155 avsnitt • Längd: 35 min • Månadsvis
Securing the future of DevOps and AI: real talk with industry leaders.
The podcast The Secure Developer is created by Snyk. The podcast and the artwork on this page are embedded on this page using the public podcast feed (RSS).
Episode Summary
Are you ready to revolutionize your coding experience with cutting-edge AI tools? In this episode of The Secure Developer, host Danny Allan is joined by Jeff Wang, Head of Business at Codeium, to take a deep dive into the transformative power of generative AI in software development. Discover how coding assistants have evolved from simple auto-complete functions to sophisticated AI-driven tools, the significant impact these advancements have had on productivity and innovation, and how Codeium is addressing some of the security challenges they pose. Tuning in, you’ll learn how you can stay ahead in the rapidly changing tech landscape and supercharge your development process.
Show Notes
In this insightful episode of The Secure Developer, host Danny Allan sits down with Jeff Wang from Codeium to explore the rapidly evolving world of AI-powered coding assistants. As organizations increasingly look to harness the power of Generative AI in software development, Jeff provides a comprehensive overview of how these tools transform the coding landscape.
The conversation starts with a journey through the history of coding assistants, from early autocomplete features to today's sophisticated AI-driven tools. Jeff explains how Large Language Models (LLMs) have revolutionized code generation, offering unprecedented levels of accuracy and efficiency. He delves into the various features of modern coding assistants, including chat functions for code understanding and debugging, highlighting how these tools cater to both junior and senior developers.
Security concerns are a key focus of the discussion, with Jeff addressing how Codeium tackles data privacy and protection. He outlines strategies such as air-gapped deployments and local data processing to ensure that sensitive code remains secure. The episode also touches on the challenges of measuring the impact of these tools, with Jeff sharing insights on how companies are quantifying success through metrics like code generation percentage and developer productivity.
Looking to the future, Jeff and Danny explore the potential trajectories of AI in software development. They discuss the possibility of more complex, multi-step AI processes and the integration of AI across the entire software development lifecycle. The conversation concludes with thought-provoking insights on how AI coding assistants are improving productivity and enabling developers and organizations to "dream bigger" and tackle more ambitious projects.
This episode offers listeners a deep dive into the cutting-edge world of AI-assisted coding, providing valuable insights for developers, technology leaders, and anyone interested in the future of software development. Tune in to understand how these tools reshape the industry and why they're becoming essential to modern development practices.
Links
Follow Us
Episode Summary
In this episode of The Secure Developer, David Imhoff, Director of DevSecOps and Product Security at Kroger, shares insights on implementing DevSecOps in large organizations. He discusses balancing regulatory compliance with business objectives, fostering a security culture, and the challenges of risk mitigation. David also explores the importance of asset management, security champions, and the potential impact of AI on cybersecurity practices.
Show Notes
In this episode of The Secure Developer, host Danny Allan speaks with David Imhoff, Director of DevSecOps and Product Security at Kroger, about implementing security programs in large organizations. David shares his experience transitioning from blue team operations to engineering and back to security, emphasizing the importance of understanding both security and engineering perspectives to create effective DevSecOps programs.
The conversation delves into the challenges of starting a security program in a large retail organization, with David highlighting the importance of understanding regulatory requirements, such as HIPAA, and aligning security measures with business objectives. He discusses the use of the NIST Cybersecurity Framework for measuring and reporting security posture to the board, and the process of balancing security needs with business risk appetite.
David explains Kroger's approach to building a security culture, including the implementation of a security champions program and the use of Objectives and Key Results (OKRs) to drive security initiatives. He details the company's strategies for centralizing security policies while allowing flexibility in implementation across different engineering teams. The discussion also covers the integration of security tools into the development pipeline, including the use of GitHub Actions for vulnerability scanning and management.
The episode explores various security technologies employed at Kroger, including Software Composition Analysis (SCA), Static Application Security Testing (SAST), API security, and secrets scanning. David shares insights on the challenges of prioritizing security alerts and the ongoing effort to provide a cohesive view of risk across multiple tools. The conversation concludes with a discussion on the potential impact of AI on security practices, including the new challenges it presents in areas such as data poisoning and model management, as well as the potential for AI to improve threat modeling processes.
Links
Follow Us
Episode Summary
In this special episode of “The Secure Developer,” host Danny Allan interviews Snyk founder Guy Podjarny about the origins and evolution of Snyk. Guy shares his journey from conceptualizing Snyk in the shower to building it into a developer-first security platform. They discuss the challenges and successes of integrating security into the developer workflow, the importance of open-source security, and the impact of AI on the industry. Guy also provides insights into Snyk’s focus on remediation and the future of autonomous developer security.
Show Notes
In this episode of The Secure Developer, host Danny Allan sits down with Guy Podjarny, founder of Snyk, for an engaging conversation about the company's journey and its impact on the DevSecOps landscape. Guy shares the story of Snyk's inception, from the initial idea sparked in a shower to its development into a leading developer-first security platform. He discusses the challenges faced in the early days, including the need to balance depth and breadth in their security solutions and how these experiences shaped Snyk's approach to integrating security seamlessly into the developer workflow.
Guy delves into the pivotal moments that defined Snyk's evolution, such as the decision to focus on open-source security and the subsequent expansion into container and infrastructure as code security. He highlights the importance of making security tools that developers love and can easily adopt, which has been a cornerstone of Snyk’s philosophy. The conversation also touches on the strategic acquisitions that bolstered Snyk's capabilities, particularly the acquisition of DeepCode, which brought innovative AI-driven static analysis into the fold.
As the discussion moves forward, Guy and Danny explore the future of security in the AI era. They consider the potential of AI to revolutionize how vulnerabilities are detected and fixed, envisioning a future where code can be autonomously corrected without developer intervention. Guy emphasizes the need for a holistic approach to security, one that combines static analysis with runtime insights to provide comprehensive protection.
This episode offers a deep dive into the philosophy, challenges, and innovations that have driven Snyk’s success. It provides listeners with valuable insights into the evolution of developer-first security and the role of AI in shaping the future of software development. Whether you're a developer, security professional, or tech enthusiast, this conversation is packed with lessons and foresight that you won’t want to miss. Tune in to hear from one of the leading minds in DevSecOps and learn how Snyk continues to lead the charge in making security an integral part of the development process.
Links
Follow Us
Episode Summary
In this episode of The Secure Developer we're joined by Brian Vallelunga, Founder and CEO of Doppler, to discuss the importance of secrets management in modern application development. Brian shares his journey in creating Doppler, a secrets manager designed for developers and DevOps teams, and highlights the challenges organizations face in managing sensitive data such as API keys, database credentials, and certificates. The conversation explores best practices for secure secret storage, the need for industry-wide adoption of secrets rotation, and the potential impact of AI on the future of secrets management and identity-based authentication.
Show Notes
In this insightful episode of The Secure Developer, we sit down with Brian Vallelunga, Founder and CEO of Doppler, to dive deep into the critical topic of secrets management in modern application development. Brian shares Doppler's unique founding story, which began as a crypto machine learning marketplace but pivoted to address the pressing need for effective secrets management solutions.
Throughout the conversation, Brian and Danny explore the challenges developers and organizations face when managing sensitive data, such as API keys, database credentials, and certificates. They discuss best practices for secure secret storage, emphasizing the importance of encryption, seamless integration with developer workflows, and creating a positive developer experience.
The discussion also touches on the industry's struggle with secrets rotation and the need for standardization across providers to enable effective rotation strategies. Brian and Danny consider the potential role of compliance requirements, such as SOC 2, in driving the adoption of robust secrets management practices.
Looking to the future, the pair explores the impact of artificial intelligence on secrets management and the potential shift towards identity-based authentication. They envision a world where AI agents dynamically provision infrastructure and manage the connections between various services, with secrets managers facilitating seamless authentication.
Tune in to this engaging episode to gain valuable insights into the evolving landscape of secrets management and discover how industry leaders like Snyk and Doppler are working to secure the future of application development.
Links
Follow Us
Follow Us
Episode Summary
Are you curious about the ever-changing landscape of data security? In this episode, we are joined by Danny Allan, the newly appointed Chief Technology Officer at Snyk, to delve into the evolving landscape of data security. In our conversation, we discussed his professional background and how he went from hacking security systems at university to becoming a security expert at Snyk. Hear about his experience in dynamic application security testing and the challenges and opportunities of working for large companies. We unpack how controlling human actions can reduce security vulnerabilities, the nuances of running cloud-hosted services, and how the techniques used for static application security testing have changed. Danny explains the importance of considering security aspects during the early stages of software development and how governance has integrated into data security measures. Gain valuable insights into the ever-changing landscape of data security, AI’s potential role in revolutionizing security practices, and much more.
Show Notes
In this episode, Guy Podjarny is joined by Danny Allan, the new CTO at Snyk. Danny shares his fascinating career journey that has taken him in and out of the application security space over the past 20+ years.
They discuss how application security practices like static analysis (SAST) and dynamic scanning (DAST) have evolved, with SAST becoming much faster and easier to integrate earlier in the development cycle. Danny reflects on what has changed and what has surprisingly stayed the same since his earlier days in AppSec.
The conversation digs into the intersections between application security, data security, cloud security, and how these domains are becoming more interconnected as the same teams take on responsibilities across these areas. Danny draws insights from his recent experience at Veeam, highlighting how practices like data immutability and multi-person authorization grew in importance to combat ransomware threats.
Looking ahead, Danny and Guy explore the potential impact of AI/ML on application security. From automating threat modeling to personalizing vulnerability findings based on developer interests to generating rules and fixes, Danny sees AI unlocking many opportunities to transform AppSec practices.
Overall, this episode provides a unique perspective spanning Danny's 20+ year career in security. His experiences illustrate the evolution of AppSec tooling and processes, the blurring of domains like app/data/cloud security, and how AI could radically reshape the future of application security.
Links
Follow Us
Follow Us
Episode Summary
Explore the role of consolidated platforms in software development with our guest, John Delmare, Global Application and Cloud Security Lead of Accenture. This episode dives into the growing complexity in the developer space and how these platforms streamline processes and foster collaboration among distributed teams. We discuss balancing application and cloud security, the financial and time-saving benefits of integrated platforms, and the role of best-of-breed technology in an evolving tooling landscape. Tune in for a preview of future secure development practices and practical advice on navigating this dynamic space.
Show Notes
In this engaging episode of The Secure Developer, host Simon Maple chats with John Delmare, Managing Director of Accenture and Global Application and Cloud Security Lead, about the movement towards platform consolidation in the field of DevSecOps.
They dive into an in-depth exploration of the potential advantages and barriers that emerge from the reduction of tool sprawl. Using his extensive experience and insights, Delmare sheds light on how this development can enhance efficiency for developers and, at the same time, benefit companies by making processes more streamlined, cost-efficient, and effective.
Not losing sight of the role of best-of-breed tools, the conversation takes a turn into how such tools fare in the current scenario, whether they still hold relevance, or if the consolidation trend is set to overshadow them. More intriguingly, Delmare and Maple delve into the potential implications of emerging technologies like General Artificial Intelligence (GenAI) on the strategies for security tooling.
Further enriching the conversation, they emphasize the critical need for a common ground between security and development teams. Platform consolidation comes into play here by offering shared data views and aligning the teams towards unified goals, making the perfect case for seamless DevSecOps practices.
This episode is packed with insights that would cater to developers, security professionals, and decision-makers in the IT industry, offering them a clearer view of the current trends and allowing them to make strategically sound decisions. Tune in to be part of this insightful conversation.
Links
Follow Us
Follow Us
Episode Summary
In this episode of The Secure Developer, Guy Podjarny and guest Sean Catlett discuss the shift from traditional to engineering-first security practices. They delve into the importance of empathy and understanding business operations for enforcing better security. Catlett emphasizes utilizing AI for generic tasks to focus on crafting customized security strategies.
Show Notes
In this episode of The Secure Developer, host Guy Podjarny chats with experienced CISO Sean Catlett about transforming traditional security cultures into a more modern, engineering-first approach. Together, they delve into the intricacies of this paradigm shift and the resulting impact on organizational dynamics and leadership perspectives.
Starting with exploring how an empathetic understanding of a business's operational model can significantly strengthen security paradigms, the discussion progresses toward the importance of creating specialized security protocols per unique business needs. They stress that using AI and other technologies for generic tasks can free up teams to concentrate on building tailored security solutions, thereby amplifying their efficiency and impact on the company's growth.
In the latter part of the show, Catlett and Podjarny investigate AI's prospective role within modern security teams and lay out some potential challenges. Recognizing the rapid evolutionary pace of such technologies, they believe keeping up with AI advancements is crucial for capitalizing on its benefits and pre-empting potential pain points.
AI-curious listeners will find this episode brimming with valuable insights as Catlett and Podjarny demystify the complexities and highlight the opportunities of the current security landscape. Tune in to learn, grow, and transform your security strategy.
Links
Follow Us
Follow Us
Episode Summary
In this special episode, our guest host, Liran Tal, interviews Snyk's Staff Security Researcher, Rory McNamara, about newly discovered high-impact container breakout vulnerabilities. Liran and Rory go deep into the vulnerabilities and cover everything you need to know, how the vulnerabilities were discovered, and much more.
Show Notes
In this informative episode of The Secure Developer, guest host Liran Tal chats with Snyk security researcher Rory McNamara about his ground-breaking discoveries related to Docker vulnerabilities. McNamara's diligent investigations have spotlighted significant container breakout weaknesses, prompting a deep-dive exploration of the complexities of Docker’s security scene.
Refreshingly candid about the intricacies involved in tracking down these vulnerabilities, McNamara shares the detective-like processes he uses to trace the connections between key components and functionalities. As they discuss the eye-opening potential for exploitation, Rory highlights how using strace helped him decode the problematic underbelly of Docker.
Listening to this episode opens up a world of understanding about software supply chain security and the wider implications of these emerging vulnerabilities. Ideal for both security leaders wanting to stay on the cutting edge and developers interested in the nitty-gritty, this conversation not only reveals the problems but also offers solutions. McNamara drives home the importance of timely updates, adopting the principle of least privilege, and layering security measures for optimal protection. This is a must-listen for anyone wanting to deepen their understanding of today's vital security challenges.
Links
Follow Us
Follow Us
Episode Summary
Laura Bell Main, CEO at SafeStack, discusses the two-fold implications of AI for threat modeling in DevSecOps. She highlights challenges in integrating AI systems, the importance of data verifiability, and the potential efficiencies AI tools can introduce. With guidance, she suggests it's possible to manage the complexities and ensure the responsible utilization of AI.
Show Notes
In this intriguing episode of The Secure Developer, listen in as Laura Bell Main, CEO at SafeStack, dives into the intricate world of AI and its bearing on threat modeling. Laura provides a comprehensive glimpse into the dynamic landscape of application security, addressing its complexities and the pivotal role of artificial intelligence.
Laura elucidates how AI has the potential to analyze vulnerabilities, identify risks, and make repetitive tasks efficient. As she delves deeper, she explores how AI can facilitate processes and significantly enhance security measures within the DevSecOps pipeline. She also highlights a crucial aspect - AI is not just an enabler but should be seen as a partner in achieving your security objectives.
However, integrating AI into existing systems is not without its hurdles. Laura illustrates the complexities of utilizing third-party AI models, the vital importance of data verifiability, and the possible pitfalls of over-reliance on an LLM.
As the conversation advances, Laura provides insightful advice to tackle these challenges head-on. She underscores the importance of due diligence, the effective management of AI integration, and the necessity of checks and balances. With proactive measures and responsible use, she affirms that AI has the potential to transform threat modeling.
Don't miss this episode as Laura provides a thoughtful overview of the intersection of AI and threat modeling, offering important insights for anyone navigating the evolving landscape of DevSecOps. Whether you're a developer, a security enthusiast, or a tech leader, this episode is packed with valuable takeaways.
Links
Follow Us
Follow Us
In this engaging episode, hosts Simon Maple and Guy Podjarny delve into the transformative role of AI in software development and its implications for security practices. The discussion starts with a retrospective look at 2023, highlighting key trends and developments in the tech world. In particular, they discuss how generative AI is reshaping the landscape, altering the traditional roles of developers and necessitating a shift in security paradigms.
Simon and Guy explore AI-generated code challenges and opportunities, emphasizing the need for innovative security strategies to keep pace with this rapidly evolving technology. They dissect the various aspects of AI in development, from data security concerns to integrating AI tools in software creation. The conversation is rich with insights on how companies adapt to these changes, with real-world examples illustrating the growing reliance on AI in the tech industry.
This episode is a must-listen for anyone interested in the future of software development and security. Simon and Guy's expertise provides listeners with a comprehensive understanding of AI's current development state and offers predictions on how these trends will continue to shape the industry in 2024. Their analysis highlights the technical aspects and delves into the broader implications for developers and security professionals navigating this new AI-driven era.
Links
Follow Us
Follow Us
Episode Summary
Guy explores AI security challenges with Salesforce's VP of Security, Henrik Smith. They discuss the fine line between authentic and manipulated AI content, stressing the need for strong operational processes and collaborative, proactive security measures to safeguard data and support secure innovation.
Show Notes
In this episode, host Guy Podjarny sits down with Henrik Smith, VP of Security at Salesforce, to delve into the intricacies of AI and its impact on security. As the lines between real and artificially generated data become increasingly blurred, they explore the current trends shaping the AI landscape, particularly in voice impersonation and automated decision-making.
During the conversation, Smith articulates the pitfalls organizations face as AI grows easier to access and misuse, potentially bypassing security checks in the rush to leverage new capabilities. He urges listeners to consider the importance of established processes and the responsible use of AI, especially regarding sensitive data and upholding data governance policies.
The episode also dives into security as a facilitator rather than an inhibitor within the development process. Smith shares his experiences and strategies for fostering cross-departmental collaboration at Salesforce, underscoring the value of shifting left and fixing issues at their source. He highlights how security can and should act as an enabling service within organizations, striving to resolve systemic risks and promoting a culture of secure innovation.
Whether an experienced security professional or a tech enthusiast intrigued by AI, this episode promises to offer valuable insights into managing AI's security challenges and harnessing its potential responsibly.
Links
Follow Us
Follow Us
Episode Summary
In this episode of The Secure Developer, our co-hosts Simon Maple and Guy Podjarny discuss the rise of AI in code generation. Drawing from Snyk's 2023 AI Code Security Report, they examine developers' concerns about security and the importance of auditing and automated controls for AI-generated code.
Show Notes
In this compelling episode of The Secure Developer, hosts Simon Maple and Guy Podjarny delve into the fascinating and fast-paced world of artificial intelligence (AI) in code generation. Drawing insights from Snyk's 2023 AI Code Security Report, the hosts discuss the exponential rise in the adoption of AI code generation tools and the impact this has on the software development landscape.
Simon and Guy reveal alarming statistics showing that most developers believe AI-generated code is inherently more secure than human-written code, but they also express deep-seated concerns about security and data privacy. This dichotomy sets the stage for a stimulating discussion about the potential risks and rewards of integrating AI within the coding process.
A significant point of discussion revolves around the need for more stringent auditing for AI-generated code and much tighter automated security controls. The hosts echo the industry’s growing sentiment about the importance of verification and quality assurance, regardless of the perceived assurance of AI security.
This episode challenges conventional thinking and provides critical insights into software development's rapidly evolving AI realm. It's an insightful listen for anyone interested in understanding the interplay of AI code generation, developer behaviors, and security landscapes.
Links
Follow Us
Follow Us
Episode Summary
In this episode, Tomasz Tunguz of Theory Ventures discusses the intersection of AI, technology, and security. We explore how AI is revolutionizing software development, data management challenges, and security's vital role in this dynamic landscape.
Show Notes
In this episode of The Secure Developer, Guy Podjarny engages in a deep and insightful conversation with Tomasz Tunguz, founding partner of Theory Ventures. They delve into the fascinating world of AI security and its burgeoning impact on the software development landscape. Tomasz brings a unique investor's lens to the discussion, shedding light on how early-stage software companies are leveraging AI to revolutionize market strategies.
The conversation navigates through the complexities of AI in the realm of security. Tomasz highlights key trends such as data loss prevention, categorization of AI-related companies, and the significant security challenges in this dynamic space. The episode also touches on the critical role of data governance and compliance in the age of AI, exploring how these elements are becoming increasingly intertwined with security concerns.
A significant part of the discussion is dedicated to the future of AI-powered software development. Guy and Tomasz ponder the evolution of coding, predicting a shift towards higher levels of abstraction and the potential challenges this may pose for security. They speculate on the profound changes AI could bring, transforming how software is developed and the implications for developers and security professionals.
This episode provides a comprehensive look into the intersection of AI, technology, and security. It's a must-listen for anyone interested in understanding AI's current and future landscape in the tech world, especially from a security standpoint. The insights and predictions offered by Tomasz Tunguz make it an engaging and informative session, perfect for professionals and enthusiasts alike who are keen to stay ahead.
Links
Follow Us
Follow Us
Episode Summary
In this episode, Dr. Christina Liaghati discusses incorporating diverse perspectives, early security measures, and continuous risk evaluations in AI system development. She underscores the importance of collaboration and shares resources to help tackle AI-related risks.
Show Notes
In this enlightening episode of The Secure Developer, Dr. Christina Liaghati of MITRE offers valuable insights on the necessity of integrating security considerations right from the design phase in AI system development. She underscores the fact that cybersecurity issues can’t be fixed solely at the end of the development process; rather, understanding and mitigating vulnerabilities require continual iterative discovery and investigation throughout the system's lifecycle.
Dr. Liaghati emphasizes the need for incorporating diverse perspectives into the process, specifically highlighting the value of expertise from fields like psychology and human-centered design to grasp the socio-technical issues associated with AI use fully. She sounds a cautionary note about the inherent risks when AI is applied in critical sectors like healthcare and transportation, which calls for thorough discussions about these deployments.
Additionally, she introduces listeners to MITRE's ATLAS project, a community-focused initiative that seeks to holistically address the challenges posed by AI, drawing lessons from past experiences in cybersecurity. She points out the ATLAS project as a resource for learning about adversarial machine learning, particularly useful for those coming from a traditional cybersecurity environment or the traditional AI side.
Importantly, she talks about the potential of AI technology as a tool to improve day-to-day activities, exemplified by email management. These discussions underscore the importance of knowledgeable and informed debates about integrating AI into various aspects of our society and industries. The episode serves as a useful guide for anyone venturing into the world of AI security, offering a balanced perspective on the potential challenges and opportunities involved.
Links
Follow Us
Follow Us
This week, we're rewinding to play one of our favorite episodes from the archive! We'll be back with a brand-new episode in two weeks!
Today’s guest is someone we have wanted to have on the show for a long time, and we are so happy to finally welcome him. Dev Akhawe is the Head of Security at Figma, the first state-of-the-art interface design tool that runs entirely in your browser. Before that, Dev worked at Dropbox, as Director of Security Engineering, leading application security, infrastructure security, and abuse prevention for the Dropbox products. He also holds a Ph.D. in Computer Science from UC Berkeley, where his thesis focused on web application security. In this episode, Dev pulls back the curtain and gives us a look at what security at Figma looks like. The relatively small organization has a culture where the security team earns their trust and works openly. This has resulted in far greater cohesion between the security team and developers. We also hear about Dev’s time at Dropbox, and how working on an application with many products exposed him to the gamut of security issues that companies can face. Along with this, we discuss some of the positive changes in how startups are thinking about security, the value of exposing people to different parts of an organization, the place of security champions, and having a curious mindset as a security professional. Dev's approach to security is empathetic, collaborative, and solution-driven, and if you would like to hear more, be sure to tune in today!
Follow Us
As AI adoption continues to grow, it's important that effective risk management strategies and industry security standards evolve along with it. To discuss this, we are joined by Royal Hansen, the VP of Engineering for Privacy, Safety, and Security at Google, where he drives the overall information security strategy for the company’s technical infrastructure (and keeps billions of people safe online).
Royal cut his teeth as a software developer for Sapient before building a cyber-security practice in the financial services industry at @stake, American Express, Goldman Sachs, and Morgan Stanley. In this episode, he explains why adhering to a bold and responsible framework is critical as AI capabilities are integrated into products worldwide and provides an overview of Google’s Secure AI Framework (SAIF), designed to help mitigate risks specific to AI systems. Royal unpacks each of the six core elements of SAIF, emphasizes the importance of collaboration, shares how he uses AI in his personal life, and much more.
Today’s conversation outlines a practical approach to addressing top-of-mind AI security concerns for consumers and security and risk professionals alike, so be sure to tune in!
Follow Us
Security is changing quickly in the fast-paced world of AI. During this episode, we explore AI safety and security with the help of David Haber, who co-founded Lakera.ai. David is also the creator of Gandalf, an AI tool that makes Large Language Models (LLMs) accessible to everyone. Join us as we dive into the world of prompt injections, AI behavior, and its corresponding risks and vulnerabilities. We discuss questions about data poisoning and protections and explore David’s motivation to create Gandalf and how he has used it to gain vital insights into the complex topic of LLM security. This episode also includes a foray into the two approaches to informing an LLM about sensitive data and the pros and cons of each. Lastly, David emphasises the importance of considering what is known about each model on a case-by-case basis and using that as a starting point. Tune in to hear all this and more about AI safety, security, and play from a veritable expert in the field, David Haber!
Follow Us
On episode 126 of The Secure Developer we had a fascinating conversation with Guy Rosen, who is the current CISO at Meta. In our chat, we are able to mine Guy's vast experience, expertise, and perspective on what being CISO at a huge tech company in today's climate requires, focusing on how security and integrity concerns come together and play out. In his role at Meta, Guy oversees both of these areas, and listeners will get to hear how he distinguishes the two worlds, and also where they overlap and intersect. We spend some time talking about human and technological resources for these fields, how Guy thinks about skills and hiring, and of course the impact of AI on the field right now. We also hear from our guest about issues such as privacy, account takeover, and the complexity of the policies that govern online abuse. So join us to catch it all in this great conversation!
Follow Us
Artificial Intelligence is innovating at a faster than ever before. Could there be a better response than fear? Sam Curry is the VP and Chief Information Security Officer at Zscaler, and he joins us to share his perspective on what AI means for cyber security. Tune in to hear how AI is advancing cybersecurity and the potential threats it poses to data and metadata protection.
Sam delves into the nature of fearmongering and a more appropriate response to technological development before revealing the process behind AI integration at Zscaler, why many companies are opting to build internal AI systems, and the three buckets of AI in the security world. Sam shares his opinion on eliminating the offensive use of AI, touches on how AI uses mechanical twerks to get around security checks, and discusses the preparation of InfoSec cycles. After we explore the possibility of deception in a DevOps context, Sam reveals his concerns for the malicious use of AI and stresses the importance of advancing in alignment with technological progress. Tune in to hear all this and much more!
Follow Us
At the rate at which AI is infiltrating operations around the globe, AI regulation and security is becoming an increasingly pressing topic. As external regulations are put in place, it’s important to ensure that your internal compliance measures are up to scratch and your systems are safe. Joining us today to discuss the security of ML systems and AI applications is Ian Swanson, the Co-Founder and CEO of Protect AI. In this episode, Ian breaks down the five pillars of ML SecOps: supply chain vulnerabilities, model provenance, GRC (governance, risk, and compliance), trusted AI, and adversarial machine learning. We learn the key differences between software development and machine learning development lifecycles, and thus the difference between DevSecOps and ML SecOps. Ian identifies the risks and threats posed to different AI classifications and explains how to level up your GRC practice and why it’s essential to do so! Given the unnatural rate of adoption of AI and the dynamic nature of machine learning, ML SecOps is essential, particularly with the new regulations and third-party auditing that is predicted to grow as an industry. Tune in as we investigate all things ML SecOps and protecting your AI!
Follow Us
In this episode of The Secure Developer, we delve into the subject of supply chain security across various ecosystems and languages, guided by industry experts Liran Tal and Roy Ram from Snyk. Liran is the Director of Developer Advocacy at Snyk and has a background working particularly in Node.js and JavaScript. Roy is a Senior Product Manager serving as part of the product team for Snyk Code, and has a background in cybersecurity and a solid understanding of C++. With a 20-year background in Java, host Simon Maple moderates the conversation. We discuss the challenges and differences between ecosystems, such as the use of third-party libraries and issues with typosquatting and malicious packages. We also talk about the volume of dependencies that each of our ecosystems pull in, whether you should stay on the latest version or pin to a version, and the importance of software bill of materials (SBOMs). For valuable advice on securing your supply chain in different languages and ecosystems, tune in today!
Follow Us
No one wants to fall prey to a security breach, but in the event that it does occur, it’s important to have systems in place to manage it. In episode 132 of The Secure Developer, we are joined by the CTO of CircleCI, Rob Zuber to discuss the security incident CircleCI announced on January 4th. Rob shares insight into what CircleCI does, how the incident affected customers, and how they communicated it to the public. We find out how the industry responded and adapted to the incident, as well as how it was dealt with internally at CircleCI. Rob opens up about what he learned in the process and shares advice for others facing a security breach. Tune in to find out how best to prevent and manage a security incident, should this happen to you.
Follow Us
In episode 131 of The Secure Developer, you’ll hear from former TikTok CISO Roland Cloutier about the realities of securing user-generated content at scale and his belief that we need to take a strictly data-centric approach rather than a humanistic one to solve many of these privacy-related issues. Tuning in, you’ll gain some insight into what it takes to oversee a social media company's cybersecurity, data protection, and crisis management, and find out why Roland believes that an innate understanding of company culture is key to building a large and fast-growing security team in an increasingly virtual world. We also touch on some of the challenges of user identity management, the need for user-driven authentication methods, increased state-level security regulations in the data space, and more, so don’t miss today’s fascinating conversation with cyber security expert and industry veteran, Roland Cloutier!
Follow Us
In episode 130 of The Secure Developer, we bring cast our focus on cloud security, and to help us examine this subject we welcome Rick Doten to the show! Rick shares his insight on what cloud security is, some of its history, current concerns in the field, and his hopes and ideas for its future. Our guest generously offers some of his vast experience talking about basic controls, how to organise security teams, necessary education and skills development, and the challenges of putting theoretical security into practice. We also get to explore some helpful definitions, how to approach building the best teams for different security goals, and how our understanding of the cloud differs across app and IT spaces. So if you want to hear all this and a whole lot more from GuyPo and Rick, listen in for another great episode of the show.
Follow Us
In this episode, we conclude our miniseries dealing with software supply chain security by considering the next five years in the space, what we need, and what we can hope for. Emily Fox, Aeva Black, Brian Behlendorf, Adrian Ludwig, Lena Smart, and of course Guy Podjarny, join Simon by sharing some insights on the areas in most need of attention, and where we can realistically expect to make progress in the near future. Listeners will hear about trust and tooling, downstream complexities, and qualifying security engineers, with the conversation ending on an optimistic note with an eye to the horizon. For most of our panel, the message of consistent attention and security prioritisation within organisations, as well as from governance is paramount to the health of any of these systems. So to hear it all in this final installment of our special, be sure to press play now!
Follow Us
Continuing our mini-series on supply chain security, as we deep dive into the organisational aspects of this charge and hear from a number of our experts about solutions and initiatives to better prepare for supply chain risks and visibility issues.
Simon and Guy are joined by Adrian Ludwig, Aeva Black, Jim Zemlin, Emily Fox, and Eric Brewer as we start thinking about securing the supply chain as an organisation. Guypo breaking down the four fundamental steps for doing this, and how to tackle the subject of SBOMs or Software Bill of Materials. Our guests share fascinating perspectives on how these areas relate to a company's overall preparedness and particularly to the open source space. We also cover some general advice about raising security awareness at a company, so for all this and a whole lot more, make sure to join us. Next week is our miniseries finale, where we will tackle the future of software supply chain security, so make sure you tune in for that !
Follow Us
When we stop to think about the software running in our production environments, a large proportion of it is very likely open source. Are there effective mechanisms to truly understand and have visibility into all of these libraries? How do you ensure that these libraries are secure? To answer these questions, we feature input from Guy Podjarny, Lena Smart, Brian Behlendorf, Aeva Black, Emily Fox, Jim Zemlin, David Wheeler and Simon Maple as we dissect some key terms and promising projects in the software supply chain security space. Tuning in, you’ll learn what the term SBOM means, why the problem of securing the open-source pipeline is such a complex one, and what organizations like the Open Source Software Foundation (SSF) and Open Source Initiative (OSI) are doing to address it. We also introduce some key players that can provide you with assistance as you work to improve your own open-source security or software supply chain security posture. For all this and more, you won’t want to miss part two of The Secure Developer’s software supply chain security series!
Follow Us
In this episode we are defining the key pillars of software supply chain security. This episode is part 1 of a 4 part software supply chain series where our hosts Guy Podjarny and Simon Maple combine their analysis of this space of supply chain security with a series of interviews that we’ve had a chance to do with other supply chain security experts like Eric Brewer, Google Fellow, Adrian Ludwig, Chief Trust Officer at Atlassian, Jim Zemlin, Executive Director at Linux Foundation, Nicole Perlroth, NY Times Bestselling Author, Lena Smart, CISO MongoDB, Eli Hooten, CTO CodeCov and many more.
And we are going to try and create a clearer picture of what this topic involves, and what’s the state of the land. And try to help you understand what you should be doing about it.
In this first episode, we’ll focus on defining the problem. We’ll break up the key pillars of Supply Chain Security, and talk about what you should care about most - and why.
The second episode will get specific, covering the key terms you should know and players you should track, as well as talk about some of the most prominent or promising projects in this space, so you can deep dive.
In the third episode, we’ll give examples from practitioners actually implementing supply chain security in their organizations so that you can learn and choose which of these practices you want to adopt, and we’ll talk a bit about maturity levels, how you get started vs how you continue.
Then lastly, in the fourth episode we’ll cast our eyes forward, and talk about industry motions, what can and is being done to help the ecosystem deal with this problem, and what key changes you might expect to come down the road.
Follow Us
As we look forward into a new year 2023, we wanted to recap some of the most important developments we saw, and conversations we had during 2022. This episode features a look back at the key events and moments from the past twelve months before we share some of the expectations and predictions we have for the year ahead. Simon and Guypo sit down to discuss market corrections, the war in Ukraine, and also the tumultuous time that the crypto space has endured, before getting into some thoughts on the biggest lessons that can be garnered from these events. The ever-present message of better preparation is obviously a strong theme, and some time is spent reflecting on a few of the great guests and their insights on the show. Guypo underlines his excitement about the possibilities he sees in the authorisation space, and we also consider the managing of potential zero days in 2023. So to hear all this, and a whole lot more, press play now!
Follow Us
Today our focus shifts towards products for a change, and we welcome the CEO and Co-Founder of Project Discovery, Rishiraj Sharma, to talk about their story, as well as the genesis of the Nuclei project. With some wide-ranging experience in the worlds of engineering and product management, before he entered into the security space, Rishiraj has a unique story and brings a personal perspective and philosophy to his work, and we get to unpack that a bit before discussing his approach to putting tools in the hands of developers, increasing the reach of engineers, and ultimately the big goal of making Nuclei a completely community-driven ecosystem! We get into some of the more technical aspects of their work and value offer, as Rishiraj shares how their tools have been used by different parties so far, their inclusion of manual code contributions, and how they are overcoming hurdles in CI/CD. So to hear all about and learn much more about this exciting work being done by our guest and his team, tune in!
Follow Us
Malicious attacks are a real threat, especially with the essential role of open source in mind. Today’s guest, Liran Tal, is the director of developer advocacy at Snyk and. Github Star, and he is here to share a plethora of tips you can implement today to see a marked improvement in general posture and company safety.
Tune in to hear Liran’s perspective on the state of malicious attacks today in comparison to previous years, how third-party dependencies can be problematic, and how a single attack can impact thousands of users, developers and CI machines. He believes that open source is an essential tool today and that the solution lies in better security. Listeners will also learn how security sanitization is different for each ecosystem, and hear some advice for security-conscious companies cautious not to restrict innovation by tightening up their security plan. Join us to hear all this and more from today’s expert voice from Snyk.
Follow Us
Cloud Security is a evolving and so are the attacks in this space. The landscape is becoming increasingly complex, so the question remains how do we tackle cloud security in organisations, who owns it and how do we best prepare?.
In this episode, we provide listeners with an overview of Snyk’s report on cloud security and unpack some unsettling statics. To walk us through the report, we're joined by Drew Wright, the primary author of the report, and Simon Maple, Snyk’s Field CTO. In our conversation, we delve into the main findings, how data was collected, and essential lessons from the report. We discuss the differences between the IT cloud and the app cloud, adopting an infrastructure-as-code approach, what businesses are most at risk, and why cloud security is vital for all businesses. We also talk about the recent cultural shift regarding the responsibility of security and the nuanced perspectives on why cloud security is vital. Hear about a fantastic open-source resource, how to prevent security breaches, common mistakes businesses make, and more. Tune in to ensure you are up to date on the latest developments in the space as we navigate The State of Cloud Security report with experts Drew Wright and Simon Maple.
Follow Us
In this Ask Me Anything episode we Guypo, we put Guy Podjarny in the guest chair, and had him field a bunch of really interesting guest-submitted questions.
In this Ask Me Anything session, you can expect to hear a few bits about Guypo's taste in books, how he likes to unwind, before we dive into some industry-specific content, and some rather interesting insights on the history of Snyk. We take a journey down memory lane for what started this podcast, and what has enabled it to keep growing and stay relevant.
Guypo talks about the subjects that have persisted through the last five years and the topics that will continue to grow in relevance in the future. He also shares some reflections on the hurdles of running a startup, and the pivotal moments that really made the difference. So to hear all this and more, from the one and only GuyPo, make sure to press play now!
Follow Us
A successful bug bounty program can play a pivotal role in the security strategy for a company but defining and running such a program requires structure and maturity within an organisation. Sean Poris, Senior Director of Cyber Resilience at Yahoo knows all about the anchor elements that you need in a bug bounty program and how to drive maturity of such a program. In this fascinating conversation, Sean goes deep into how bug bounties fit into their security philosophy, and how this program has been developed and adapted over time. From there, we turn to the actual structure of the security team, with our guest shedding some light on what is required from the different roles on the teams. He explains what the Deputy Paranoids stay busy with, and how they approach hiring and educating for this position.
Follow Us
The software supply chain is anything and everything that touches an application or plays a role in its development, from the beginning to the end of the software development life cycle (SDLC). As you might imagine, this makes software supply chain security a somewhat complicated task! Today, we are joined by returning guest, Adrian Ludwig, formerly of Nest and Android and now Chief Trust Officer at Atlassian, to discuss what ‘software supply chain security’ actually means, why it matters, and how you can help secure the supply chain of your product. As a self-described hacker in his early years, he was recruited by the Department of Defense at just 16-years-old, and worked with them for several years to find security flaws in cryptographic and computer network systems. He has a fascinating lens through which he views today’s topic and, as you’ll discover in this episode, he has a real talent for clearly and efficiently explaining very complex problems. To learn more about Adrian’s interesting take on SBOMs and find out which processes, tools, and practices to invest in, make sure to tune in today!
Follow Us
Nicole is a cyber security journalist and has covered many high-profile cases, such as the Russian hacking of nuclear power plants, North Korea’s attacks on movie studios, and Chinese government-sanctioned cyber-attacks around the globe. She is also the author of This Is How They Tell Me the World Ends, which provides readers with details about the most secretive, government-backed market in the world, cyberweapons.
In this conversation, we learn why cybersecurity is such an essential topic for non-technical people, cyber security threats that exist within global supply-chain markets, and the definition of cyber hygiene. Hear some examples of high-profile cyber attacks, steps companies should take regarding cyber security, why cyber security stories rarely make headlines, and the human-behaviour element behind the problem. We also learn ways in which society and governments can act to overcome the challenges of cyber security, and what advancements are needed within the space. Tune in to learn everything you need to know about the undercover cyber threat and what you can do about it, with expert Nicole Perlroth!
Follow Us
In this episode, we are digging into Shift Left, what it really means, and how to accomplish it successfully. Sharing her insight is Rupa Parameswaran, head of security at Amplitude, and a security and privacy expert with 20 years of knowledge behind her.
She works closely with business leaders to create relevant secure by design and secure by default controls that help businesses run efficiently, but also be secure. She shared with us how she has really successfully transformed the security mindsets in the engineering teams at Amplitude.
Learn why Rupa wants developers and business owners to grow their understanding of security, and which metrics she uses to assess security success. Tune in to learn all about the evolving list of capabilities essential to security teams, and Rupa shares her thoughts about the future of security and standardization.
Follow Us
The Cloud Native Computing Foundation (CNCF) hosts critical components of the global technology infrastructure and has played a huge part in elevating the industry standard for security. They bring together top developers, end-users, and vendors, and also run the world’s largest open source developer conferences. Today on the show we’re thrilled to welcome Emily Fox, a Security Engineer, who also serves as the co-chair of the CNCF Technical Oversight Committee (TOC), and is involved in a variety of open source communities. In our conversation with Emily, we unpack the intricacies of Open Source security and vulnerabilities, as well as what she’s learned during her time with the CNCF. We discuss what participants can expect from the Global Security Vulnerability Summit, how you can get involved, and the project that Emily is most excited about. Finally, Emily shares her passion for ensuring that women join the technology sector and breaks down the crucial steps that will get us there. Tune in for a fascinating conversation on open source securities, vulnerabilities, and more!
Follow Us
Thanks for tuning in to a brand new episode of the Secure Developer! Joining us in conversation today is Peter Oehlert, Chief Security Officer at Highspot. We hear about Peter’s journey with Facebook, Smartsheet, and Microsoft, learn the difference between establishing a new security practice when there is an existing security culture and when there isn’t, and find out why taking ownership is more important than having all the necessary information. Peter is passionate about every aspect of product security, and tells the story of modeling for threats at Highspot, where he attributes one of his biggest challenges at any company to working with and educating people. Hear about the hurdles attached to dealing with the cloud, what has surprised him moving from security to CSO reality, and why it has been so important to have open communication in order to build the necessary bridges to navigate this change. Find out what he would do differently, what has changed within SaaS and product security over the past few years, and what direction he would take if he had access to unlimited resources. Tune in to hear all this and more today!
Follow Us
Join Guy Podgarny, the Founder of Snyk, for another exciting season of The Secure Developer Podcast, where he will be interviewing leaders and practitioners from a diverse array of industry-leading companies. The conversations will cover how to stay safe and secure in the competitive contemporary market and turn DevOps into DevSecOps! You can expect detailed discussions with insider perspectives, pragmatic tips, and insightful reflections that could be just the thing to take you and your company to the next level.
Follow Us
We’re switching it up in this episode and putting Guy Podjarny in the hot seat to answer all of your most pressing security questions! Following his astute prompts, Guy comprehensively explains everything from how startups can build in security with limited resources to how security teams need to transform going forward. We discuss the balance of security and usability, the security implications of quantum computing, and the role developers are predicted to play in DevSec. We also speculate how NoOps might affect DevOps and the potential of achieving zero trust for application security. For all of this and so much, tune in for an in-depth AMA with Guy as he answers all of your unanswered DevSecOps-related questions!
Follow Us
Today on the Secure Developer we speak with Lena Smart, Chief Information Security Officer (CISO) at MongoDB. Lena has extensive cybersecurity experience and has worked in the security space for over 20 years. We talk with Lena about how she first got started in security, why she gets so much satisfaction from being the first CISO at a company, and what she has loved most about working at MongoDB. In our conversation, we discuss core principles around supply chain security as well as supply chain risk and what these definitions mean for practical applications. We delve into the latest executive order from the current administration and discuss some of Lena’s insights on the topic. She explains why the government wants to move into automation and continuous monitoring, as well as what that process will entail. Tuning in you’ll learn more about the Information Technology — Information Sharing and Analysis Center (IT-ISAC), why Lena is such a big proponent of theirs, in addition to how they are helping private and public industries work together in a trusted environment. Lena also describes her Security Champions Program and some of the exciting developments that have occurred as a result of the program. To learn more about MongoDB, how to create a thriving security culture, and more, make sure you tune in today!
Follow Us
If you are interested in improving diversity in security, this is the episode for you! Over the years we have had some very wise guests come on this show and share their views on diversity, why it matters, and how it can be improved. In this episode, we bring you a collection of insights, techniques, and approaches that may help you on this front. Tuning in, you’ll hear how Nitzan Blouin from Spotify built a team that is 75% female, information about Tad Whitaker’s Day of ‘Shecurity’ and the innovative way he trains women for jobs in security, as well as insight into the internship program at Snyk and how it improved diversity. We also hear some great tips from Vandana Verma from Snyk, Tanya Janca from We Hack Purple, and Rinki Sethi from Twitter. Tune in for all this and more!
Follow Us
Security as a field is constantly evolving. As a result, it requires a high degree of awareness, including staying up to date with the latest developments in potential new threats. It was the challenge of working in security that drew Patrick O'Doherty to the field in the first place. Today on the show, we speak with Patrick about his time as a Senior Security Engineer at Intercom, his current role at Oso as an Engineer, and what he has discovered on his security journey. Patrick shares what he learned while being part of the security solutions team at Intercom and how they built common infrastructure and coding patterns. We also discuss the role of empathy in security, why it’s essential for your goals to be aligned with the people you’re trying to help, and why we should all work to be more aware of third-party threat exposures. Tune in today!
Follow Us
Supply chain security is a multifaceted, complex, and currently unsolved problem, and today’s guest is determined to change that. Jonathan Meadows has worked for major industry players throughout his career, and is currently the Head of Cloud Cybersecurity at Citigroup. As you’ll discover in more detail today, the issues that exist within supply chain security can only be solved by a group effort on behalf of all enterprises involved at all levels of the chain. Without open source collaboration, everyone is left vulnerable. In this episode, Jonathan shares the various open source communities that he is involved with, the numerous different elements of supply chain security that need to be addressed, and where and how to start, as well as how he feels about the future of this sector that he is so invested in. Tune in today!
Follow Us
Being passionate about security at a time when industry hadn’t caught on yet, Bryan D. Payne found himself working for the National Security Agency (NSA). During his time there, and in the years that followed where he focused his efforts on research, he learned a number of valuable lessons which he was able to take with him first to a small start up and then to the giant that is Netflix. In today’s conversation, Bryan and I discuss what his role as the Engineering Director of Product and Application Security at Netflix consisted of, the company culture, and how the teams within the company work together to achieve the most effective results. We also get into Bryan’s thoughts on detection methods, data integrity, and how to deal with mistakes that are inevitable when working in the security sphere.
Follow Us
Today’s guest is the CISO at Carta, a software company that helps other companies manage their valuations, investments, and equity plans. Garrett Held has many years of experience in many different arenas within the security space, as well as a degree in business and economics; the combination of these passions led him to develop the program which forms the basis of today’s conversation. Frustrated with the traditional risk assessment model, Garrett came up with a new one, built around the idea of credit card balances and credit scores. In this episode, he explains how the model works, why it is beneficial, the process that went into creating it, and how you can do something similar in your own organization. Tune in today to hear from a true security pioneer!
Follow Us
Today we have a fun episode lined up for you! Over the last year of 2021, we’ve been honored to have some incredibly smart people on the show to share their views and practices in the DevSecCon space with us all. And in each episode, they were asked a slightly open-ended question: if you took out your crystal ball and you thought about someone sitting in your position or your type of role in five years’ time, what would be most different about their reality? For this special installment, we’ve put together some highlights of these brilliant answers! Hear perspectives that cover everything from changes on the data, AI, and ML front to the idea of ownership when it comes to security. We also touch on the increased fragmentation in the DevOps scene that we’re going to need to work with, bigger picture concerns about how regulation might be different in five years, and some final optimistic predictions on ways we could all be in a much better place! We hear some golden nuggets from the likes of Robert wood from CMS, cybersecurity influencer Ashish Rajan, Liz Rice from eBPF pioneers Isovalent, our very own Simon Maple who weighs in with his concrete expectations of what will happen, Dev Akhawe, Daniel Bryant, Rinki Sethi, and so many more! So to hear what these top industry professionals have to say about the future, join us today!
Follow Us
As the year of 2021 draws to a close, we use this episode to look back on the last 12 months, and Guy is joined by Simon Maple to go through some reflections on the major themes, lessons, and takeaways from the show! Simon takes on the role of host, turning the microphone around and probing Guy for his highlights from the 22 episodes we aired during the year. We are so happy to have been able to have these conversations, hosting interesting chats with experts from many different backgrounds and positions, and as we see in this year-end review, there are so many exciting and inspiring changes happening in the DevSec world! Guy talks about hiring people with development experience for security work, the need for empathy, how to adapt education about security for developers, and more. We also have time to look forward to the new year, imagining some of the challenges and key areas we will encounter together. A big thank you to all our listeners for tuning in this year, and here's to another year of insightful conversations and progress in the space!
Follow Us
Today on The Secure Developer, we look at how to modernize security in DevSecOps. To guide us through this, we are joined by Tim Crothers, Senior Vice President and Chief Security Officer at Mandiant. Tim is a seasoned security leader with over 20 years of experience building and running information security programs, large and complex incident response engagements, and threat and vulnerability assessments. He has a wealth of experience in cyber threat intelligence, reverse engineering, and computer forensics. He has authored 17 books to date and presents regular training and speaking engagements at information security conferences. As someone who has been in the world of IT since the 80s, Tim explains how he has seen DevSecOps evolve over time, how security has changed its approach over the years, and what DevSecOps means to him. We discuss the differences between controls and guardrails, how often developers are allowed to override guardrails, and to what degree these are left to the decisions of development teams. To find out what Tim considers to be the optimal setup for the split of responsibility between development teams and security teams, what he looks for when hiring new people into his product security team, and what his top three KPIs are, tune in today!
Follow Us
Welcome back to another installment of The Secure Developer, where we have another fascinating conversation lined up! Today your host Guy Podjamy sits down with Rohit Parchuri, Chief Information Security Officer at Yext, to pick his powerhouse brain about DevSecOps frameworks. Rohit is an accomplished security leader with an established record building, structuring, and institutionalizing security principles and disciplines in the cloud hosting, network hardware, cloud software, and healthcare domains. In this episode, the listener hears a comprehensive understanding of the differences between a health platform and a tech platform, the crucial component of building a culture or security mindset across a company, and the challenges of weaving security into fast-paced and leading-edge organizations. We then touch on the 3 frameworks which Rohit delineates before he starts building a program, before diving deep into the different approaches needed for more heavily regulated industries versus the less regulated spaces. Plus, you'll get a sneak peek into Rohit's favorite interview question, and his hard-won take on the need for dual skills in security as well as the programming landscape. Finally, we look to the future and hear some exciting and pretty accurate projections into what cybersecurity will look like in 5 years time. Press play to hear all this and more!
Follow Us
Welcome to another episode of the Secure Developer! During today’s conversation, Guy Podjarny, founder of Snyk, speaks with Liz Rice, Chief Open-Source Officer with eBPF pioneers Isovalent, where she works on the Cilium project, which provides cloud native networking, observability and security. They touch on plenty of current and relevant topics, with a focus on eBPF and the CNCF and its role in security. You’ll hear all about her role and her journey into the world of cyber security, and what it was like to transition into the sometimes intimidating world of security. We touch on why containers are essentially just processes, and Liz gives us an introduction to eBPF, how it benefits security, and the renaissance it is currently experiencing. Liz tells us all about her work at CNCF and the Technical Oversight Committee, and how it is building much of the foundation for cloud native computing. Join us today to hear all this and more!
Follow Us
In early 2021, Codecov experienced a serious security breach, and today on the show we are joined by their CEO and CTO to get an insider's perspective on the events! We have an enlightening conversation with Jerrod Engelberg and Eli Hooten about what exactly happened, how they reacted, and the important foundations that were already in place that allowed them to handle it in the way that they did. This extra special episode is jam-packed with useful reflections and lessons for listeners from all backgrounds, and just hearing how it all played out is worth the admission alone. Our guests talk about the central importance of the human element to security work, how conversations with the internal and external network connected to the company were key to their process, and why transparency trumps all other concerns for Codecov. We also get into some of the ethics and important conversations that need to happen before any danger is even detected! So to hear all this, and a whole lot more, on a vital, first-hand experience, join us today!
Follow Us
Today we have a great conversation with DJ Schleen, who is the Vice President of Infrastructure and Developer Operations at VillageMD! DJ is an experienced DevOps practitioner, currently working as a security advocate, in his role at VillageMD in the healthcare industry. We get to have a very interesting conversation about the broad state of security and hear about his route into the professional world. DJ transitioned from the early days of hacking into web design, and then brought these skills to his career in security! We talk about some of his best practices for keeping a team on track, how he goes about improving and increasing security, and the end goal of working towards a proactive approach instead of a reactive one. DJ has an impressive track record providing thought leadership to organizations looking to integrate security into their DevOps practices, and his background as a practitioner has provided him with a strong foundation for this. DJ specializes in building progressive apps for security programs, automating security in DevOps environments, and breaking down organizational silos that inhibit the delivery of safer software. So to hear all about his work and thoughts on the field in general, listen in with us today!
Follow Us
When we started this show, we set out to create a stage for security leaders and practitioners to share their learnings and perspectives. It was our hope that we could all learn from one another and have open conversations that are not commonly had in the security community. So, to celebrate our 100th episode, we have compiled some incredible pearls of wisdom from previous guests. At the end of each show, Guy always asks guests to share one piece of advice for those looking to level up their security teams. From focusing on current threats to having a diverse team to putting effort into your personal development, there is a wide range of themes that guests have touched on. We are so incredibly grateful to everyone who has given us their time, and helped us see the positive side of security!
Follow Us
An initial passion for networking and telecommunications led today’s guest on a journey into the world of security. After gaining experience building security from the ground up in a few companies, he is now working as the chief information security officer (CISO) at LinkedIn. Geoff Belknap, in his second appearance on The Secure Developer, dives into the elements which he believes are key to a successful security organization, and a successful company as a whole (hint: flexibility and adaptability are non-negotiable!). We discuss the process of identifying security problems, who owns the risks, and why security is such a difficult thing to measure. Geoff also shares his perspective on changes that he expects to see happening in the CISO realm in the future, and offers some advice for any CISO’s trying to decide which company to work for.
Follow Us
The security of your software all starts with the code. If you’re wondering how we better educate developers on security and teach them to develop more secure code, well, this is the episode for you! Guy Podjarney sits down with Jet Anderson from Nike to discuss education, specifically security education, why it matters, and how to get it right. Jet is a secure software architect, writer, speaker, and evangelist of DevSecOps. A former software engineer on a mission to teach today’s developers to write secure code as part of modern DevOps pipelines, at speed and at scale, he is also the host of a weekly podcast and training program at Nike, known as Code Doctor. Tuning in, you’ll find out why Jet considers himself a developer advocate at Nike, why he chose to invest in security education for developers, and some core principles for training success, as well as the value of informal learning and whether or not gamification is a game changer. Make sure not to miss this episode!
Follow Us
In episode 97 of The Secure Developer, Guy Podjarny speaks to Joshua Gamradt, director of rugged DevOps at UnitedHealth Group, to discuss how Joshua’s work aligns with his desire to foster greater collaboration across departments, using gamification and empathy. We dive into Joshua’s approach to customer-centric security solutions and how their company is using empathy and gamification to pursue that. One fundamental element of his approach is investing in individuals across departments to create a holistic language and understanding of security, and Joshua explains the necessity of classroom learning for engineers and how gamification is applied to generate excitement around learning. Joshua has already seen tremendous results thanks to the improved communication, empathy, and enthusiasm across departments! For all this and more, join us today!
Follow Us
In today’s episode, Guy Podjarny speaks with Johnathan Keith, the Director of Information Security/CISO for ViacomCBS Digital. With over 20 years of experience in information security, cybersecurity, cloud security, and cloud architecture, Johnathan has worked as a subject matter expert across several industries, including banking and finance, government agencies, and media and entertainment. His areas of expertise are in container security, infrastructure as code, application security, and network security. He has a Master’s degree in Science and Information Systems with an emphasis on cybersecurity as well as several industry-leading certificates. He is currently managing an InfoSec team of security architects and security engineers, with initiatives to advance container security and zero trust throughout the entire ViacomCBS Digital organization. In today’s episode, Johnathan shares his cloud-first approach, how his organization came to embrace DevSecOps, and the importance of establishing trust. Tune in today!
Follow Us
How do you protect sensitive healthcare information for millions of people while at the same time keeping up with fast-paced development demands? On today’s episode of The Secure Developer, we speak with Robert Wood who has been grappling with this question over the past year. Robert has an established career in the private cybersecurity sector having worked for a range of startups of varying sizes, from teams as small as six to numbering well over a hundred people. He has since been driven to public service and for the past six months, he has been working at The Center for Medicare & Medicaid (CMS) as their chief information security officer.
In our discussion, we look at the intersection between government and security to interrogate how to make modern security approaches thrive in an environment that poses unique challenges but essentially functions from a place of integrity and good intentions. Robert shares how he’s had to adjust to working at a government agency after his history working in startups, like becoming accustomed to the decentralized goals in government versus the singular focus of product development at a startup. He explains how risk aversion can cause stagnation, which in turn causes its own vulnerabilities and risks, and how he would like to see this issue addressed in the future. Tuning in you’ll hear why Robert is a big proponent of the security champions model and how CMS has been able to utilize an information system security officer. Join us today for a fascinating peek behind the curtain of how CMS is run and how it has the potential to innovate!
Follow Us
Having worked at large and small companies, Rinki Sethi has a range of product security perspectives. She was the VP and CISO at Rubrik, has been at the forefront of developing cutting-edge online security infrastructure at companies like IBM, Palo Alto Networks, Intuit, and eBay, and she is currently the Vice President and Chief Information Security Officer at Twitter. In today’s episode, Rinki shares her journey into cybersecurity and what piqued her interest at a young age. We then gain insights into some of the work that she has done and what she has learned about security champions in the different organizations she has worked at. While there is not a universal approach to embedding security within a company, Rinki shares some of the core principles. We talk about Twitter, what it has been like there for her, and the direction she sees the company going. Rounding off the conversation, we touch on another one of Rinki’s passions: inclusivity and diversity in cybersecurity. She talks about the work that leaders have to do to move the needle to make spaces more representative. Be sure to tune in today to hear more!
Follow Us
Cloud native technology is agile, flexible, distributed, and like anything new, it can be scary. But nothing worth doing is ever too easy, right? Today’s guest, Simon Maple, Field CTO at Snyk, has recently co-authored a report called The State of Cloud Native Application Security, and he joins us on the show to share some of the main findings that came out of the survey which formed the basis of the report. Almost 600 people took part in the survey, with a good mix of roles amongst the respondents. We discuss the reasons that people are choosing to move over to cloud native technologies, and the major concerns that they have with regard to adopting the new technology. The results from the survey reveal the significant impact that a company’s level of automation has on security, and we explore why this is the case. This conversation also covers the types of companies which are utilizing cloud native technology, the different opinions of developers and security people in terms of who should be dealing with security related issues, and Simon and Guy’s projections about what security is going to look like in the future.
Follow Us
In today’s episode of the Secure Developer, Guy Podjarny is joined by Ashish Rajan, who is currently the Global Head of Security for a forward-thinking product company called PageUp in Melbourne, Australia. Ashish has been described as something of a cybersecurity influencer, due in large part to his very successful Cloud Security Podcast, which is on the cusp of hitting the 40,000-download mark. He also has a passion for building communities by speaking and organizing meetups and conferences in the cybersecurity space. In today’s conversation, Guy and Ashish talk about the challenges of starting in a new security position when working remotely during the COVID pandemic and how to build trust and validity. Ashish expands on the concept of security champions and why this title can be given to anyone in a company with an interest in incorporating security into their day-to-day tasks, so tune in today for an in-depth discussion on cloud security and what the future holds!
Follow Us
In today’s episode of The Secure Developer, Guy Podjarny is joined by Dr. David A. Wheeler, an expert in both open source and developing secure software. David is the Director of Open Source Supply Chain Security at the Linux Foundation and teaches a graduate course in developing secure software at George Mason University. He has a PhD in information technology, a masters in computer science, and a certificate in informations security, all from GMU, and he is also a Certified Information Systems Security Professional (CISSP) and Senior Member of the Institute of Electrical and Electronics Engineers (IEEE). Today’s discussion revolves around open source security (or OSS), in which David is an expert, not just from the perspective of consuming open source but also creating and even governing open source. Tuning in, you’ll learn about some of the primary security concerns in open source and the necessity to educate developers about secure software, and David shares some of the tools, tests, and initiatives that you include in your security arsenal. Ultimately, David believes that knowledge is critical, and this episode will educate users and developers alike about common OSS vulnerabilities and how to counter them. Tune in today!
Follow Us
With experience in many different facets of the tech world, Daniel Bryant makes for a very interesting guest. Daniel started out as an academic, with the hopes of becoming a lecturer, but it didn’t take long for him to realize that he preferred being involved in the practical side of things. He is currently working for Ambassador Labs, and in this episode, we pick his brain regarding all things development! Daniel shares his opinion on ethics in the field and no code/low code platforms. We discuss what he believes are the most important elements in ensuring optimal development and where the biggest obstacles lie. We also dive into Europe’s new General Data Protection Regulation and the influence it is having on the development world, the changes that Daniel is seeing in the level of interest being shown for certain topics at the conferences he attends, and what he thinks the future of development looks like! Don’t miss out on this informative episode.
Follow Us
Today's guest, Justin Cormack, comes from the DevOps side of things. Justin is the CTO at Docker and is passionate about security, software development, and the open source community. He also sits on the CNCF Technical Oversight Committee, where he helps projects and communities grow. In this conversation, we hear more about what Justin's position as CTO involves and how Docker is getting back to its roots as a developer-focused company that concentrates on developers' needs. We also discuss what Justin has seen in terms of how companies use containers. Given that containers are still relatively new, their problems require unique solutions, and Justin unpacks some of the security-related concerns that Docker clients face. He acknowledges that they have not always prioritized security. However, with continued feedback from users, they can manage risks more effectively. Our conversation also touches on public and private images in Docker, updates and vulnerabilities, the value of not having to opt-in to security when using Docker, and building software from open source components. This was an insightful conversation, so be sure to tune in today!
Follow Us
Today’s guest is someone we have wanted to have on the show for a long time, and we are so happy to finally welcome him. Dev Akhawe is the Head of Security at Figma, the first state-of-the-art interface design tool that runs entirely in your browser. Before that, Dev worked at Dropbox, as Director of Security Engineering, leading application security, infrastructure security, and abuse prevention for the Dropbox products. He also holds a Ph.D. in Computer Science from UC Berkeley, where his thesis focused on web application security. In this episode, Dev pulls back the curtain and gives us a look at what security at Figma looks like. The relatively small organization has a culture where the security team earns their trust and works openly. This has resulted in far greater cohesion between the security team and developers. We also hear about Dev’s time at Dropbox, and how working on an application with many products exposed him to the gamut of security issues that companies can face. Along with this, we discuss some of the positive changes in how startups are thinking about security, the value of exposing people to different parts of an organization, the place of security champions, and having a curious mindset as a security professional. Dev's approach to security is empathetic, collaborative, and solution-driven, and if you would like to hear more, be sure to tune in today!
Follow Us
Without connecting people, what are you building? How are you managing the things in your companies versus leading your people? Welcome back to The Secure Developer. Today’s guest is Amanda Honea-Frias, who has a great personal story about how she got into security. Starting off a unique career with roles ranging from construction, DevOps, network engineering, technical support, and pen testing, all the way to building and evolving application security businesses, she has been on the team at several enterprise companies, including Belkin, Amazon Web Services, JIRA security and, most recently, the Cisco Security & Trust organization. Amanda is passionate about being part of the change by bringing good management and leadership into her company. Tuning in today, you’ll hear about the differences between small organizations and big organizations, building empathy and putting it to work through influence and not manipulation. She offers her insight on the differences she’s noted as she moves positions, how teams are working and interacting together, and so much more. You don’t want to miss out on today’s episode!
Follow Us
Welcome back to The Secure Developer. On today’s episode, Guy Podjarny is joined by Nicolas Chaillan. Nicolas is the United States Air Force's first Chief Software Officer, responsible for enabling Air Force programs in the transition from Agile to DevSecOps to establish Force-wide DevSecOps capabilities and best practices, including continuous authority to operate processes and streamline technology adoption. In addition to his public service, Nicolas is a technology entrepreneur, software developer, cyber expert, and inventor who has founded 12 companies and been recognized as one of France's youngest entrepreneurs. He has also created and sold over 180 innovation software products to 45 Fortune 500 companies. In this episode, Nicolas talks about security and DevSecOps at a very large scale and in a highly security conscious surrounding. You’ll hear about his career trajectory, what it means to be a CSO, and his approaches for mitigating risk, “failing fast”, and redefining our understanding of security versus compliance. He also shares some interesting perspectives on the role of open source in government security, transparency with commercial parties, and the importance of continuous learning, as well as his advice and predications for someone in his shoes. Tune in today!
Follow Us
Welcome back to The Secure Developer. On today's episode, Guy Podjarny, President and Founder of Snyk, is joined by James Turnbull. James is an engineering leader, author of 11 books, and open source developer, and is currently the VP of Engineering at Timber, working on the open source observability platform, Vector. He was formerly the CTO-in-resident at Microsoft, CTO and Founder of Empatico, and CTO at Kickstarter. He has held leadership roles at Docker, Venmo, and Puppet and was the chair of O'Reilly's Velocity conference. As someone who has been a core part of the DevOps journey, James is especially qualified to discuss how it's similar or different to security. Tuning in, you’ll hear about James’ journey, why he made the transition from security to operations, and why he considers people a key part of DevOps solutions. You’ll also find out where the lines between the two world meet and how one can benefit from the other. Tune in today!
Follow Us
A secure organization requires a large amount of buy-in from beyond those immediately concerned with security. This can prove a challenge at certain companies and facilitating a shared vision of priorities is something that security leads should know the importance of. Joining us on the show to talk about his role and team at Pearson, is DevSecOps Lead, Nick Vinson. Currently heading up the team of engineers focussing on security, Nick has been a driving force in getting the company up to speed on the security front for the last couple of years. We get to hear from Nick about his longer-term history in DevSecOps and how he landed in his present role. From there, we dive into the ins and outs of general security as well as aspects specific to Pearson. Nick shares his philosophy towards team involvement and embedding security-focussed members, as well as unpacking Pearson's approach to security champions and emphasizing the importance of this work. We talk about the primary goals for Nick and his team, the importance of adoption and investment in this area, and Nick's perspective on the most effective ways to achieve this. Our guest also illuminates some specific practices around tests, challenges, and expectations, and listeners can expect to come away with some great insider knowledge on running forward-facing security. For all this and a whole lot more from Nick and Guy, be sure to listen in!
Follow Us
On today’s episode, Guy Podjarny, President and Co-founder of Snyk, is joined by VP of Developer Relations, Simon Maple. Simon takes the role of hosting this episode and chats to Guy about the key 2020 podcast themes. They discuss the importance of security champions and celebrating success, as well as what we can look forward to in 2021. Measuring security programs will be a hot topic, as well as to adapt cloud security practices to help developers secure their infrastructure as code. Listen in as Guy shares his observations on the impact of COVID on security companies and relationships between development and security teams. Trust is crucial, as is automation and the ability to work well remotely. Find out what Guy has learned from the guests he has interviewed, including some concrete tips and methodologies that you can apply in your own organizations. That’s a wrap for 2020! Make sure to tune in to hear Guy’s reflections on the past year, and some projections for the year ahead.
Follow Us
Today’s guest, Mike Shema, is no stranger to podcasts. As the host of the Application Security Weekly show, he has firsthand insights into the trends and movements in the industry. When he is not on air, Mike works with developers at Square to protect applications, their data, and their users. With a broad range of AppSec experience, from manual security testing to building a commercial web scanner and helping teams build secure products, he has seen it all. In this episode, we hear about Mike’s moderator role at Square and how it ties into the organization’s engineering-biased security approach. We learn about their partnership strategy, how they split up cloud and governance security, and the benefits of specialist teams. Mike candidly shares how his empathy for developers has grown over the years, and as such, he is cognizant of not playing the gatekeeper role. The conversation goes to tooling, where Mike sheds light on his ‘why bother?’ addition to the age-old question of whether to build or buy. Moving away from his work at Square, we then take a look at some of the industry developments he has picked up on as a podcast host himself. He talks about how developers have leapfrogged security teams over the past few years and why this is a good thing for the industry. Be sure to tune in to hear this and much more.
Follow Us
Many developers and publishers serve as unwitting vehicles for malware. Today we speak with Snyk co-founder and Chief Security Officer Danny Grander about SourMint — a malicious SDK that has been integrated into popular apps, seeing a total of 1.2 billion downloads per month. That was before it was exposed by the Snyk research team. We open our conversation by summarizing the scandal and unpacking what SourMint is, with details on how it tracks Android and iOS user behavior while allowing for remote command execution. We then dive into how Mintegral, the creators of the SDK, hid its behavior before exploring the range of apps affected by SourMint. After chatting about the role that Snyk plays in hunting for malicious code, Danny shares insights into how they discovered SourMint. We talk about SourMint’s victims and how we can assign responsibility to both developers and marketplace vendors. Near the end of the episode, we reflect on the challenge of protecting people who are using old versions of apps that still have malicious SDK integrated into them. While the scale of SourMint’s reach seems unprecedented, it's a story that’s becoming increasingly common. Tune in to hear what we can do to protect ourselves from malicious code.
Follow Us
In episode 80 of The Secure Developer, Guy Podjarny is joined by Kyle Randolph, VP of Security, Privacy, Compliance, and Assurance at Episerver (who recently acquired Optimizely, where he was CISO). Kyle was our first ever guest on the show back in episode 1, four years ago, so we thought it a good idea to invite him back on to see how things have changed over these past four years. In this conversation, we reflect on some of the insights Kyle shared on the debut show and how these perspectives have since evolved as well as subjects such as Tool Adoption, Control Streamlining and the Paved Road approach. The show wraps up with a look at the idea of celebration and security championing, where Kyle shares why we can never celebrate security wins enough.
Follow Us
In today’s episode, Guy Podjarny talks to Brendan Dibbell, the application security engineer team lead at Toast, a restaurant technology company based in Boston, Massachusetts. Before moving into security, he spent years as a software developer, building mission-critical systems such as identity management, payment processing, and healthcare platforms, but has always been a vocal advocate for security. Brendan shares how they manage cloud security at Toast and what the interaction between the AppSec and the engineering team looks like, and discusses their security champion program, how it differs from the security training for regular developers, and the benefits of having created their own curriculum. Tuning in, listeners will hear how Brendan and his team measure the success of their programs, focusing on the progress rather than on a set of objectives, and talks about what metrics have and have not worked along the way. Later on, our guest explains why interrupting your workflow to solve every little risk that pops up is problematic and why it is far more important to stay focused on the bigger picture while not neglecting to address the smaller issues as you go.
