents electronically for more than a year now. It has been the perfect solution for our business! We are able to process documents more quickly and efficiently with Sign Now! We have a lot of clients who prefer to be able to retain our firm to represent them quickly and without having to come into the office. With Sign Now, we are able to represent people statewide without clients having to travel to our office if they prefer not to do so. We are also able to help clients get signed up on the day they call if they are ready to retain our firm at that time. Our staff and our clients love using Sign Now!


Software development invoice example for Security

Welcome to the Talking Security podcast, where we talk about items related to Microsoft security. Hello, and welcome again to a new Talking Security podcast, the SecOps series within the DevSecOps series. This is the second recording. The first time we talked about the developer security workplace, the developer workplace and what we should do from a security perspective. Today we're talking about a completely different aspect of DevSecOps. Within DevSecOps there are different aspects that we want to address in the next few recordings, probably seven or eight; the next recording we will touch on that. Today we are touching the codebase, but also security from a developer's perspective, the developer in house. So what's your view on security within the developers' area?

I think that when you're talking about developers, what we're really good at is writing code, and that's kind of what we're paid to do. I often see that security from a developer's standpoint is just not there; there's not enough knowledge in a developer to actually do this sufficiently. I know how to write secure code: validate incoming data, stuff like that, it's just basic stuff. But when we're actually talking about deploying your applications to the cloud or scanning for vulnerabilities, stuff like this is something that developers often don't really know. And this is what you need specialists for, like you guys. And I think that is definitely not something that scales nowadays. When you're deploying your code maybe multiple times per day, when are you actually checking if your application is secure? You can't just ask some security specialist to check that once a week; that's maybe not even enough. That's a difficult thing.

Yeah, and talking from a developer perspective, with DevSecOps the world changes, because you are developing applications and stuff, but we are also doing infra, infrastructure as code. Yeah, definitely. So that's also a big change, I think, for developers and the whole DevSecOps these days: it's not only about the application but also our infrastructure, how it will be deployed and created at a later moment in Azure or any other cloud provider. Which is a big part of the whole DevSecOps. And also what you mentioned: I think if you look from the outside at developers and see how many stages are involved in developing code, an application or an infrastructure part, security cannot be just an additional stage that is added to that whole process. It's not an afterthought. No, right. And I think that's the whole idea behind DevSecOps; they didn't add an additional pillar to it, they said security should be part of every stage in the whole process, because I think the end goal, and we will touch on that today a little, is to find that vulnerability as soon as possible. Right, and I think that's what we are going to talk about in this series: more the shift-left approach, which you are seeing coming from developers of course, but now security is adopting that framework as well.

Yeah, so like you already said, security is not an extra step in the chain. We're not adding a little "oh, we need to do security at some point". No, every stage of developing an application, and there are lots of stages, should be done securely, and all of them need different steps. So you're kind of shifting the approach of security more to the left, more to the developer perspective, more to the planning perspective. When you're planning to build your application, when you're designing it: what do we need? We need to build an application that talks to the cloud. OK, how does security play a role here? How are we going to talk about security? Not something that you do in the end; you really take it with you in all stages of developing it. It needs to be integrated in every step, and every single piece that you're thinking of, security needs to be part of it. Yeah, because nowadays we're not writing applications anymore and then deploying the files on an FTP server or something like that by hand. We're doing so much more: we're hosting our code somewhere like GitHub, Azure DevOps, GitLab, stuff like this, and then we're using CI/CD, build pipelines, release pipelines, we're doing tests, we're doing monitoring. There are so many things, and this works really well, but there are also so many things that can go wrong, and if you just ask a developer to fix all of this, you can't do it. You need a security analyst, but this all needs to be done in a continuous way.

Yeah, I think that approach has been adopted by developers for a really long time, right: building, testing, unit testing or other types of testing of your code. But less with a security mind, like: OK, are there vulnerabilities in my code, or could there be any vulnerability? I think that's the big change, because developers have been doing code testing for a really long time, but not always from a security perspective. No, it is really difficult for a developer to do all of that. One important thing is that you need to update your packages, update your dependencies and stuff like that, and not a lot of developers like doing that. It's boring work, it's just very time consuming, and often you don't really have any time to do it. The focus is on building those new features; it's not on updating everything that you've already built. And if you have an application that you built on your own and it's completely your own code, you could scan your code and you're completely aware of what's in it. If you're using a library, for example look at Log4j, the issue that we have seen, if you're using some other components like Log4j, then you are relying on other stuff, and then it's harder to check if you have any vulnerability or not.

