In this episode, I sit down with Ian Evans. Ian is a security architect and private contractor who provides a leading role in security architecture, implementation and optimisation projects with over 20 years industry experience.

He is a positive individual that believes there is a justifiable balance to be found in aligning security and technology decisions with business goals. He enjoys novel challenges and has found a passion in the intersections of AppSec, Platform Engineering and Cloud Security as it relates to the enterprise.

Ian shares how he got into cybersecurity, what it’s like managing security in agile environments, and how to balance speed with the need for strong security practices. We also dive into the importance of visibility and observability in building systems that are both secure and easy to manage.

Throughout the conversation, we explore how security can become a natural part of the process—supporting teams and keeping things running smoothly, even in fast-moving, complex environments.

In particular, we dig into a declarative approach for specifying access controls, similar to Otterize's Intent-Based Access Control.

Joining me this time is Jack Kleeman. Jack is a staff engineer at Restate, where they make durable execution just work. Before that, Jack worked at Apple as a Senior SRE and at Monzo as a Senior Platform Engineer. At Monzo, Jack led projects on secret distribution, certificate management, network isolation, and Cassandra authentication, including the effort to achieve zero-trust on Kubernetes using network policies at Monzo, which we'll be digging into in this episode, including the motivations - PCI and zero-trust, and how they tackled scaling it from one sensitive service, the ledger, to the entire organization, as well as Jack's experiencing moving from writing primarily in Go to Rust.

Monzo blog post mentioned in the episode: We built network isolation for 1,500 services to make Monzo more secure

Apple Pkl: https://github.com/apple/pkl

You can get in touch with Jack on LinkedIn, or his preferred medium, Twitter!

Joining me for this second episode is Andrew Moore. Andrew is a Staff Software Engineer leading the Platform Authentication team at Uber and sits on the SPIFFE Steering Committee. Prior to Uber, Andrew was a Software Engineer for various US and foreign Defense and Civil contracts with Lockheed Martin, Leidos, and Earth Resources Technology. Outside of work, Andrew homebrews beer, mead, kombucha, and Dungeons and Dragons campaigns.

In this episode, we’ll be talking about Uber’s use of SPIFFE/SPIRE and Charter for Workload Identity and Authorization. Learn about the design choices, motivations, and lessons learned that led to this setup. Plus, we’ll chat about Kubernetes, how to keep an abstract design mindset over a particular tech choice, and fads and fashion in software fads, and sprinkle in some hot takes and anime references for fun! ;)

Uber blog posts mentioned in the podcast:

https://www.uber.com/blog/our-journey-adopting-spiffe-spire/
https://www.uber.com/blog/attribute-based-access-control-at-uber/
https://www.uber.com/blog/go-monorepo-bazel/

You can get in touch with Andrew on the SPIFFE Slack, or on LinkedIn.