Follow Us
Today, we’re going to explore approaches to security at companies of different scales with Sacha Faust, Head of Security Intelligence at Amazon Payments. Sacha has held numerous roles in security and development across the industry spectrum, and we kick things off hearing about his journey in the space. The first part of the episode is about the difference between security engineering at startups versus established companies and Sacha weighs in on his experiences at Lyft versus Azure and Amazon. At Lyft, Sacha’s approach was all about empowering teams and taking advantage of the fast-growing environment to build things into the company’s fabric. In contrast, teams are bigger and processes more established at larger firms, and Sacha talks about the depth versus breadth-focused approach required. Here we explore what it means to go deep on a bug, hearing Sacha’s ideas about learning from bug failures so you can make an impact you can measure, and the complexities of truly fixing something. We move on to the subject of Sacha’s time as a developer next, and he talks about the lessons he learned about the intricacies of that world and the empathy they gave him when he switched back to engineering. His empowerment-first approach was very much born during that time as was his belief in the value of diversity of experience for building one's career as well as one’s teams. For insights into security work at different scales and a few gems about the people side of security from Sacha too, be sure to tune in.
Follow Us
Today’s guest is Andy Steingruebl, Chief Security Officer at Pinterest, here to talk about DevSecOps, collaboration, and measuring security performance at his place of work! We open with a few details from Andy’s background and how he got into security by working on UNIX systems. After talking about how he splits up his teams, Andy touches on the fact that many issues spill over from one area to another, meaning the lines that divide them are not set in stone and issues get tackled on a case-by-case basis. We shift from security to engineering next, talking about the interaction between application security teams and agile development teams building software. As is often the case, Andy has found that the more communication between the two the better, and he describes how the company culture at Pinterest helps to bolster this practice even further. Secure by default is always a big goal, and Andy talks about the line between using preexisting web frameworks with security baked in and allowing developers to be creative. We dive with Andy into the difficult question of how to measure security performance next, hearing his approach that highlights measuring the applicability of a security control. Wrapping up for the day, we close with some golden advice from Andy regarding security being about people and collaboration, something we would all do well to remember. Be sure to tune in today!
Follow Us
Today’s guest is Lucas Moody, Head of Security Innovation and Operations at Rubrik, here to talk about what being forward-thinking about security in 2020 looks like. We open with Lucas sketching out his impressive career in Silicon Valley and how his role as the first CISO at Palo Alto Networks is informing his current work at Rubrik. Here we explore what it means to work on security as far as operations and product innovation too, and Lucas compares his experience doing this at Palo Alto, a security company first, versus at Rubrik which is more focused on data management, resiliency and recovery, and backup. From there, we move onto the topic of how the shift to cloud and SaaS has changed tech companies and is leading to exciting evolutions in the roles of CIOs, CSOs, and CISOs. Shifting to the idea of security DNA, we discuss how firms should think about security as part of their day to day operations with Lucas next. Before closing, we talk about how the pandemic affected the security strategy at Rubrik, and Lucas details some of the major shifts they made away from infrastructure-related projects to things like identity and access so that security work could still effectively be done remotely. Finally, Lucas shares a few top tips for how firms can level up their security foo as far as throwing old playbooks out and having an independent red team. Be sure to tune in!
Follow Us
On The Secure Developer, we often hear a lot of opinions and experiences from people who are working in development, so today we’re turning to the data, to figure out what works and what doesn’t in the world of DevOps and SecDevOps. Joining us for a panel discussion on the topic is Alanna Brown, Senior Marketing Director at Puppet and mastermind behind the State of DevOps Report, Gareth Rushgrove, Product Director at Snyk and curator of Devops Weekly, and Alyssa Miller, Application Security Advocate, also at Synk. In this show, we get a lay of the land and take a look at the state of where things stand. In this section of the discussion, we hear about vulnerabilities and the mixed bag of data that our panelists have seen around remediation. While there are some positive developments in the space, there are also some areas, like on the container side, where there is great room for improvement. The conversation then moves to security practices and which security controls are effectively deployed and which are not. We gain great insights into the role that integration plays in the efficacy of controls. While it’s not all sunshine and roses, there are encouraging shifts happening around security thinking. From there, we move onto talking about infrastructure as code security and shared responsibility. Again, the panelists present their varied data findings, which paints an interesting picture. Finally, we wrap the show up with consolidating the discussion, where the panelists highlight what they think is key going forward. To hear more from this fascinating, data-rich discussion, tune in today!
Follow Us
Bringing large organizations in line with modern security practices can be a tricky task, especially when they don’t understand how valuable security is to the business and your customers. Today we speak with Geoff Kershner, Chief Security Officer at Medallia, who brings 25 years of experience to bear on leveling up the security of big organizations. After sharing highlights from his career, Geoff talks about the shift from consulting to running Medallia’s security team. We then dive into what their security team looks like and Geoff explains his security philosophy. We discuss how Geoff integrates security into Medallia’s engineering teams through security champion programs and the benefit that upskilling their security practices has for employees. Considering the often hybrid nature of their work, Geoff details how Medallia’s security champions function both workflow-wise and in terms of their role expectations. Focusing on more specifics, we ask Geoff what he looks for in new hires, how his security and developer teams work together, and how product and cloud security are managed. We also touch on how Geoff evaluates security tools and how leveling up security requires being able to adapt your security message to bring your organization along with you, instead of combating them. With a treasure trove of experience, our discussion with Geoff is filled with insights. Tune in to hear more about growing security within big organizations.
Follow Us
It’s been well accepted by now that we’re all humans and if you want to incentivize developers to do well in terms of security then you should recognize them! So, today on The Secure Developer, we will be having another one of our mix episodes, where we compile a sequence of snippets from conversations out of different episodes of the show and our theme for this episode is celebrating success! We feature segments from our interviews with Kyle Randolph, Zach Powers, Siren Hofvander, Mike Hanley, Leif Dreizler, and Eric Ellett, who talk about how success is celebrated at Optimizely, One Medical, Cybercom, Cisco, and Segment. A common theme from our show today is the idea that a little bit of swag goes a long way! Cash rewards tend to incentivize developers to only perform for the money, whereas surprise gifts like shirts, mugs, and hoodies keep things interesting and retain more association with the success they award than money in the bank. Some other interesting methods for celebrating success are public acknowledgments, ‘Cake for No Reason Day’, awards in the form of training and certifications, gamification, and a whole lot more! Tune in and hear how the few firms that do celebrate success are upholding this much-needed tradition.
Follow Us
Welcome to the first episode in a series where we reflect on the lessons given to us by our previous guests. This episode is a deep focus on security champions — developers with extra training who provide input from the security side of things. Our first perspective comes from episode 59 featuring Steve White, Field CISO of Pivotal, now a part of VMware. Steve shares his enthusiasm for security champion programs and speaks about their role in helping their teams make incremental security changes. After talking about why we should be moving security into the early development cycle, Steve gives advice on giving developers one security problem to focus on at a time. From Steve, we dive into episode 42 where we spoke to Kate Whalen from The Guardian. She highlights the value of organizing meetings for developers who are interested in security. These spaces, she explains, are for engineers to ask questions and come to an understanding that security is a shared responsibility. Next, we listen to Omer Levi Hevroni from episode 24, who was a maven for Asurion — their version of a security champion. He talks about the productivity challenges of being a security champion and needing to complete your tasks. Mirroring Kate’s points, Omer emphasizes the importance of having a community to share your experiences with and how conferences and online channels like Slack can serve this need. Our last perspective is provided by Yashvier Kosaraju from episode 66. Yashvier discusses having a security partner on a security team to complement having a security champion on the development team. We talk about the advantages of this system as it allows you to perform a security review on a project as it’s being created, ensuring that timelines aren’t affected. Our guest’s experiences are filled with insight and wisdom. Tune in for more on how you can develop your own security champion program.
Follow Us
On today’s episode, Guy Podjarny, President and Co-Founder of Snyk talks to Nitzan Blouin. Nitzan’s background combines engineering and product management. She built six QA test departments from scratch while bulletproofing big data with mobile products. Nowadays, she’s leading Spotify’s product security team. In this episode, Nitzan digs into changing culture, something that she has managed a couple of times before in a variety of contexts. She shares a bit about her journey from quality assurance to security and how they are essentially two sides of the same coin. We get a step-by-step process from Nitzan, about how she sought to create a plan that would solve security as an engineering problem at Spotify. She also has some tips about interaction models, hiring a diverse team, and talking to your customers. Tune in today for more on changing culture, from Nitzan Blouin!
Follow Us
Security teams often adopt an untrusting and policing approach to development, creating confrontational relationships that only increase risk. For many companies, this culture of gatekeeping prevents the adoption of DevSecOps practices. But now the data is out! Having used agile practices to integrate DevSecOps into Comcast’s development cycle, Larry Maccherone has shown that DevSpecOps significantly reduces risk. On today’s episode, our conversation with Larry focuses on his experience transforming Comcast’s development team. We open by talking about Larry’s career and how he’s learned the importance of visualizing data in order to explain his research. Larry shares the pushback that he experienced from security teams when implementing DevOps practices and how getting this approach to work involved a gradual onboarding process. We discuss the challenges that arise when you follow some DevOps practices but not others before diving into Larry’s research. Despite having results that prove the value of DevSecOps, Larry talks about the unique problem that, “You’re never a prophet in your own town,” meaning that people often fail to recognize innovation when it is developed in-house. Near the end of the episode, Larry talks about cloud tech before giving advice on taking your security to the next level. An episode filled with insights, tune in to it and learn how you can transform your dev team.
Follow Us
Today, we talk about business, technology, and development as it relates to cloud security with Teri Radichel, CEO of 2nd Sight Lab and author of Cybersecurity for Executives in the Age of Cloud. Teri begins by explaining how she got into the world of cloud security after experiencing a breach in her prior web application development and hosting company. From there, we explore what cloud security is all about and Teri starts by defining cloud systems in contrast to physically rented servers. She mentions a concern in the form of the new distributions of responsibility between client and host, and then sketches out some of the novel security challenges posed by the unique architecture of cloud-based apps. We get into a few of the main places that breaches occur and then discuss how necessary – and possible – it is for people from executives to developers to become more security savvy. This brings up the issue of the fine line between raising justified alarm bells and fear-mongering, and we hear why Teri believes talking about security is of utmost importance. Other big takeaways from today’s conversation are Teri’s thoughts on the way teams are distributed, and we touch on the need for developers and security people to understand each other's roles more, the importance of ‘builders’ and ‘auditors’, and how to make the job of security teams easier, thus put them to best use! Make sure you tune in for all this as well as Teri’s thoughts on how cloud systems can optimize security, and some valuable lessons from her about personal and professional growth!
Follow Us
Today’s episode of The Secure Developer features some fantastic content from a panel at DevSecCon London. Clint Gibler, Research Director at the NCC Group is joined by Doug DePerry, Director of Defense at Datadog, Tash Norris, Head of Product Security at Moonpig, Jesse Endahl, CSO at Fleetsmith, and Zane Lackey, CSO at Signal Sciences. The discussion begins with a dive into building a good security culture within a company and ways to get other members of an organization interested in security. Some of the strategies explored include cross-departmental relationship building, incentivizing conversations with the security team through swag and food, and embedding security within development teams. We then turn our attention to metrics. There are often competing priorities between developers and security, which can cause tension. The panel shares some of the security metrics that have and have not worked for them, and we also hear different takes on the often-divisive bug count metric. Next up is a dive into working with limited personnel and financial resources, one of the most common constraints security teams face. We hear how the panel approaches prioritization, adding value to the organization as a whole, and the importance of making the security capabilities digestible to the developers. After this, the panel explores risk quantification and subsequent communication. While it's difficult to quantify risk precisely, there are some effective strategies such as risk forecasting. Along with this, techniques on communicating with executives in resonant ways to convey the severity of potential threats are also shared. Other topics covered include policy-driven vs technical-driven security and skilling up less technical teams, how to know when security is ‘done,’ and incentives for upholding security protocols!
Follow Us
Chaos engineering is a powerful practice where experiments are run to build confidence that a system operates as expected. While the practice shapes the way that large-scale systems are built, it is underutilized in the security space. Verica, a continuous verification company that uses chaos engineering to make systems more secure, is looking to remedy this shortfall, and its co-founder and CTO, Aaron Rinehart joins us today. Aaron has been expanding the possibilities of chaos engineering in its application to other safety-critical portions of the IT domain, notably cybersecurity. In this episode, we learn more about Aaron’s diverse background. Having worked as a developer before making his move into security, he understands systems intricately, giving him unique insights. We then dive into chaos engineering, the proactive approach it takes, and the intentional feedback loop it provides. Aaron believes that these experiments are great learning moments because there is not a high cognitive load that comes with unplanned system failures. After, we turn our attention to how chaos engineering ensures systems' stability is accelerated in a controlled and managed way. Along with this, we explore why it’s not necessary to wait for production to test different security controls, what security chaos engineering offers instant response teams, and some fascinating use cases. Be sure to tune in today!
Follow Us
For this episode, we are joined by Yashvier Kosaraju, who manages the product security team at the ever-inspiring Twilio! Yash is here to share a whole load of insights and learnings from his career, with a specific focus on the 'Security Champions' program at his current company and what management means to him coming from a consulting background. We hear from our guest about the unusual path he chose to his career and how an interest in cryptocurrency led him into the security sphere. Yash does a sterling job of unpacking the way the different security teams are laid out at Twilio, their relationships to each other and the developers, and where the lines are drawn. Our guest gives us some insight into the work that he and the team typically do and some examples of their projects and there is also time for some philosophical musings as we talk with Yash about the importance of developer empathy for anyone working in security as well as the high value he places on listening as a means to improvement. The 'champion' concept at Twilio is really inspiring and the conversation covers how this actually works within teams and departments and the incentives and rewards that are offered for better security practices. Listeners can expect to gain access to a high-level and integrated systems approach, something that could be helpful to anyone in the space!
Follow Us
On today’s episode, Guy Podjarny talks to Alyssa Miller, a security advocate who is here to talk about everything DevSpecOps. Alyssa begins by detailing her extensive experience from working in FinTech to becoming a penetration tester, security evangelist, team leader, and security consultant. After talking about her experience with app security, Alyssa shares her perspective of the tech world and the incredible changes that have emerged over the past two years, including the rise of cloud technology and the use of docker images. Then Guy and Alyssa talk about Snyk’s DevSecOps Hub — a tool that guides organizations in implementing DevSpecOps into their organizations. Along with theory on the topic, the hub is filled with practical advice as it relates to DevSpecOps culture, the ‘people components’ of a business, processes, and technology. The Hub also has a space for people to share how they’ve implemented and matured their DevSpecOps models. Throughout the conversation, Alyssa draws on her experience to provide insights on DevSpecOps, emphasizing the need for a model that integrates continual improvement, shared responsibility, and an aim for greater security.
Follow Us
On today’s episode, Guy Podjarny talks to Ryan Ware, a Security Architect and director of the Intel Products Assurance and Security Tools team. He has been at Intel since 1999, and has focused on product security for almost his entire career. His current passion is ensuring that developers at Intel have the right security tools in their hands to be able to quickly and efficiently understand the security implications of the choices they make in their daily work. In this episode, Ryan and Guy discuss open source security and how Intel deals with vulnerabilities in open source projects, the collaboration between security and development teams at Intel, and how COVID-19 has affected Ryans job. Ryan shares his perspectives on balancing management and individual contributor roles, some tips for that transition, as well his final advice for teams looking to level up their security foo. Tune in today!
Follow Us
On today’s episode, Guy Podjarny talks to Kelly Shortridge about security, microservices, and chaos engineering. Kelly is currently VP of product strategy at Capsule8, following product roles at SecurityScorecard, BAE Systems Applied Intelligence, as well as co-founding IperLane, a security startup which was acquired. Kelly is also known for presenting at international technology conferences, on topics ranging from behavioral economics at Infosec to chaos security engineering. In this episode, Kelly explains exactly what product strategy and management means, and goes into the relationships and tensions between dev, ops, and security and how that has changed. We also discuss container security and how it is different from any other end point security systems, as well as the difference between container security and microservices. Kelly believes that we are overlooking a lot of the benefits of microservices, as well as the applications for chaos engineering in security. Tune in to find out what changes Kelly sees happening in the industry, and see what advice she has for teams looking to level up their security!
Follow Us
Careers often take interesting, meandering journeys and coalesce in unexpected ways. With a Ph.D. in Medical Genetics, today’s guest, Dr. Wendy Ng did not envision herself working in DevSecOps. However, she has combined her academic skills with technical prowess to now hold the role of DevSecOps Security Managing Advisor at Experian. We kick the episode off by learning more about Wendy’s diverse background, from her time in the lab to her first network engineering position and what piqued her interest in security. From there, we move to what she saw being a consultant, working across multiple industries. She realized the importance of not always chasing the shiny object and the research it takes to implement new security systems effectively. We then take a look at her time with Experian and what she’s gained from it so far. She has seen firsthand what it takes to manage security transitions holistically and shares these insights with us today. We round the show off by talking about the power of collaboration and knowledge sharing within an organization. Be sure to tune in today!
Follow Us
For this episode of The Secure Developer Podcast, we welcome Scott Helme to chat with us about front end security. Scott is the force behind Security Headers and Report URI and he is also a Pluralsight author and an award-winning entrepreneur! We get to hear about Scott's professional trajectory since leaving college, the interesting developments and changes he has made along the way, and his current work with his different projects. Scott then explains the service that Security Headers provides, something that he created to effectively scratch his own itch. The educational value it offers is quite remarkable and our guest does a great job of explaining exactly how it functions and its ease of use. From there he turns to Report URI and explains how this company compliments the services of Security Headers. Our conversation progresses onto the topic of HTTPS and the encouraging increases that have been happening for years now in terms of adoption and ultimately, security. This is something that Scott has been very excited about and happy to see, as it shows a general trend in the industry towards better, safer practices and standards. The last part of our conversation is spent with Scott sharing some thoughts on organizational approaches to security and what he sees in the near future for the space. For all this and then some, tune in today!