Exactly, because nowadays I don't think any developer is building an application without any dependencies. It is probably possible if you're just writing HTML, CSS, maybe some JavaScript yourself, it is possible, but I would say that 80, 90, even more percent of applications nowadays are built using a framework in the front end like React, Angular, Vue, or you're building a server application in Java or .NET; it doesn't really matter, anything is using libraries. And keeping them up to date is one thing, right, but also what dependencies you're using: one package, and that package, in front-end land, in JavaScript land, has like a thousand dependencies which have dependencies which have dependencies. If one of them in the chain gets a vulnerability somewhere, all the packages above are also vulnerable. Yeah, and it's: I need to build this feature, I need to build this new checkout page, but I also need to ensure that dependency 6,000 is still valid. It's impossible for me to do that alone; I cannot do that in the time that I have.

Yeah. If you look at application development, dependencies are playing a big role. What about infra code? If we are deploying infra on the Azure platform or on AWS or whatever, do we have that sort of dependencies also? Well, not so much the dependency on libraries. When it comes to infrastructure as code, where we mainly focus is to find the misconfigurations, right, something we can do on multiple levels: we can do that when deploying the resources to our Azure cloud, for example we can do that with Azure Policy these days, where we can say OK, we are allowing users to create a virtual machine in Western Europe, they need to have certain disk encryption models configured, and they are not allowed to have a public IP address. So that's something we can do, but that's on the Azure side, and when we start doing infrastructure as code, the developer has done all the configuration, built the templates, committed that code, that code is merged and deployed, and at the deployment you find out that there are some restrictions. And I think that's also a little too late, because you want to find that misconfiguration much earlier. From my understanding, developers want to find the bug or the misconfiguration in the code, in the IDE, not even in the build and validation phase.

Well, I mean, that would, I guess, be the best thing, and you definitely have code analyzers that check like, hey, you're writing code here that might be insecure, or you're missing validation, and then something in your IDE would be very great. But the thing is, if you only do it in the IDE, and you don't make all of this validation of your dependencies, vulnerability scanning, a part of your pipeline and you only do it in your IDE, then a developer on your team that doesn't use that IDE or doesn't have the configuration is still going to let vulnerable packages in. So I think it should be in two phases, right. Both, I guess. Most of the time I see it just happen in the pipelines itself, and for me that works enough. You do nowadays have it integrated in Visual Studio: you get a warning when the .NET package manager, NuGet, finds out that there's a vulnerable package; you actually get a notification nowadays, which is really useful. I never really thought about it, and last week I started my Visual Studio instance and I saw that NuGet told me, hey, you have vulnerable packages. That's extremely useful as a developer to know, and then you can just make work of it, or you can tell your team: hey, next week or next sprint we really need to start focusing on these packages and we need to update them.

Yeah, because, for instance, you mentioned Log4j. If you look at Log4j, and I think you had a similar experience, when the customers called or when we were proactively searching customer environments, we were looking more on the infrastructure side, right, to find that: Defender, firewalls, Sentinel. It was on the infra side, but the infra side was detecting the applications that are using that Log4j. So the detection was realized on the infra components, but the vulnerability was in the applications. So it's somewhat hard to search all the applications to see the vulnerabilities, and then you need a vulnerability scanner on a network or on an application server, whatever, to find if a certain library is installed and being used in that area. But that's the side from a customer perspective that we have. On the side of a developer, a developer needs to know where his dependencies are. So if we take Log4j as that example: Log4j is coming up and there is a vulnerability in a specific package, then as a developer he needs to check and he needs to know which applications do I have with that dependency, so I need to update that.

