@clintgibler watched, analyzed, and summarized every talk from AppSec Cali 2019 and wrote detailed summaries for each one of them. This post is a great source of information covering DevSecOps, scaling security, threat modeling, building a security program, & more. All from one of the best security conferences currently in the industry.

Here's a YouTube playlist of some great talks for you to get up to speed.

A micro-services approach may be appropriate when the culmination of an application’s architecture has become a bottleneck (as a result of the various people/process/tech factors) for making changes and "going faster", but it is not the only approach.

Learning how to monitor the Kubernetes API server is of vital importance when running Kubernetes in production. Monitoring kube-apiserver will let you detect and troubleshoot latency, errors, and validate the service performs as expected. This post covers how you can collect the most important metrics from the kube-apiserver and use them to monitor this service.

ElasticCloud on Kubernetes (ECK) is now generally available. With ECK, users have a seamless way to deploy, manage, and operate the ElasticStack on Kubernetes.

Aqua Security announced the general availability of CloudSploit for Google Cloud Platform (GCP). This release also includes a Center for Internet Security (CIS) benchmark certification for GCP (more on this in the CSP-related section).

The Kubernetes Product Security Committee is launching a new bug bounty program, funded by the CNCF, to reward researchers finding security vulnerabilities in Kubernetes.

Kube-OIDC-Proxy is an open source reverse proxy that enables OIDC authentication to various backends. In the case of EKS, it can be used for OIDC authentication to multiple EKS clusters using the same user identity given by a third party provider. This post will explore how Kube-OIDC-Proxy works, how to deploy it into multiple EKS clusters and how to leverage other open source tooling to provide a seamless authentication experience to end users.

Google released a CIS GKE Benchmark (a subset of the Kubernetes Benchmark) that removes what you're not responsible for and is specific to GKE. For the CIS GKE Benchmark, there's Security Health Analytics, a security product that integrates into Security Command Center and that has built-in checks for several CIS GCP and GKE Benchmark items.

Microsoft released an open source code analyzer called Microsoft Application Inspector to identify "interesting" features and metadata, like the use of cryptography, connecting to a remote entity, and the platforms it runs on.