Follow Us
Today we have a great guest who brings battle tested perspectives on security from both inside and out, Ian Amit! Ian is Chief Security Officer at Cimpress and founder of the Penetration Testing Execution Standard as well as Tel Aviv DEFCON group (DC9723). Ian has worked on everything from pen testing to red teaming, risk management, research, and national security too. We kick things off hearing about Ian’s journey in the field starting out tinkering with computers in his early teens and working on application security in its nascent phase, before he moved into consulting and then went full circle from the vendor to customer side in his current position. Ian moves on to talk about his approach to vetting vendors in light of being one himself once, and the experiences he had working at Amazon of the difficulty of drawing the line as far as shared responsibility for security between cloud providers and clients goes. We then move to hear more about the mass customization services Cimpress provides before digging into their practices for offering custom security to their clients. Ian sheds light on the minimum standards Cimpress’s clients need to meet in regards to their secure software development practices and more. He talks about how Cimpress guides their clients in this manner using a secure SDLC framework and the ‘paved road’ approach, weighing in on how this is also expanding their best practices further afield. We wrap things up hearing about the challenge of finding metrics to measure their evolving systems, and Ian talks about their use the NIST Cyber Security and FAIR frameworks in this regard. Tune in for some brilliant insights from a man who has done it all!
Follow Us
In episode 59 of The Secure Developer, Guy Podjarny talks to Steve White, Field CISO at Pivotal. Steve spends his time helping organizations envision and implement new ways of integrating security into their software development, deployment, and operations life cycle. Most recently, his focus has been on cybersecurity, helping build a cybersecurity consulting practice for Microsoft and then leading security teams for companies such as Amazon, Sonos, and CenturyLink.
On today’s show we talk with Steve White, Field CISO for Pivotal, where he gets to regularly exercise his passion for working at the intersection of application security, development, infrastructure, and operations. Steve spends his time helping organizations envision and implement new ways of integrating security into their software development, deployment, and operations life cycle. Most recently, his focus has been on cybersecurity, helping build a cybersecurity consulting practice for Microsoft and then leading security teams for companies such as Amazon, Sonos, and CenturyLink. Prior to joining Pivotal, Steve was the Chief Security Officer at ForgeRock. In this episode we are going to get a broader perspective from Steve on digital transformation within organizations. We also hear from Steve why he recommends making small incremental changes, we discuss the idea of a security champion, as well as the best practices for helping developers understand the importance of cybersecurity work. Finally, Steve shares more about how to recognize when organizations are having challenges with digital transformation, and why it is key to focus only on the actual threats and not the imaginary ones. So don’t miss out on today’s enlightening conversation with Steve White of Pivotal.
Transcript
[00:01:32] Guy Podjarny: Hello, everyone. Welcome back to The Secure Developer. Today, we’re going to get a bit of a broader market perspective here from someone who works with a lot of security and development through the years across the enterprise, and that is Steve White who is a Field CISO at VMware.
Steve, welcome to the show. Thanks for coming on.
[00:01:49] Steve White: Thanks, Guy. Thanks for having me.
[00:01:50] Guy Podjarny: Steve, we’re going to go broad in a sec. But before we do that, tell us a little bit about yourself and your path to where you are today.
[00:01:58] Steve White: Absolutely. Well, the first thing I’ll say about my path was, like many, it was accidental in a lot of cases. I started my career really honestly back before security was even a profession, the early security practitioners. We were sys admins and network admins and the people running the systems. We didn’t have things like firewalls and we didn’t have things like anti-malware software. We kind of invented this space, trying to protect our systems. The first firewall I ever used was a bit of software running on a Sun server.
Fast-forward a career from there, I learned to really appreciate all facets of security during those early years. I moved into some application development roles. Ultimately, senior tech leader role and then moved into security full-time, trying to help build up a security consulting practice for Microsoft. Then from there, I’ve held a number of internal security roles at places like Amazon, CenturyLink Cloud, and Sonos. Then I was the Chief Security Officer at ForgeRock. Now, I’m a Field CISO at Pivotal VMware and spend my time really focusing on how can I best help organizations think through and strategize around this transformation into cloud native. How do we take what had become traditional enterprise security mechanisms and methods, and how do these change based on sort of this move to interesting things like containers and microservices and agile development? That’s why I spend my time thinking about and looking at today.
[00:03:35] Guy Podjarny: Who do you typically work with? Who’s the peer in the companies you work with or maybe the profile of the companies?
[00:03:42] Steve White: It has to be the larger global enterprises, so those companies who are primarily going through digital transformations. Companies who are writing a lot of their own custom code that they derive significant business value from, and they’re working to transform how they write that code from sort of the traditional monolithic waterfall method into now the microservice-oriented cloud native 12- factor apps, right? As those companies who are making that transformation because it brings business value to them.
I'm working primarily with their security leadership and security engineering and architecture organizations.
[00:04:29] Guy Podjarny: Within those organizations, within the enterprises that you work with, who is the sort of typical profile or role of a person who works with you on sort of understanding the security concerns? Is it more the CTO? There’s more security mind role.
[00:04:44] Steve White: It’s definitely the security organizations. I have a number of peers that I work with who spend more time on the application development organization side of things. I focus almost exclusively on the security organization, so I spend my time talking primarily with CISOs, with director of information security, or sort of the leadership in engineering security architecture kinds of spaces. I spend much of my time there.
Lately, I have been doing some more detailed hands-on security workshops with I would say representatives sort of from every security discipline in the company, so security operations, incident response, architecture and engineering. We’ll bring them all together in a room for a day and work through some of the implications of what cloud native security really means in each of those parts of the security team.
[00:05:36] Guy Podjarny: Thanks for that. It’s sort of the context.
[00:05:37] Steve White: Yup.
[00:05:37] Guy Podjarny: Just to dive right into it, like you’re helping these organizations kind of keep security or level up even security as they do this sort of digital transformation and embrace all of these exciting new technologies. What do you see as kind of the pillars or the core tenets of change that they need to do?
[00:05:55] Steve White: Well, it starts with – The first tenet of change in this space is that it's not just a technology change, although there is some technology shift that needs to happen. It’s a culture and a perspective change that ultimately is the larger piece of what’s to happen in information security, like it has happened in the rest of the business, right? We liken it to this change from security historically perhaps was perceived as providing perhaps gates, and you had to pass through the security gate to get to production or something like that.
The phrase I like to use is we’re moving from gates to guardrails, right? So security’s function in the enterprise moving forward should be to provide these – They’re like the safety net, right? There's a top and bottom guard rail that would protect you from sort of exceeding really bad parameters but within those guardrails. Development teams, operations teams have the flexibility to move around, to fluctuate, to flex, and to experiment frankly with what they need to do. That’s one big topic. It’s just that it’s that cultural shift, that mindset.
When you start to peel that back, how do you think about these culture changes, it really honestly comes down to – From my experience, it’s the idea of pairing, right? The key differentiator I believe these days in helping security transform into this kind of cloud native organization is pairing them with developers from application development teams and vice versa, right?
Let's expand our knowledge, let’s expand our relationships, and let's expand our understanding of how this work impacts the business. I think that's like one of the really key factors.
There’s a whole lot of technology that comes with that culture change too.
"But without the culture and perspective change, all the technology in the world isn't going to make a difference."
[00:07:55] Guy Podjarny: I’ve got like a whole like a series of questions now to just ask based on that aspect. I’ll start with that pairing comment. Pairing is a bit of a loaded term in the world of development you talked about sort of in those three program in pairing. When you talk about pairing developers and security people, are you literally talking about like two people watching the same screen and work together or pairing them to like a team?
[00:08:15] Steve White: In an ideal world. Yeah, both in an ideal world. So I am ingrained in the Pivotal culture. I know you’re familiar with Pivotal and what we created, right? Pivotal is very big on extreme programming and pair programming and test-driven development and all of the things that go with that. I'm here because I believe pretty strongly in the value of those things, but not every enterprise is there, right? Not every application development organization, for example, sees pair programming the same way.
When I speak of pairing, I would love to see it be in the true sense of paired programming where two heads sitting in front of one screen, working on solving one problem together. If one of those folks is a security engineer and one of them is a feature developer, they’re both learning a lot and adding a good chunk to the conversation. That doesn't necessarily work for every organization. If you're not an organization where pairing is a particular practice that you use, then you go along the line of things like rotations, right? Take a security engineer out of security. Put them into a feature development team for 90 days or let them be a part of that team and participate at whatever level they can and write code at whatever level they can and vice versa, right? Take a feature developer. Embed them in the security organization for 90 days or 180 days, whatever you can do.
Pairing can look like a lot of different things depending on the what's appropriate to that enterprise. But it's pairing these folks who would not necessarily have been working together side-by-side. Give them common shared goals and outcomes for a period of time and let them learn from each other, right? That connectedness in that relationship I think is a really important part of that.
[00:10:03] Guy Podjarny: I love the analogy to sort of extreme programming pairings. I think organizational pairing, that makes a lot of sense to me as well. That visual of sort of working together is beautiful one for the cases where that works.
[00:10:14] Steve White: It is.
[00:10:16] Guy Podjarny: Unpacking another piece that you said over there was this notion of guardrails. I’m a firm believer, right? Guardrails, you basically want to say, basically paint out the extremes about general paths kind of between past those elements. How do you help developers go make the right decisions in-between the guardrails? There’s still a range of security and decisions that you make.
[00:10:36] Steve White: That’s right, yes. This is another key thing I think that's enabled by this idea of cross team sharing that I described, and that's in the modern sort of cloud native security organization. I say a good chunk of time used to be spent writing tools, writing code that the rest of the organization can adopt. Whether those tools be things like – Whether those are code blocks that enforce identity, authentication, and authorization in a particular way for the languages used by your company, right? That’s one idea. There’s a lot of other ways that security teams can write code, and that’s typically in the realm of either reusable objects that developers can embed in their project and use or it's in the realm of tools that help them integrate their methods and their procedures better with the tools that exist in the rest of the organization, where having security focused on writing code in those spaces I think pays big dividends in that question. How do you help developers navigate the guardrails ? You give them tools to do that. The security organization should spend a good chunk of its time creating tools and listening to the developers and making them better, so those tools better fit how the developers do their work.
[00:11:57] Guy Podjarny: Yeah, for sure. I guess when you work, like you work with secure organizations that might not have had that approach before they started. I imagine like many times they’re not necessarily like the skills in the team without necessarily letting themselves doing such so coding activities. How do you see or maybe how do you guide organizations to sort of navigate that expansion or transition of skills? Actually, if you have any opinions on which skills can they actually invest less in as we move to this world?
[00:12:29] Steve White: Yeah. I’ll maybe start with the first part of that question. I absolutely have thoughts on that. Everything goes back to agile. It’s about incremental change. The first thing I would speak to organizations making that transition is don't try to do the whole thing at once, right? Pick a particular area where you can make an impact, and you don't want it to be a low, quiet, non-visible area. Some people try to do incremental change. They’ll pick this little quiet part of the business that doesn't have a lot of visibility and impact. That’s actually not the right way.
The right way is to pick a small piece of what you do that has lots of visibility, lots of impact and make a change there, right? Pick a marquee application that's being developed and have one of your security engineers working with that team or vice versa. Pick a particular problem area. So if you do a survey across your development organizations, if there’s a particular problem let’s say with how SQL authentication has happened with backend databases, that's visible and it often will cause security vulnerability alarms. So pick that one problem, and now go and write some code to solve for that problem.
If you don't have any folks in the security organization who are developers, borrow some. This is back to that pairing idea. Bring a couple in from the application development organization and have them help you write tools that they and their peers would want to use, right? But do it in a paired programming model. So even if you're not big on paired programming, in this scenario bring one of your security engineers who’s eager to learn new things. Pair them with that developer in whatever way works in your organization. Let them learn from that effort. That’s like how an organization can get started like right away.
The other thing I would be doing for any enterprise organization doing security today is I’d be hiring for these skill sets. As you’re hiring new people into the organization, this is a place you can hire junior people into security. Maybe they don't know a lot about security but they're pretty good. They’ve got some good development skills behind them. You can hire them into the organization, as most enterprise size security organizations regularly have openings that they’re trying to fill. Rethink about some of those open positions. Repurpose one or two of them. Bring in a developer heavy or even a developer with little security experience and then train them over time.
The last piece of that that I would say is training, right? Find individuals inside your security organization who raise their hands and say, “Hey, I want to learn this new thing. I want to be part of this change,” and give them some training, right? You can invest in your people and sending a security engineer to training to learn some development skills that creates loyalty. It creates energy. It creates enthusiasm. It creates a whole lot of positive side effects that they can then bring to the organization. Those are like three straightforward things you can do. There's a variety of others.
[00:15:37] Guy Podjarny: Yeah, I know. But those are great advice, both on kind of where you focus, which is pick one that matters and not the kind of hidden that you care about. It’s sort of the transitional sort of change and the pairing once again. I think that’s definitely kind of a strong theme and a powerful one in kind of the human aspect of sort of [inaudible 00:15:54]. All sound like really good suggestions. It’s going to be like a transition. We’re going to make a bit of a transition towards the world of dev, right? This is security, and they’re building and they’re building those kind of skills and tools with different approaches. How do you then advise that they engage with dev? I mean, how do you see the collaboration happening in terms of process and steps?
[00:16:19] Steve White: There’s a lot of different ways you get after that. I'm a big fan. I've seen a lot of success in what I have historically called the security champions program, right? Security champions tend to be – It's like a way you help the development teams get invested and take ownership of security for their code, the stuff that they're creating. It’s difficult to try to train everyone all the time and get them really enthusiastic about security things, right? I think that's not effective for most organizations. It’s to try to get an entire development team jazzed about security.
It’s like pick same ideas. I have one on the security side and on the developer side. Pick a person, one person that’s part of the team who has some enthusiasm for security, who has some understanding or some background in why it's important, and invest in them, right? Give them some additional training. Delegate to them some responsibility that perhaps the security team might've held within their arms previously. Find a security champion. Say, “Hey, we’re going to invest in some training and we’re going to invest in some responsibility, right? That now because you’re on the team, we’re going to take off the reins somewhat. We’re going to take off some controls, loosen the guardrails, and give them more flexibility within this operating framework, because you now have a security voice embedded within the team.”
That person, because they are a day-to-day functioning member of the team, can find incremental ways to help the team make small changes or do small things a little better. I'm a big fan of that natural growth of security awareness inside of a team.
The second part of that is frankly is to move security tooling and security validation earlier in their process, right? Well, I like to talk about this shift left thing with security. Although if you ever look at the DevOps lifecycle, it’s a continuous loop, so how you shift left in the loop is beyond me. But nonetheless, we still use that terminology. For me, it’s simply where do I provide security feedback to developers in a more timely fashion and in a way that's consistent with the way they work. That's always been one of the challenges is in security we’ll like run our SaaS and our desk tools somewhere down in the pipeline, and all we do is send them a report of a thousand probabilities in their code, and we’re done.
That’s just not how you build those bridges, right? It’s not how you build awareness, and so finding ways to give those developers actionable real-time feedback as close to the time they write the code as possible and then making sure that when you're providing security-related findings or feedback or what have you, that it really actually truly is actionable. It's not fanciful. We have this tendency in security to sort of take the high ground, right? It’s like all the vulnerabilities have to be gone. There can't be a single line of misplaced code. That’s not really where we need to be, right?
One of the advice I've heard from others who I respected in this space is pick a particular security problem you’re going to focus on, say, for a month and have all the development teams focus on that one class of vulnerability like SQL injection. We like to pick on that, because that’s a pretty bad one. It’s like all the teams focused on – We’re going to focus on SQL injection this month, and so we’re going to turn the knob up. We’re going to turn the noise level up on SQL injection this month, and we’re going to do everything we can. Then next month, we’ll look at something else. But engage the teams in that conversation about what it should be, how they should receive the feedback, what's best for them. If you actually engage the developers in that conversation, I think you will ultimately get better results. Those are some of the keys, yeah.
[00:20:20] Guy Podjarny: All great advice and I very much resonate with some of the whole shift left on it to say it’s not shift left. It’s top to bottom, it’s to go from central governance to central controls and sort of bottom up and power teams.
The question about the practicality of the security champions program, I mean, lots of good things to say about it. One of the pushbacks is that organizations don’t always acknowledge this developer, the person in the development team who’s now been sort of added in some form of authority, might have a different job. I mean, how do you recommend or sort of how do you see work best for organizations that do that security champion in terms of the role description for the security champion? Is it a percentage, less work that they do on the product side? I mean, how does that relate to their day job?
[00:21:08] Steve White: Well, that's a really interesting question, and I think is also in some ways a cultural question, right? If you are trying to measure output of individual developers down to the level where they if they’ve spent two hours on security champion work, it would show up in some developer productivity metric. I think you need to question the cultural approach to that, because frankly,
"output of development organizations should be focused minimally on the team output, right? There is very little external measure I would argue that is effective in measuring explicit individual developer productivity and especially in organizations where you’re pairing, because now it’s like, “Well, am I measuring the pair?”"
Frankly, I would first say if you're trying to measure individual developer productivity at that level, I think you’d need to ask some tough questions about is that really effective and is that really the culture you want drive. If you take that up a level and you’re measuring productivity and impact, it’s really more about impact and feature flow and team metrics, right? Are they getting impactful things to the customers? Do the customers love what they deliver? Do they deliver frequently? Those kinds of metrics are what's important. I would argue that you're not going to see a big change in that by having one person spend some time on security champion types of duties.
The other thing is that once trained – So there is a training period. Then during that training period, there may be some reduction in flow, but the responsibilities of the security champion are really just to speak up during planning or speak up during design sessions to ask the questions of the team. Did you think about this or did we include this or is this something that really should go through a deeper security review? It doesn't take a lot of work, right? It’s not a big investment of time. It's like a focus versus amount of effort kind of thing, so it shouldn't take a lot of time.