Yeah, exactly. One thing that's really funny when we're talking about package vulnerabilities is when I talk to developers or managers and stuff like that about "we need to improve our security because it's insecure", and they're like: yeah, but we're just a small company, you know, no one is going to hack us, they don't have anything to gain here. And that is maybe true in the olden days, where hackers could just target companies and stuff like this, but nowadays, when we're saying Log4j, or when we're saying a package that has a dependency on a package, yada yada, keep going like that, and somewhere in that chain is a vulnerability, you are suddenly vulnerable. And they did not target you; they just targeted one little package, and suddenly millions of companies could be vulnerable. Yeah, and I think from a hacker perspective it doesn't matter what you're doing: if you have a small piece of software that is used by lots of other vendors, application developers and so on, then there's potentially a bigger impact in the world and you have access to more machines if you can realize it that way. Yeah, it makes sense from a hacker perspective as well. Why would you target one little company if you could potentially know, oh, this company, this website is built in React or something like that, or they're hosting their server with .NET? So we're just going to grab some popular .NET packages and we're going to try finding vulnerabilities in those and get some bad stuff going on there, and I know that the company will use my package. It's so much easier.

If you're talking about risks, what are, in your opinion, the common security risks and challenges that developers have? I think number one would be, from the code perspective, how you're managing your secrets. So you're writing code to connect to services in Azure, or just to connect to services from an external service, like I don't know, an invoice service or payment service, which you see a lot of nowadays. How do you make sure that those credentials are kept safe? Lots of developers just don't really think about it much, and it can be a difficult topic. I see it often. You see often that they are still being leaked. In 2019 I read that there were like 100,000 secrets or something leaked from GitHub. Yeah, like 100,000, and that's just not going to stop; that is just going to keep going.

We know a scenario in the Netherlands, well, it's almost a year ago, of an IT admin who, from my understanding, wanted to do something good and wanted to share what he built on a code page, and he published it on GitHub so that others could use it, and it contained the username and password of a highly privileged admin account. Oh, and then I have a great story to tell on this. So it was a few years ago, in the Dutch tax services, so part of the Dutch government. There was an employee there who had a GitHub account, and some Dutch citizen found that GitHub account and was just looking around at it, and in there he found some credentials to that employee's private GitLab account. So he was like, OK, I'm just going to have a little look, and take a look at that GitLab account, and what he found was a plain text file with all the usernames and passwords of the Dutch tax services, like Azure admin accounts. Nice. So what he did, he went to the Azure portal, he logged in with username and password, and it was correct, but luckily of course there was two-factor authentication installed, so he was like, you know, out of luck. Well, of course he didn't want to log in; he was a nice guy. And a few seconds later he was logged in. So some employee at the Dutch tax company actually clicked on "yes, it is me trying to log in", and this guy was logged in as the global admin in Azure. You can just see: even with these big governments, it is so easy to just leak a secret. It is very easy to do, and developers definitely need help. We need to integrate this security perspective all the way into the development of the code and everything else.

Yeah. And this guy was a white hat hacker, so he informed the tax services that he was able to log in. Yeah. But one thing I want to highlight on the story that you are describing is: there was MFA. Yeah, there was MFA. And because someone gets a notification on his phone and he approves it, the hacker is in. So MFA fatigue is something we are facing in this area. There was one notification probably, but how many times are our admins facing a notification or an approval prompt that comes in multiple times, and then in the end I'm fed up, I click on yes. Exactly, and then you have a potential big impact on... No, it was a test environment, so it was not that big. It was a test. I'm pretty sure it was prod. I thought it was... let's just say it was test. Let's hope it was. There was an example of a big environment of a big company, a public company, and that's potential. Yeah, it's crucial that you have secured that sort of user credentials.

So this brings us to, I think, a really nice summary of what is happening, right, because we started with some code, some username and password in code which is published on a repository, and all through the whole process, on the other side, somebody used that account to log in, right. And that's, I think, the whole gap that is there. So on the left side we had that code which contained the password, and all on the right side we had Active Directory, MFA, whatever in place to try to stop it or try to detect it, with things like Sentinel or Defender for Identity, possibly, that kind of stuff. We have that in place, yeah. And I think if you look at the market, everybody's so focused on that side, everybody's trying to say OK, how do I find anomalies in user logins, or how do I monitor my firewall, how do I monitor all kinds of operations. And we should also ask ourselves: it's good that we do that, but it's a complete blind spot for us, or for companies; often they don't see where the vulnerability started. Yeah, that's a good point, and that's I think what brings us to the whole DevSecOps, and let's touch on that for today. But that's going to be a topic that returns, I think, every session we have, and that's the whole shift-left model for security. Because on the right side we should have everything in place to detect it there, but we should also have our processes and our tooling and our things in place to detect that more on the left side. Yeah, prevention is better than healing, right; you want to prevent all of these things from happening. Yeah, but we know we cannot prevent everything, and things like Log4j, so we need to have that detection as well on our operations side, but also processes in that area: if something happens that we did not detect up front, so there is an issue later on, what are the steps to take?

