This past December I got the chance to attend and participate in DevSecOpsDays Austin 2019. It was had an incredible line up of speakers that I really look up to. Before we even got to the first morning break we heard from Andrew Clay Shafer, Shannon Lietz, Kat Sweet and Matt Tesauro. In the afternoon it didn’t stop with tons more awesome speakers.

The organizers James Wickett, Ernest Mueller, and Karthik Gaekwad and all of the volunteers did a tremendous job and put on an excellent show.

In the afternoon I got to talk about using Shodan in the Pipeline, a little side project I have been working on:

Over the last few years I have done several talks on Shodan. Because I believe that the bad guys know how to use this tool, so I should help to teach my friends how to protect their assets and their companies assets. In the talk I try to build off of other things I heard at the conference about making sure you prioritize which CVE’s you work on. These CVE’s are the ones that are advertised to the world that you have. These are the type that get you on the list of emails of people that have interacted with the a Nigerian Prince email scam. Having CVE’s on this list is not a good look.

For this talk I open sourced a very simple pipeline on Gitlab at

In this project you would go to the only merge request to see how it works:

The Merge Request has a pipeline attached to it:

Each of the jobs have output that should be easy to read to show the failure.

I did this work in about 2x2 hour sessions and tried to keep the best notes I could here:

Please reach out if you have any questions. What is here is pretty rudimentary. I would love to see someone build on this and for the number of CVE’s for you and your company or city go down.

Any please reach out if you think one of my Shodan talks would be good for your user groups, your conference or your company.

People had some nice things to say about the talk in Austin: