Security Officers' Open Discussion Meeting

Quick recap

The security officers' meeting covered a range of topics including cloud infrastructure challenges, learning strategies for AWS and cloud technologies, and implementing data loss prevention in Azure. Participants discussed the importance of security in software supply chains and shared experiences with AI implementations in various business contexts. The meeting also touched on access control, governance, and the value of human connection in project approval processes.
Security Officers' Open Discussion Meeting
Dave welcomes everyone to an open session of the security officers' meeting. He encourages participants to ask questions or discuss any challenges they're facing in their security, cloud, or infrastructure journeys. Dave mentions that the group includes members with various levels of experience who are willing to help. He also notes that participants can present their work for feedback or discuss CVs if needed. Dave then opens the floor for anyone to raise a topic or ask questions.
Building a Cloud Stack for Home Labbing
Dave and D discussed the challenges of building a cloud stack for home labbing. D expressed interest in learning from others who have experience in this area. Dave shared his experience of accidentally incurring a large cost due to a simple mistake and emphasized the importance of considering the architecture and cost before building. He suggested using controlled error and setting up billing alerts to avoid unexpected expenses. Connor added that setting up billing alerts can help prevent large bills caused by forgotten resources.
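The billing-alert guardrail recommended above, written out as an added Terraform example (this is not code from the meeting or its participants). It assumes the AWS provider, a placeholder alert address and a constructed monthly limit of 20 USD; the CloudWatch `EstimatedCharges` metric only exists in us-east-1 and requires billing alerts to be enabled once in the Billing console, so the alarm uses a provider alias pinned to that region, while the AWS Budgets resource adds early warnings at 50% and 80% of actual spend and at 100% of forecasted spend.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Default provider for the lab itself (region is an assumption).
provider "aws" {
  region = "eu-west-1"
}

# Billing metrics are only published in us-east-1, so the alarm needs this alias.
provider "aws" {
  alias  = "billing"
  region = "us-east-1"
}

variable "alert_email" {
  description = "Placeholder address that receives the alerts"
  type        = string
  default     = "homelab-alerts@example.com"
}

variable "monthly_limit_usd" {
  description = "Constructed ceiling for the lab's monthly spend"
  type        = number
  default     = 20
}

resource "aws_sns_topic" "billing_alerts" {
  provider = aws.billing
  name     = "homelab-billing-alerts"
}

resource "aws_sns_topic_subscription" "email" {
  provider  = aws.billing
  topic_arn = aws_sns_topic.billing_alerts.arn
  protocol  = "email"
  endpoint  = var.alert_email
}

# Hard alarm on the account-wide estimated charges: fires as soon as the
# running total for the month passes the limit, checked every six hours.
resource "aws_cloudwatch_metric_alarm" "estimated_charges" {
  provider            = aws.billing
  alarm_name          = "homelab-estimated-charges"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 1
  metric_name         = "EstimatedCharges"
  namespace           = "AWS/Billing"
  period              = 21600
  statistic           = "Maximum"
  threshold           = var.monthly_limit_usd
  alarm_actions       = [aws_sns_topic.billing_alerts.arn]

  dimensions = {
    Currency = "USD"
  }
}

# Early warnings via AWS Budgets: 50% and 80% of actual spend, and 100% of
# forecasted spend, so forgotten resources are noticed before the bill lands.
resource "aws_budgets_budget" "monthly" {
  name         = "homelab-monthly"
  budget_type  = "COST"
  limit_amount = tostring(var.monthly_limit_usd)
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  dynamic "notification" {
    for_each = [50, 80]
    content {
      comparison_operator        = "GREATER_THAN"
      threshold                  = notification.value
      threshold_type             = "PERCENTAGE"
      notification_type          = "ACTUAL"
      subscriber_email_addresses = [var.alert_email]
    }
  }

  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 100
    threshold_type             = "PERCENTAGE"
    notification_type          = "FORECASTED"
    subscriber_email_addresses = [var.alert_email]
  }
}
```

The SNS email subscription has to be confirmed from the mailbox before the alarm can deliver anything, which is a common reason a "configured" billing alarm never notifies; checking the subscription status after `terraform apply` is worth the minute it takes.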
AWS and Cloud Technologies Essentials
Connor and Neil emphasize the importance of having a specific project or goal in mind when learning AWS and cloud technologies. They suggest starting with simple tasks like setting up an EC2 instance to host a WordPress site, which provides experience with EC2 and networking components. Connor recommends learning Terraform, as it's versatile and transferable between different cloud environments. He cautions that Terraform is best for standing up resources, while tools like Ansible are better for configuring servers. Matthew adds that Terraform can orchestrate resources after creation using specific providers. Dave mentions using Terraform to capture existing infrastructure as a baseline. Walid asks about tools to convert existing infrastructure into Terraform configurations, and Dave suggests using Terraform's generate-config feature for networking configurations and exploring export options in Azure and AWS.
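The starter project suggested above (an EC2 instance hosting WordPress) and the import workflow Dave mentions, combined into one added Terraform example that is not the participants' own code. It assumes the AWS provider is already configured as in a normal project, uses the account's default VPC, a placeholder admin CIDR and a placeholder VPC ID, and installs WordPress and its database as containers at boot; the `import` block plus `terraform plan -generate-config-out=generated.tf` is the generate-config feature referred to in the discussion (Terraform 1.5 or later).

```hcl
variable "admin_cidr" {
  description = "Placeholder: the operator's own public IP, so SSH is not open to the world"
  type        = string
  default     = "203.0.113.10/32"
}

data "aws_vpc" "default" {
  default = true
}

# Latest Amazon Linux 2023 image published by Amazon.
data "aws_ami" "al2023" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"]
  }
}

resource "aws_security_group" "web" {
  name        = "wordpress-lab-web"
  description = "HTTP from anywhere, SSH only from the admin address"
  vpc_id      = data.aws_vpc.default.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "wordpress" {
  ami                    = data.aws_ami.al2023.id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.web.id]

  # IMDSv2 only: instance credentials cannot be fetched with a plain GET.
  metadata_options {
    http_tokens = "required"
  }

  root_block_device {
    encrypted = true
  }

  # Boot script: database password is generated on the host, not hard-coded here.
  user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    dnf install -y docker
    systemctl enable --now docker
    DB_PASS=$(openssl rand -hex 16)
    docker network create wp
    docker run -d --restart unless-stopped --network wp --name db \
      -e MARIADB_ROOT_PASSWORD="$(openssl rand -hex 16)" \
      -e MARIADB_DATABASE=wordpress -e MARIADB_USER=wp -e MARIADB_PASSWORD="$DB_PASS" \
      mariadb:10.11
    docker run -d --restart unless-stopped --network wp -p 80:80 --name wordpress \
      -e WORDPRESS_DB_HOST=db -e WORDPRESS_DB_USER=wp \
      -e WORDPRESS_DB_PASSWORD="$DB_PASS" -e WORDPRESS_DB_NAME=wordpress \
      wordpress:latest
  EOF

  tags = {
    Name  = "wordpress-lab"
    Owner = "homelab"
  }
}

output "wordpress_url" {
  value = "http://${aws_instance.wordpress.public_ip}/"
}

# Capturing something that already exists: declare where it should live, then run
#   terraform plan -generate-config-out=generated.tf
# Terraform writes a matching aws_vpc.existing block into generated.tf for review;
# a plain `terraform plan` without the flag fails until that block exists.
import {
  to = aws_vpc.existing
  id = "vpc-PLACEHOLDER"   # replace with the real VPC ID
}
```

Generated configuration is a starting point rather than a finished baseline: it includes every attribute Terraform can read, so the usual next step is to trim it to the settings you actually want to manage and then run `terraform apply` so the import is recorded in state.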
DLP and AIP Challenges in Azure
Dave and Walid discuss the challenges of implementing Data Loss Prevention (DLP) and Azure Information Protection (AIP) in Microsoft Azure. Walid shares his frustrating experience with deploying these services, particularly with document labeling and access issues across SharePoint, Exchange, and other Microsoft services. Dave suggests a more gradual approach, recommending starting in monitoring mode and working with consultants to establish best practices before full implementation. The conversation highlights the complexity of DLP and AIP integration across different Microsoft services and the difficulties in getting effective support for cross-service issues.
Effective Support for Complex Technical Issues
Dave and Neil discuss the challenges of getting effective support for complex technical issues, particularly from Microsoft. Dave recommends booking dedicated time with consultants or using platforms like Upwork to find experts who can teach and document solutions. Neil shares his experience with a specialized Microsoft support team that was designed to handle difficult cross-product issues. Both agree that paying for external help is often more efficient than relying on standard support channels. They also touch on the importance of proper licensing and documentation for new products like Copilot Studio. The conversation then shifts to a recent article about supply chain vulnerabilities, with Neil emphasizing the importance of security considerations when using code samples from sources like Stack Overflow.
Addressing Software Supply Chain Vulnerabilities
Neil discussed the importance of understanding and addressing vulnerabilities in software supply chains, using the example of a recent supply chain attack. He emphasized the need for organizations to be proactive in identifying and mitigating potential issues, rather than just following compliance requirements. Matthew raised the issue of balancing security with the need for flexibility in software dependencies, and the potential for AI solutions to address this. David B shared his experience of conducting security assessments for large software companies, highlighting the challenges of scaling security measures for smaller companies. The team also discussed the potential of tools like Trivy and Semgrep in identifying vulnerabilities and improving security.
AI Agents for Internal Tasks
Matt is building an AI agent for his company's internal use, similar to the app Glean but at a lower cost. The agent will be able to assist employees with various tasks such as submitting IT tickets, logging PTO, and providing information about equity and repositories. Matt plans to demo the proof of concept to the CISO in about a week. Meanwhile, Mario shares his experience implementing AI agents in regulated environments, including sales information querying, email issue escalation, and legal document processing. Both discuss the potential benefits and challenges of these AI implementations in their respective fields.
Automation Platform Access Control Discussion
In the meeting, Matt discussed the importance of segregating access to the automation platform to prevent potential issues. He emphasized the need for stringent access control, especially for high-level admin roles. Dave shared his experience with using the platform for its intended purpose and the importance of setting baselines and governance. Mario talked about his personal project involving digital twin creation and the implementation of techniques to de-identify data and reduce hallucination. Paul expressed interest in discussing competition and profitability in the AI agent development space. Dave highlighted the value of human connection in getting projects approved and the importance of understanding the needs of stakeholders. The conversation ended with Dave expressing his need to attend another meeting.