I want to get back to the security risks. The first thing that you mentioned was managing secrets, and then we had a whole discussion. Are there any other topics from a security risk perspective? I think definitely, well, we already touched upon that, the dependencies. Yeah, dependencies are a big thing. Another one that is still, sadly, very common: I think like the OWASP, does anyone here know what it stands for, off the top of their head? No, I don't remember off the top of my head, but it's owasp.org. I think it's the list of the top 10 vulnerabilities that are still found, and number one that is still found, I think every year, is SQL injections and stuff like that. That is really, we're talking about code here, and how hackers can just get cross-site injections, that kind of stuff. Stuff like that as well, that's also on the list. Yeah, and Bing is helping me on that: it is the Open Web Application Security Project. Exactly, I'm not going to remember that, but exactly that. Yeah, so stuff like these are definitely things that are happening more often, and things like the OWASP vulnerabilities, like you already mentioned, your programming environment, they are getting better and better in helping you detect these issues. But when we're looking at number one and two, like vulnerabilities and leaking secrets, that's something that is currently not normal for developers yet to think about. Like the OWASP stuff is stuff that you learn; it's stuff that developers quickly learn when they're becoming a programmer, because it's very important. But all of these other things that we just mentioned are newer, they're modern problems for the things that we're building nowadays, and you need to use some products and stuff like that, you need to use tools to improve upon these processes.

Do we have any examples of how we can address these kinds of risks that we have? Well, tools. Yeah, tools. So for example you have things like Dependabot, which is very often used, is what I'm trying to say, sorry, on GitHub. So that's a tool that you can use to automatically get package updates, and first of all it's great because it makes your thing more secure, and second of all it's going to save you so much time. So developers and security people should just absolutely love using tools like this. So every day you get a pull request, or it's even automatically merged into your code, like hey, these packages should be updated, or hey, these packages contain vulnerabilities, you should update them, or you should even migrate to a new package, stuff like this. Yeah, so maybe to explain a little for the listeners: I think what Dependabot does is, it looks... you can define which libraries you are using in your code? I think it does that automatically. It does it even automatically, oh perfect. And based on that it looks if there are any new versions available. Exactly. And if so, it will indeed, as you said, automatically integrate it or create a pull request for you so that you know, OK, I need to change that. So that's really a GitHub-only feature, I believe, right? Dependabot only runs on GitHub, yes, but there's a thing called Renovate bot. I learned about it only two or three weeks ago, and I still need to start implementing that in the codebase where I work. Renovate bot is the same idea: you can self-host that and you can use that, I think even if you wanted to, on GitLab or Azure DevOps and stuff like that. So that's the same idea; you could get vulnerability updates, package updates, all that kind of stuff.