[00:23:14] Guy Podjarny: That’s some great aspect. It kind of leads me to sort of another question I wanted to ask, which is like this measure. That team is also supposed to produce secure software and presumably whatever low [inaudible 00:23:26] provided by this sort of individual that might be helping also take some off or like helping others do their work more effectively. We’re going to kind of take that last step into the world of dev and ask some questions there. How do you see, again, kind of best practices around helping the dev side of the fence appreciate security work, sort of time times spent, effort made in security, in terms of like measurements, mandates? I mean, like these are enterprises [inaudible 00:23:57] small organization sometimes or small [inaudible 00:24:00] in values in change suffice. It tends to be that in the enterprise it needs something a little bit more structured. What works best?
[00:24:09] Steve White: First off, I don't think that I've seen a one-size-fits-all for every enterprise, because honestly it is a very cultural perspective. Even within enterprises, there's a big variety in culture. But I will say that I think the most effective thing I have seen in terms of helping the developers understand the impacts and the importance of security is frankly the value of something like a pen test, but a pen test specific to the code they’re writing, because really a penetration test or a testing like that comes from the attacker mindset. What we’re really trying to do in this scenario is to help the developers really adopt an attacker mindset. It’s like if I was attacking this code, number one, why would I? Give them some really good illustration like if I break ‘this’, then I got to ‘this’. Now, all of a sudden, I copied a thousand credit card numbers or healthcare or health record pieces of information.
Nothing I think reinforces that message better than that kind of effort, and that’s true from the executive tier and down, right? Like a good penetration test that demonstrates a chain of vulnerabilities carries powerful illustration.
[00:25:26] Guy Podjarny: A sobering moment too.
[00:25:27] Steve White: It does. Those things don't have to be external, so the other really interesting thing here is if you're building this kind of culture, is you can actually build a pen testing or a vulnerability assessing kind of mindset even within the application development organization, right? There's nothing that says that you might not take a Sprint and attack your own code or attack your neighbor’s code and have them attack yours. Actually, you spend some time having folks go out actually purposefully attempt to exploit their own code or the other team’s code. It really reinforces these things of, A, thinking like an attacker, understanding how these things can chain together and more importantly leading back to what's really important to the business.
Every developer I've ever worked with, they care about the business. They care about what's important to the business. They care about their code doing good things for the business. If you can always tie these back to what data is being protected, how their code fits into that story, and if you can make this connection very visceral through pen testing and those kinds of things, I find that carries a lot of emotional value for the organizations.
[00:26:42] Guy Podjarny: I love that as well. I mean, it’s like security to an extent is sobering, as well as fun. So security and risk is – This other one’s boring but sort of –
[00:26:51] Steve White: I will tell people like the most fun I ever had in security is red teaming, right? That was my most fun assignment ever in security was being a red teamer or a black hat hacker.
[00:27:02] Guy Podjarny: One more question on the dev side. We’re going to level up a little bit. What you suggested right now is good for like getting them engaged, kind of getting them alive. How do you measure if they’re doing a good job? I guess that’s just not the developer’s job but security as a whole. But how do you know that it’s working?
[00:27:21] Steve White: There are I think various ways to answer that question. But ultimately, it comes down to me. Number one, are the risk metrics that you use as an enterprise, are they improving? Every enterprise has a set of risk metrics that they’re tracking as it relates to all parts of the organization, and so the way to look at this from the app developer side is a set of those metrics that apply to the custom developed applications and the platforms on which they’re running. One way of looking at this is simply talking about are those risk metrics going down or up. Whichever way they're going, having a pretty open honest conversation about what it is that's driving those metrics down or up. So that's one way.
Another way to look at that would be in the – I'm thinking of the relational metrics of it, right? I'm big on actually having people who are working together, basically kind of rating that experience or rating their collective collaboration. I'm looking for a word here, but it's like how do I rate the effectiveness of my collaboration. That's ultimately what I'm after. I think –
[00:28:34] Guy Podjarny: Almost like a sentiment element –
[00:28:36] Steve White: Yes. It’s almost like an NPS. It’s like a net promoter score but it's internal, and so I would say you’re seeing success in this scenario if you ask the app development organization, “Hey, how good of a partner is security? How easy is it to follow the guardrails? What roadblocks are you seeing in the security processes,” and vice versa. You marry that up with similar questions from the security organization. Hey, how receptive do you find the app development teams? How collaborative is your relationship with them? How is the quality of the security in the custom-built applications going? Ask these questions on both sides of that equation and focus on sort of the collaborative aspects of it more than the “are the desk tools results going up or down in terms of vulnerability”. That’s sort of an irrelevant metric to me, frankly.
The number of vulnerabilities found in the source code, well, that can change just as I release a new tool into the environment, and it skyrockets, right? So I think more about metrics that are more about collaboration, effectiveness, and then ultimately like what really is getting through like flow. How easy is the flow of applications through my security pipeline? If it's easy to flow things through that are secure, great. If it's not so easy to flow things through, even if they’re secure, that’s a red flag, and you can put metrics around that. You can measure it.
[00:30:07] Guy Podjarny: That’s awesome. I definitely agree with kind of the sentiment of like it’s people first, and you do those sorts of just the metrics. But there’s a lot. I haven’t heard this sort of the survey idea or this notion of ask people thing if they are collaborating well or not.
Before I kind of ask you for your bit of advice, just one overlaying question. You’ve been in security for a while and you’ve kind of seen it transition. You’re also advising organizations specifically on that transition from pre-imposed cloud native. It must have sort of developed more of a sort of – beyond the frameworks and all that, some crunch, some sort of sniff test about you’re coming in, some properties that you’re sort of seeing indicate, hey this company is probably not or is very effective in security. What would you say are like the key highlights that really kind of triggered that alert and how has that changed between kind pre-cloud native I guess, which arbitrarily affects the worlds into pre-cloud, post-cloud?
[00:31:06] Steve White: There's a lot of things I would say around that one. The first and most important I would go back to - is there an ongoing collaborative relationship between security and the application development teams? Is that relationship through service desk tickets or is there an actual conversation happening on a regular basis? That, to me, is the key indicator of a problem. If there is not an active ongoing like daily or weekly conversation happening with active participation from security and app dev, then I think you need to dig deeper because I think that's indicative of a challenge. If all communication is through service desk tickets and those service desk tickets take three weeks to solve, I mean that's an indication of an organization that may have some challenges in these kinds of digital transformations. That’s the point of it, right. These kinds of digital transformations are all about speed and agility, so you only get speed and agility if you're having active conversation versus trying to communicate sort of asynchronously. That’s number one to me.
Number two comes down to that conversation about gates versus guardrails. If I look at an organization, I can pretty quickly determine “do the application development teams have some guardrails to function within or do they have a bunch of gates they have to get through that I have to toss things over a silo wall to get security approvals.” That's really another really big indicator, right? Those are two key ones, and then there's a whole ton other ones like how you're giving feedback on your security testing, how effective is your security testing and how well tuned is it, are you providing developer feedback to keyboard entry layer, etc. etc. All of those are indicators, but the first two always come back to that. How do they communicate? How do they collaborate?
[00:32:56] Guy Podjarny: They’re both great. Would you say like are they just as important in the sort of the pre-cloud era as they are post? Is it – How they’re useful here like when you actually not even recommend them if you’re sort of developing some [inaudible 00:33:12] applications.
[00:33:14] Steve White: Yeah, but I’ll be careful. It's not so much about the word ‘cloud’, because the word ‘cloud’ can imply a move to the public cloud. It can imply a lot of things. I use the term cloud native, which is I like to define four key things. Cloud native architecture and organizations are defined by microservices. They’re writing all their apps as microservices. They’re defined by automated CICD pipelines. They're doing SRE/DevOps kinds of things and they're doing containers.
Those four things really make up a cloud native organization. I would say that traditional enterprises who are not defined by those four things, if they're not doing containers, if they're not doing micro services, they're not doing automated CICD, and they’re not doing agile DevOps, the existing security mechanisms may work fine for what they're trying to achieve, because the existing security mechanisms kind of grew up and were developed in that world, and they work fine if you weren’t trying to make those kinds of transformations.
But those are the exact things that put the existing security measures in a lot of pressure on them, right? When you're doing automated microservice agile code development, trying to release features to production, say, daily, the traditional code review, code testing feedback cycle just doesn't work. The short answer is it can work for traditional enterprise to continue to do security the way they have done it. Most enterprises that are writing custom code, they don't have the luxury to stay there. They have to move into this cloud native world in order to compete. They’ll become irrelevant if they don't.
[00:35:00] Guy Podjarny: Yeah. No, absolutely. Fully aligned, and you’re right about this. I am sometimes kind of lazy and say cloud where they really mean cloud native in their approach but just the challenge of it. In that one, it’s like – For most enterprises, the switch to cloud native is hardly a one-time thing, they will have a for a long period of time a portion of their assets or kind of their technology stacks be cloud native and a portion remain in that traditional surrounding. Would you advocate using kind of those, if you will, cloud native approaches to security across the board or would you actually kind of bifurcate the organization to say it’s actually better for the sort of the traditional enterprises sort of stay where it was?
[00:35:44] Steve White: Well, I would definitely suggest that it's best long-term to get the entire approach to security aligned with what I've described for cloud native. But if you have a bifurcated – Most enterprises are as you said. We’ve got a lot of existing things that we have to keep up and running and maintain in those kinds of pieces. For most organizations, this is not an overnight transition on the security side either, right? So I would suggest that it's best for those organizations to start the transition now. Get moving on transforming security just like you've got moving, transforming application development and have a plan and a strategy to make that transformation universal across all of security. But you don't have to do it overnight, just like you don't have to transform all of the application development overnight, right? Make it sensible for your organization. Make the right pace of change, something that the larger organization can consume, and do it in a planful way.
Ultimate answer is you – I mean, this kind of transformation is great for all of security, but you don't have to artificially rush it to get there immediately for the whole organization. Do it incrementally, just like everything else.
[00:37:04] Guy Podjarny: A nice kind of full circle as well is one of your first bits of advice. It’s kind of pick the area you’re going to start first. It’s very clear. This has been some jam-packed with great advice I think for the whole journey. But I’ll ask you for one more. As you know, I like to ask every guest that sort of come to the show if you have kind of one bit of advice or even like a pet peeve or something that kind of annoys you when people start doing if you’d like to give sort of a team that is looking to kind of level up their security too, what would that be?
[00:37:33] Steve White: That would be focus on the actual threats to your organization, not the science lab projects that your neighbor has dreamed up. Keep your organization focused on combating those threats. That, to me, is like
"my number one advised any security team. Focus on the real threats, not necessarily all of the imaginary ones."
[00:38:02] Guy Podjarny: Excellent spoken like a person who’s had many conversation with enterprise security teams with advanced [inaudible 00:38:09] threat and nightmares –
[00:38:10] Steve White: I’ve had lots of conversations with lots of really brilliant people. To be clear, there are organizations under some very, very sophisticated threats. I have a pretty long military career in cyber, and there are lots of really interesting threats out there. But a lot of enterprises out there today aren’t going to see those threats.
[00:38:29] Guy Podjarny: That’s great advice. Steve, this has been a pleasure. Thanks a lot for coming on the show.
[00:38:33] Steve White: Absolutely. Thanks for having me.
[00:38:33] Guy Podjarny: Thanks, everybody, for tuning in. I hope you join us for the next one.
[END OF INTERVIEW]
Follow Us
In episode 58 of The Secure Developer, Guy Podjarny talks to Shannon Lietz, DevSecOps Leader and Director at Intuit. Shannon is a multi-award winning leader and security innovation visionary with 20 years of experience in motivating high performance teams.
Today on The Secure Developer, we interview Shannon Lietz from Intuit. She is a multi-award winning leader and security innovation visionary with 20 years of experience in motivating high-performance teams. Her accolades include winning the Scott Cook Innovation Award in 2014 for developing a new cloud security program to protect sensitive data in AWS. She has a development, security, and operations background, working for several Fortune 500 companies. Currently, she is at Intuit where she leads a team of DevSecOps engineers. In this episode, she talks about the future of security and the progress the industry has made in closing the vulnerability gaps by, inter alia, maintaining continuous testing, ongoing production, and building sufficient capability within teams to know a good test from a bad one. But the problem is a long way from solved, and she shares with enthusiasm about the new buzzword called “securability” and how this measure can be standardized to uplift the security industry as a whole.
[0:01:27.9] Guy Podjarny: Hello, everyone. Welcome back to The Secure Developer. Thanks for tuning in. Today, we have really maybe one of the originators, the pioneers of DevSecOps with us and really a bright security mind in Shannon Lietz from Intuit. Thank for coming out to the show, Shannon.
[0:01:42.2] Shannon Lietz: Super excited to be here. I love this show.
[0:01:46.4] Guy Podjarny: Shannon, we have a whole bunch of topics to cover. Before we dig in, tell us a little bit about yourself. What is it you do? How you got into security?
[0:01:53.5] Shannon Lietz: Awesome. Yeah, I've been in this industry for over 30 years and that makes me a dinosaur, as I always say. I feel the placement journey on an ad is to really try and help the industry and take some of the lessons I've learned over that long career and really try to make a change.
As part of it, I got into this basically with lots of curiosity and didn't even realize it was a mostly male journey. Nobody told me when I decided that computers were fun. I learned through lots of hard knocks, but basically this wasn't a path carved out for women. I thought, “You know what? The heck with it. I always do things that people tell me I shouldn't be doing.” I started out with computers at a really young age and eventually, learned how to do some really neat things that again, shouldn't have been done.
At the time, they called it hacking. I thought, “Well, you know what? I want to be a hacker, so cool.” Then eventually, it became illegal and I was like, “Okay, that's not a job.” My dad was horrified by the fact that this could be a problem. Eventually, it turned into actually it was a job. You just had to do it a certain way. That was the beginning. I mean, when I started in computers, nothing was really illegal per se. The Computer Fraud and Abuse Act was interesting and that shaped some of this industry.
Along the way, there's lots of trials and tribulations. Yeah, I started there and I've been a developer, so I've written code. I'm so sorry to anybody who's still maintaining my code, God forbid. Then as you look back on 30 years, you’re like, “Wow, I could have done a lot of better things.”
Then I got into the security and I've even done ops. I always said that if I needed to make money and pay my bills that I would ops for food, and so I ops for food. Then eventually, I smooshed it all together and created a term that some love and some hate and whether – here we are.
[0:03:50.9] Guy Podjarny: Yeah. Definitely has become the terminology of choice, the depth of the – we had a rugged DevOps, we had also some variance, but it's very clear that DevSecOps is the term that emerged.
[0:04:02.0] Shannon Lietz: That's cool, because I've got a new one coming.
[0:04:06.0] Guy Podjarny: We’ve got some great further pioneering here to air on the show. Just a little bit from a companies and industries’ experience and so we don’t completely jumped around, like a whole bunch of things. I think right now, you are at Intuit, right? Before that, you were at ServiceNow?
[0:04:23.9] Shannon Lietz: I was. I was at that wonderful other cloud company. I like cloud companies as they seem to be fun. I was also at Sony before that. I mean, my track record is pretty much financial. I did telco work. I mean, I've had about 22 companies that worked for in this period. I've been at Intuit now for almost eight years, which is the longest job I've ever had.
[0:04:44.3] Guy Podjarny: Yeah. Well, definitely changing the streak here. What is it you do at Intuit?
[0:04:47.9] Shannon Lietz: I run the red team here at Intuit. It's relatively large. I would say it's an adversary management practice. A lot of people think of red team as something that's relatively surprising. We put a lot of science behind our red team capabilities. We've really been working on moving it forward to adversary management and trying to make it so that we make this more scientific. I'm into a lot of math and science around trying to artfully measure the things that we all want to do, which is to make software more rugged and to make things more resilient, so that we can do the things we love, which is solve human problems.
[0:05:21.6] Guy Podjarny: When you talk about red team, what's the – I like to geek out a little bit about org structure.
[0:05:25.6] Shannon Lietz: Totally.
[0:05:26.2] Guy Podjarny: What does that red team get divided into?
[0:05:28.6] Shannon Lietz: I got to measure my red team recently to find out how many headcount I had. I was pretty surprised. We have about 53 people and we also just started a part of the red team in Israel. I've got four more people there that are doing red team. Actually, we've been pushing the bounds. We're applying more to application security and also, business logic issues. That's neat. I think that we're always the willing participants to emerge and try to innovate in a lot of different security spaces. I'm excited to see how that really advances us.
My org structure, I have mixed threat Intel with our red teamers. Also, we have this other group that basically runs a continuous exploit system. Essentially, we built containers to essentially exploit all the things that we worry about, so people can feel pretty comfortable that things are going 24 by 7. Internally, yeah.
[0:06:27.5] Guy Podjarny: Are these a known set of attacks? Is it more regression-minded, or is it more almost bug bounty? Like something that –
[0:06:34.3] Shannon Lietz: Yes. I say that way, because it's a mix of a lot of things. Anything that could cause us to have a security escape is something that we put into this engine. The way that I tell it is if you can conceive of it and it could be automated, it should go onto our platform and that platform basically runs it across our attack surface, for our production attack surface, our internal attack surface.
Not everything yet that I'd love to see it do but eventually my feeling is that that platform becomes really the way for us to continually level up against some of the exploitable surface. I think it's the way in which most companies are going to need to go and I think it's the path forward, is to really figure out how to do full resilience and regression testing against your attack surface for both the things that you know and the things that you learn and pull that information in to essentially get there before the adversaries do.
The big mission is get ahead and stay ahead of adversaries and understand your adversaries for your applications. I think that people design their software, but they don't think about what the potential anti-cases are, or thinking about – I always say that security is basically a developer's edge case.