So we're talking about tools that can be helpful to address certain vulnerabilities, certain things and misconfigurations. But those are tools; what can we do regarding awareness on the developer side itself, on the people? What can we do to improve the awareness and expertise on that side? I guess people should listen to this podcast. Yeah, definitely. That's a difficult one. I feel like a lot of these awareness things, it's a time-driven thing; it takes time for people to learn more about this. Now, do we need to educate them? Because we have security awareness on the end-user side, giving people training materials, and we have that also from a management perspective, so consultants and people who are managing IT systems have training stuff for that too, but especially for developers, I don't think there's that much. So we had a great talk on this with David, of course, regarding Defender for Cloud focused on DevOps, David Rano, yeah. And I think the key is, it's partly in training the people, but I think it's mainly to bring those people together. Exactly, yeah. And I think that would be the best approach. If you look at technologies like Defender for DevOps, part of the Defender for Cloud stack, it depends on what kind of code scanning you have enabled, but regardless of that, you have features like pull request annotations. So what it does is it automatically scans your code for passwords or anything else, and that raises an alarm; it goes to Defender for Cloud, and that syncs back to your DevOps pull request and it points out, like, on line three you have used a certain parameter, or you used a password, or we found that and that and that, with more information, click here, read more on that. And what it does is it creates a platform where security can take a look in the developer ecosystem, find vulnerabilities that could be there, and give them feedback on their platform, instead of saying no, you developer, you need to go to a security portal to see the information. No, bring that information back to where the developer works. Exactly, it's like you're getting taught automatically, right. Definitely, learning about this is important, but getting taught about it is even easier for everyone: the developer gets a notification like, hey, you did it wrong. I just want to touch upon that product. You said Defender for DevOps, is what you said, yeah. Is it still Defender for DevOps? It's part of the Defender for Cloud security... I think it was something with "security" now in the name, right, like they're renaming it
every month yeah so it's it's still something that says there that was something at ignite yeah there was something watch that so so what I saw is uh like there's also you know like an let's let's talk about talking to an service like send Grid or something to send emails and you use an API key send it that way what I learned some time ago is that that uh send gits API key is a very specific API key it's like starts with SG and then something else so when GitHub detects when GitHub detects a push to your repo and it contains a send grid API key it will automatically go and do a call to send grid to invalidate that API key I find that a very very interesting approach even if you leak a secret like it is automatically invalidated so it cannot be used by hackers anymore I believe GitHub has that also for yourself so you can publish your keys in a certain list and it will automatically scan all the other repositories if it finds the key outside of your repository it will give you a sign as well that is interesting because that shows if your key is leaked or not exactly that's really good like but you know it being invalidated is um like the next step compared to like getting a notification like getting a notification and you're you're on holiday for 3 weeks then you might have you know you might got three weeks ago when you come back yeah like it getting invalidated immediately and stuff like that it's I think like the next big thing the next question that I have was uh regarding collaboration and communication between developers and security analyst and you already touched a little bit on that but if if we are uh touching a bit more on that perspective um sending the sock analyst to to the developer portal uh so they can communicate with each other and get feedback uh give feedback on uh the code is that the only thing that they can do or are there uh multiple information barriers that needs to be um between both both of these groups because um a security analyst is 
mostly involved if something happens or or afterwards a developer is at a very very very beginning there is a lot of things in between but how can we bring them more and more together yeah yeah that's of course like the entire you know the entire death zops thing and that's that's really important um yeah I mean I feel like for it I feel like the tools are definitely important but that's of course not the the human you know you want more human communication about this as well yeah because you need to know you know there's also a security person working behind the scenes and stuff you need to you know know them kind of what what do they find important what do I find important what you know kind of what we're doing right now so what what kind of problems do I see what kind of things do you guys know what kind of things do you guys recommend to solve this issue um I've seen some places where they actually like really make a security person kind of part of the team like kind of part of this part of the scrum team so they it's not like they're actually like you know SEC like analyzing the product every you know every hour of the day but they they do they do uh actually kind of you know participate in what the team is doing so when there's a question they can always go to that security analyst and they can have a they can have a look around is that is that a security analyst is there or is that more engineer security engineer I don't know the if it's part of the part of the team it's often an engineer yeah is that a is that a suck there a an operating Center analyst or engineer or is that more or less a security consultant that is is involved into projects uh to bring the security analyst and the developers together so I think the security analyst is the person that reacts when it is when there is an incident yeah um and a security engineer consultant is the one that guides the project uh and takes constantly with the security so it's more a different role in my opinion 
but so but because if you look let's for example um if you look at def devop starts with planning right the first stage is before you do any code you have done anything you start with planning and created a design diagram uh which that's your proposal right without saying talking about any code like okay this is the application um so to give you an example I did a a project with a with with with a really big Financial in the Netherlands and um before we even started doing doing any resourc in Azure or any line of code we needed to get an approval for our design like the technical design the functional design all from the cloud competence team uh from from the security team um and I believe from the operations team and uh everybody like the cloud competence was looking like did do are we using the right resources are we deploying it the right way and security was challenging okay you are doing what kind of data are you processing So based on that you have this classification so you need to do that kind of encryption at a minimum and operation was like okay have you your uh backup in place so and I think that's the first stage where it starts like communication and talking to each other like reviewing that design okay this is the solution that we're are going to work on um from that three different uh perspectives I I definitely agree um I mean the one thing is that I do as a developer I do see a bit of an issue there where I'm designing an application right I'm going to build um I don't know a web shop API or something like that so you know it's important that we store our data securely because it's real customer data Maybe we're handing credit card info stuff like this that's really important to know like I I like learning about security so I notice all this kind of stuff but and I like focusing on like how do we store like uh gdpr data um a lot of developers don't not because they don't know whatever they just don't really have that knowledge so talking to those 
people is very important I do think that when we're building this application over time it's going to get new features right and we're going to have new requirements and then you I definitely see people slipping and just you know still at that point implementing something insecurely because they didn't involve all of these teams again you know it was something that you did at the beginning but doing that every time costs too much time or there is no time and stuff like that so for that I mean I guess I'm a program and I guess I just love automating so much things so I I really feel like using tools at least for the future here is is like is going to help us the most using all of these tools like GitHub Advanced security Microsoft the vendor for cloud security devops I don't R know the name anymore um stuff let's go with Defender for cloud Defender for cloud we're going to call Defender for cloud that that's what we agreed with David right yeah yeah definitely definitely great I think using all of these tools to make you know to set up a with actual with those teams they really know what fits the company the best and you know you need to use this product because that is what we use everywhere so that's a good fit stuff like that and then we're going to start using these tools during development to get to get like a signal like hey you're doing this wrong hey this is insecure your code has vulnerabilities you committed a secret you shouldn't have this package has vulnerabilities here's a PR to automate them I think that is something you can do to for a developer to really keep your code secure over the time that you're working on it yeah um to finish this recording up because we have touched a few different parts um to finish up we talk still talking about co-pilot within the Microsoft area um co-pilot security co-pilot what's helping us within uh Defender for cloud Defender for uh for Defender what is it Defender xdr within uh yeah all all that names but just say it 
by by date right today it's the fender x today yeah and the recording is uh in the beginning of December so um but we have also co-pilot for Windows co-pilots for productivity and so on so there are different co-pilots do you think that co-pilot or AI will will will play a role within the stuff what we're talking about I hope it does having cpilot yeah I'm already using it like every every day yeah yeah but that's GitHub co-pilot but also when talking about um defining uh of finding vulnerabilities and and stuff so we are using software or solutions that scans uh code and and and much more but does AI also play a role in that area to detect um I'm not in other ways for developer I mean I know that there's now this security co-pilot I don't really know yet what it is um maybe that's a topic for later because we you know maybe it's a topic for new episode because it I think it definitely can play a big role but I think for developer perspective when we're using co-pilot maybe it could learn you know from your code based from your company's security policies and then when you ask it to generate code or when you when it's running in your program it's like hey you're writing code here that violates company policies or this stuff like this so during development you get the notification this what we already said in the beginning instead of later on in the pipeline right when you're writing the code yeah a new developer day one immediately gets to know oh I'm doing something here that's insecure and I think definitely there's a a future in that I think it's going to happen pretty soon I believe and and I think you can already in your Eda for example in F code already when you have Cod pilot and then get a co-pilot then you can already when you have a code you you can already ask it Analyze This code to see if there are any vulnerabilities in there that kind of future is already there so it's not maybe fully automated that's I think the answer to the question yeah but if 
the future is there I think yeah yeah it will it will play a big and bigger and bigger role in my opinion so it it will help it doesn't replace anything uh because we still need to um realize stuff and create stuff um AI can help but it doesn't take over in my opinion hopefully not otherwise we have we are still um starting a podcast so probably we can extend that one well maybe the next episode will be AI generated I heard the Bing already a couple of times today so yeah exactly yeah that's being being Enterprise and being helps also in generating questions and doing stuff with so so have a a smooth conversation with that so do do do we did we touched every single piece that we want to touch I think I I think we talked about some tools and uh I think I just want to call out a couple more tools for developers at least to start using like you from the I think that's more from the operations perspective is she Defender for cloud right I think that a bit more for the operation side on the right side so it's it it gives um uh the right side so the operation side visibility into the uh into the left side right because you can suddenly see the code scan the code see what vulnerabilties all there you can uh you can do it on multiple layers so it and that's I think something we didn't touch we um because when we are talking about repositories right where you store your code it's it's fil that can come um you can experience there but you can also have like misconfiguration on your repository side like um that you can do push to the main bran for example that's something we did so Defender for cloud and and in combination definitely with gab fan security of course has multiple layer it's partially the infrastructure set your configuration like do you have your project PRS do you have like code validation that kind of stuff configured and partially it's like um your code scanning your code and bringing the output to Defender for cloud where often uh a security analyst is uh 
you can look at these results yeah exactly so so your security and your operation is completely on the right is seeing okay this is coming towards the production yeah right you are aware of what's coming and so then you can CH choose to interact with things like pool request uh um Integrations and then send okay on line three we see this and that and that yeah and uh and that way create that bring those two worlds together yeah so like stuff like you know like you already set so GitHub security or the greatly named GitHub uh GitHub security no GitHub Advanced security for a your devops depender Bot is what we talked about renovate all of these tools will help you like finding your vulnerabilities it will help you like it will stop you from pushing code that that contains leaked secret and stuff like that but something that's really interesting what you like said it's like it would also like send signals to these Defender like applications and really you know what we kind of started talking about to wrap I guess kind of things up it really brings these things to together right the devel the developers are you know we automatically now stopping vulnerabilities but we're still analyzing them we're still integrating the the monitoring side with it and you know at least what is coming from the security side and the operation side right and and those days a lot what you see is that Security operation is surprised because there was a coaching there was something there was a vulnerability in the code which where they weren't aware of yeah no that's that's true and now you can still go with that pability to production it's it can be an accepted risk for for example yeah exactly but at least you know what's you know what is happening yeah exactly so friends that that was all yeah I think that's all nice um I want to uh mention one thing uh not from this recording but from the previous recording uh to finish up um we mentioned Defender for WSL uh last time uh what what 
happens with that because um there was no support pre whatever and probably there was a preview uh that was the thing I mentioned but what happens after our recording yeah so last time of course we talked about containers and way sell and and that it creates a black hole WSL yeah WSL sorry um and yeah I think the same day the same evening uh they announced that it's going to public uh I think it's not GA it I think it's public preview public preview right so what it does is it creates Defender for endpoint so if you have Defender for Endo your machine your server or your uh server it also now scans your Vel environment to see what you are doing there so if you are doing some scary stuff and you think that's isolated there's now visibility in that space as well so this is I think a huge uh step for Microsoft so if if I'm activating WSL on my Windows machine Defender can take care of that WSL exactly it can see what you're doing in there and take use all of these you know Defender features St like that yeah but we have Defender for Linux uh but no also the integration on Windows sub subsystem for Linux so that's great right so that to to make that in order that we talked about the last probably the next time there are more changes that we are discussing today does anyone want to do any predictions and then next episode they'll be out um yeah I what we already said in the beginning of this recording we tried to touch uh some some pieces of the de def Sops uh framework so um today we talked more or less about code and code scanning uh but also a security perspective from uh from a developer um what pieces do we have on the in the def subop framework puan yeah so we started a little bit on the left side right we are we started with the endpoint of the developer we started with the code repository and I think we are going to partially build that up uh towards the operation side um so I heard you telling identity and authorization is going to be I think an awesome topic 
to to discuss like how do you authenticate and how do your applications authenticate like your micro uh uh uh Services mhm yeah and co-pilot can can be different recording in my opinion something like that like and also if we're going to talk more you know about this how we we're planning an application or you know I have a laptop here how do we get the stuff that I built in it to prod right so that the stages that you mentioned like building testing releasing um monitoring there's like loads of stages there and operations all of these things I can I think deserve their own topic deserve their own episodes so lots of topics to cover in the next uh in the next few months uh because we want want to try every month to do a recording um so keep posting did and see if you if you can realize that and if not you can challenge us so reach out to us at the different social media channels we're on LinkedIn on uh X is it today uh but also on Reddit uh and other the social media platforms um so reach out if you have questions or want to be part of this um if you like this recording uh subscribe uh or uh do do some uh don't tell them to ring the bell no no no not ring the bell but if if you are uh giving a giving feedback uh on the on a comment on the different platforms that helps to spread uh this podcast in in the world so uh that really helps us um and for now thanks for for listening and hopefully uh until another time and that was probably next year so 20 what is it 20124 y see you next year thank you thank you [Music] he