The security edge case is really important, but a lot of times people don't have time for it. My job in my mind is to make it faster for people to think about the edge case that it’s going to give an adversary an advantage, to allow business to do what it needs to do and figure out where the risks are to help mitigate those risks, so that we can do the things that help solve customer problems. Instead of - everybody's been talking the road to no. I got to tell you, early in my career, I was the road to no. Everybody would rat around me. It was the coolest thing. I was definitely that little picture with the little house in the middle, or the little guard shack in the middle and the gates and the snow.
I love that one, because it's always a reminder to me. I actually framed a copy for myself, so I could keep myself humble. Because the people that now I feel we support and subscribe to the things that we do to help them, they're coming, they're asking and that behavioral change was something that had to start in us first, in me first and then basically extends out to everybody that you touch and help.
I think that being meaningful in their lives to try and help change how people think about things is actually the journey forward for security. For me, this adversary management capability has extended into things like we're using AI, ML. Now my team fully codes. When I first started this, I remember I have this really cool little – with DevSecOps, I have this really cool little presentation and I framed that for myself, because we do these things to remind yourself of where you came from.
It had a snail and a hare in it and a little lane that I developed. I was trying to explain basically, this was the path to go faster in a secure way and a safer way. I'll never forget that, because I delivered it here in San Diego to the ISSA. It was a small room of about 30 or 40 people who had never heard of what DevSecOps was and they were like, “This lady's crazy.” I think it's been eight years since that talk. It feels like it just flew by and there's so many people now that you hear are starting to see more security in software that their products and services are getting better. Is it perfect? No. Have we taken a significant dent out of the stuff that was out there at one point? I think the answer is yes.
I just saw some metrics from github about how the fact that they have vulnerabilities showing up and 20% of all the vulnerabilities that are showing up, they basically have seen that they're getting closed. That's in no small part to a lot of companies that are out there that are providing that information to developers, so that they know about these things, that they're not having to go figure it out on their own.
I mean, for the companies I've worked for where that wasn't available, developers are like, “What should I worry about?” We're like, “Oh, we just need to go get CBSS for you and here's a set of a spreadsheet. Go figure it out for yourself, dude. Thanks.” I think that was a serious problem, because it inhibited their ability to develop safe software, because they didn't have the time to go figure out and crunch the spreadsheets. I mean, let's all be honest. That's basically a full-time job for a security practitioner. Something has to be able to build the software, so you can do something with it. From my perspective, there's a lot that goes into this.
[0:11:00.9] Guy Podjarny: There's a bunch to unpack. I want to make sure I was taking you like a bunch of a subsequent questions. Let me backtrack a little bit. First on the – I love that notion of that continue effect. Yeah, this is something to use exploits of the elements. I've often thought about bag boundaries and the likes as I almost like the continuous monitoring, or chronic monitoring, or telling you if something is wrong.
I think this type of internal system makes a lot of sense to ensure that the questions you know to ask at least alongside that the red teaming and the creativity get continuously asked and you don't go back and that you can go buy that at scale. How do you maintain that? Do you take feeds in from basically the botnets out there? Is it more about fixes or problems that before they have already seen in your surroundings? What would you say are rough primary ingredients of the types of attacks that get run?
[0:11:55.1] Shannon Lietz: Oh, gosh. We take in everything. If there's no data set, I turn away, because honestly, there's always nuggets in everything. They always tell you like, no two scanners actually scan the same things. They never scan them alike the same way. I think people are really creative about how they test for security problems, so we take in any bit of data we can get. We've taken in stuff from a variety of product vendors who do scanning. We're looking at the build materials, companies all the stuff we can get from them. Anybody who is basically asserting a CVSS score, a CPE score, a score of any type that would actually reflect a vulnerability of a significant risk. All of those things are useful.
To me, they're lagging indicators, however. The other things that we take in is threat intel. We're constantly looking for vendors and providers that have information that can help us get ahead. Why not be able to find the zero day, or what about signatures that are actually written against your company specifically? Why not harvest those, use them, learn from them and then replay them against your systems? Because essentially, that's a really great way to be able to build up your catalog of how to make yourself harder to beat from a resilience perspective. That took a lot of years to learn.
I will tell you this is not, “Hey, by the way, this is what we're going to do,” eight years ago. It was a lot of trials and tribulations and my little sign on the back wall here that basically says, “Bang your head here.” It's been banged a lot of times. I mean, hey.
[0:13:18.6] Guy Podjarny: You take all that information and then your team you said, codes. And builds it like this is an operational system that runs and runs those experts against production, or more against staging [inaudible 0:13:28.9]? How do you handle that?
[0:13:30.4] Shannon Lietz: What is production? I mean, that’s really cool. We got we got rid of that in what? 1980? No, I'm just kidding. Production to me is everything. Nowadays, even development systems are production, right? Even a lot of these capabilities that are out there, they're significant in a way that you'd think. Pretty much at this point, if your developers are down and the productivity is lacking, aren't you down essentially?
[0:13:57.2] Guy Podjarny: Absolutely. I love the approach. All these systems are production and they're all impactful to the systems. Oftentimes, the one of the concerns that happens when you run these continuous tests against the customer for saying, we’re moving to more production –
[0:14:11.5] Shannon Lietz: Production?
[0:14:12.4] Guy Podjarny: When you run it, there's always this fear of, “Hey, you're going to mess something up.” [Inaudible 0:14:16.2].
[0:14:17.1] Shannon Lietz: Don't take production down. It's the one rule, right? That one rule. Don't take production down, which is why you've got to think about everything as production. If you delineate that this system is okay, but that system is not okay, to me you miss the major principle, which is if you're going to do resilience testing, you need to be mindful of the things that you're testing. You need to test your tests, right? That's a thing.
You need to be able to build your tests in a meaningful way, not just throwing garbage at a system, but throwing something that's precision-oriented, that you're looking for a specific issue and that you're actually harvesting that issue as an escape. Not that you're poking around at it in a way that actually doesn't really provide that precision. My mindset about testing and production and resilience testing is that major principle. Everybody's always said like, “What are your rules for your team?” I'm like, “I have one rule. Don't take production down.” Because honestly, that's actually a meaningful issue for most companies, especially ones that are in the software industry.
I think the second piece of this puzzle for us is build enough capability in your teams to understand what's a good test, what's not a good test, have that scientific set of principles about how you actually develop those tests to be able to make it so that they work in your organization. That's essentially why I think – I'd love to say that eventually, this trade craft will be able to be moved into the teams, that's possible and I think that as we commoditize in the industry that these tests that you could run are actually being built by external companies and there's ways to actually create them and they can be tuned and tweaked and developers could run them.
I think it absolutely is possible for us to get to true DevSecOps, which is a developer can build safe software, operate it and they can eventually continually secure it and have it resilient against attackers. I eventually think that that is possible for an individual to be able to do those things, but not without assistance. It's not without buying specialty capabilities. We have to as a industry in my mind, be able to create that Nirvana, so that we're not also burdening people.
What I would say right now is if you look at some of the surveys that have come out, the DevOps, DevSecOps surveys about burnout and some of those things, well, the problem - and I did a huge study on this - is we're not seeing enough investment in small businesses that are trying to solve the commoditization of security in the way that it's actually going to be meaningful. Because I'm not sure that people really grok the full problem space of making it so that developers could leverage these services and capabilities, so that they can do the work of integrating it, but they don't necessarily have to invent and understand every facet of it, so that they're the expert practitioner.
Because, I just think that's what the difference is between having a security team that's off to the side that does it for people and having it be something that somebody can fully integrate into their workload.
[0:17:19.4] Guy Podjarny: Yeah, absolutely. I love also, so you mentioned about how your team now codes and that was actually one of the other bits that really – how have you seen that skill set? This is definitely a forward-thinking approach and I see a lot of the guests in the show talk about how their teams today code. How have you seen the evolution there? What were some of the –again, you've been touting DevSecOps for a while. What was your timeline and your views of changing that skillset? Which skills do you feel are needed less, if you're assuming you don't just want to increasingly perfect individuals on the team to build –
[0:17:55.1] Shannon Lietz: How do you trade it?
[0:17:56.0] Guy Podjarny: Sacrifice more coding skills today.
[0:17:59.7] Shannon Lietz: Yeah, exactly. How do you trade the workload of today for the workload of tomorrow? It’s definitely a challenge. I think when I first got started, I probably trivialized it a little bit, because I already had some coding skills so I was rebranding it to myself and realizing it's important in my life.
At the time, as a oversight on my part to be so cavalier about it being less than difficult, because I think it is a difficult practice to be a developer. I think there's so many things to consider, like you're not just code slinging if you were. You're actually looking at the human problem and trying to find an elegant solution that can be easy for people to really embrace. You're lowering the complexity for them, right?
When we first got started, I think it was like, well, Ruby's easy enough. Let's all do Ruby. There were some definite opinions about whether we would do Ruby or all the other languages of choice. Frankly –
[0:18:55.3] Guy Podjarny: There hasn’t been [inaudible 0:18:56.2] languages.
[0:18:57.7] Shannon Lietz: No, never. There’s never opinion in the bunch for that at all. I had a few people who could write some Ruby code and I had some people who do Java and this, that, the other thing. I think Ruby ultimately, because Metasploit was on Ruby and well, a bunch of people have done modules and things like that. It was just easier that way. There's definitely a lot of hacking tools that started out in Ruby that's migrated to different languages.
Some of my team now does Python. We've definitely gone after different languages along the way. Some folks are doing Go. Everything has its place. When we first got started, it was easier for us to all go together on one language that was going to help level everybody up. Meaning, it was easy enough, it wasn't necessarily a compiled language. You didn't have to get onto all the harder stuff. We started with what I would consider an easier language to address. Some might actually find that to be different, right? They might say, “Hey, Ruby's not that easy.”
I'll say that that was just a choice that we made together. It started with only a few people and obviously, now most of my team that codes. I can't even think of one person on the team at this point that doesn't code. If a manager has to do something quite often, they're breaking open a SQL query at the least to go run even a report as an example.
Even the managers are finding themselves having to code. They're putting things together, snapping in APIs. That was a big thing now. The question is what do you really trade off? I would say and I'm going to say it, because I think it's really what does get traded off. I think your code migrates into from policy into code, and so you're not writing as many documents, frankly. I think that code that's well documented is really a wonderful thing. I don't think enough people put enough comments in their code at this point. I read code all the time and I'm like, “Could you just comment a little bit more? I don't know why you made that choice.”
[0:20:48.9] Guy Podjarny: [Inaudible 0:20:48.11].
[0:20:49.9] Shannon Lietz: No opinions. No strong opinions at all. Over-commented code is also a disaster, so I know. I would say where the industry seems to be heading is we're lightening up on documentation. There's reams of paper that are being saved and trees across the world that have been released from the horrible death of paper policies. I think that's actually where some of it's coming from.
I also think that the other thing that is fueling the ability to migrate from one to the other is there's not as many meetings. It used to be that security was a meeting after a meeting after a meeting. The time that you were sinking into those things to go convince people and whatnot, it's for them to go do the work and you to manage them doing the work and all of that is basically being walked back to, “Hey, I have code that will solve that for you. If you could adopt it, that would be great.” Literally, I'm seeing programs being built by people who know what needs to go into them and that gets converted into something you need to onboard, so it's really migrating towards the – security is migrating to the way of microservices if you ask me.
[0:21:52.0] Guy Podjarny: Yeah. Those are great insights, right? Fundamentally, if you build solutions, you build tools, you're a service provider. You don't need to be peeking behind people's shoulder all the time, which in turn in the form of meetings, or chasing somebody to read the document, will take up your time.
[0:22:10.0] Shannon Lietz: Absolutely.
[0:22:10.9] Guy Podjarny: We're building, like you've got this valley around, like we're evolving. Made all sorts of comments is all about they know, like maybe not quite in fact want it, but it's under evolution in the industry. What would you say today – you talked a little bit about DevSecOps, so if we cling to that term, what would you say are the biggest gaps? More like, what's rolling it out and rolling out the mindset, what areas do you feel we don't know to do yet, or people are especially resistant to?
[0:22:39.4] Shannon Lietz: The stuff that I like to dig into. Over the years, there's lots of insights here. I would say that the biggest aha moment for me, the needle mover that's really starting to fuel people coming closer to a better state is having measurement. All the maturity models are right. It just takes a lot to convince yourself that they're right. I used to love and hate maturity models, because you're always writing so many documents to get to level three.
I keep telling people, why do you need level three when you can get to level four? Which is really measurement. I would say that the DevSecOps thing, along the way the real challenge, like we keep saying culture. What I am finding and it's again, aha moment is it's really about how we talk about security and what it means to our businesses and having some of that business acumen as security practitioners is just missing in our industry.
Now I'm spending a lot more time thinking about the business, if you were. What does it mean to have risk tolerance as an example? What security does actually thought about at the business level? The answer commonly is yes, most companies consider, especially public companies because they are required to report on significant changes in outages, especially if they're going to be materially impacting revenue and things like that. I would say that the business is definitely attuned to the fact that those are happening.
I think the challenge is how do you actually take something that's non-monetary? You have things like fraud and other types of outages. They might be monetary. Some things are non-monetary. As an example, you might have an event that happens, an incident that happens. It takes time to resolve. You may have an investigation that you have to go do to make sure that nothing bad happens, right?
The question is ‘is that something for the books?’ Is it in your risk tolerance thought process? I think that's something that DevSecOps needs to address. I think another couple of DevSecOps things that need to be addressed is where's the market? I mean, we really do need to commoditize. There are not enough capabilities and products out there at a significant level. The science of how you apply them, we just haven't figured out how to really get developers yet into the mix. My belief is that companies that are actually trying to solve the developer problem, being able to adopt, commoditize capabilities and services where you take security knowledge and capability and you package it all up and you make it developer-friendly, so they know where to put it in their CICD pipeline has a significant impact on making their software more resilient and the usage of their software pretty good too.
[0:25:22.9] Guy Podjarny: Amen to that for sure. You and I have both talked a lot. One of the topics we’re excited about over a year is indeed trying to crack the measurement problem. You’ve alluded to a new buzzword, a new framework for us called ‘securability’. Tell us about it.
[0:25:38.6] Shannon Lietz: I am super jazzed about it, because we put a lot of time and effort into sciencing the heck out of security, right? I guess along the way, I used to have other measurements that I thought I can get – if I could just teach a developer how to use this metric, it'll blow their minds and they’ll love security and I'll do something about putting security into that stuff. I guess I changed my mind about the quest and I realized, actually I need to figure out what developers care about, so that I can have them understand what security means to them, so that we can actually get them to address it as part of their process, whatever that might be, whether they're using CICD or they’re hand-jamming their code. I mean, there's a lot of different ways in which software gets built.
Essentially, measuring the resiliency of software from a security point of view is essentially the craft, right? The idea behind a measurement that moves the world forward, I think is in understanding the behavior you want. In my mind, the behavior I want is I want a developer to be able to decide whether or not the security they have for their product is good enough. From my perspective, securability is a 59s measure, because if you're going to do anything, you make it 59s. I mean, I learned along the way. I work for a telco. You learn a lot about 59s and eventually, you get told 59s isn’t enough and you're like, “Are you serious?” I’m just going to go for the 59s. Honestly, if somebody can show me a 59 secured system, I would love it. It would be amazing. I would say so, right? The way we've thought about this is meaningful is that you can utilize securability at a very low level on a single component, a library even and you can also roll it up a little bit at a time, right?
Being able to roll up measures, I think is also significant. That has I think a meaningful piece of the puzzle. From my perspective, securability, big 59s means that it's now something that you don't actually have to teach a developer what 59s means. You've already lowered that intensity of learning, right? Because you're already applying something that they're pretty consistent with.
The question is then, what's the denominator, from my security practitioners perspective? Well we've all wanted to know what the bill of materials was for anything we work on. If you can imagine, CMDB and some other types of systems that are providing resource understanding for you. You know what your attack surface is. There's all kinds of companies out there right now that are trying to tell you what your attack surface is from the outside of a vantage point of an adversary, so that you know, like “hey, that's on the Internet. Did you know that?”
People are like, “Oh, my God. I didn’t know that was on the Internet.” Honestly, I think those are amazing companies, because they're really solving the denominator problem of basically, figuring out what your bill of materials is. Once you figure out what your bill of materials is, then you essentially have the opportunity of figuring out all the known defects that are out there, that could actually have a meaningful impact on your attack surface. As an example, you might have a CBSS10 that's out there. That's going to apply to a handful of your resources maybe, or all of them.
Say you had a million resources with the same CBSS book, that's a bad day, because that's a lot of attackable surface, right? Then the question is so what do you do with that? What’s the numerator on it? The numerator is the escape. I like to say that escapes are a variety of different things. I'll start with just a simple one, which is you got an internal red team, they pone you, they send you a ticket, in our case it's a P0 ticket. You want to basically take that P0 ticket over that splittable surface.
If you only have one on all those different resources, that means hey, you're really firewalling great. You probably have a good zoning and containment. Fantastic. You've got some mitigating controls in place and you're one over a million. I would love to be one in a million, right? That would be amazing. Again, your securability is super high. One in a million awesome.
Let's just say that you had a one-for-one problems. Let's say there's actually only one system out there that has a problem, but it's literally you're going to get an escape one-for-one. You have zero securability. That's a big problem. The question then is once you have that ratio, let's just say you have zero securability against that particular issue, let's just say you have a lot of adversaries that would love to come after you and they are and they're going after that specific resource with that specific attack. You're breached. That's essentially a very simple way of explaining security to somebody who wants to understand it, wants to do the right thing.
I think that resilience capability is super important and exploitability focusing there, understanding how to bring your losses to bear. Companies all the time have fraud against their systems. They have security problems against their systems. The escape of the red team is one aspect, but you might even have losses you've got in your incident capabilities, right? If you can imagine, why aren't you putting your incidents over your exploitable surface, right? If you had 30 incidents in a month and you know they applied to some of your exploitable surface area, your exploitable opportunities, then essentially you had a calculation that said you actually had more risk and your risk was realized, right?
I think that that allows us to have people really take responsibility and be accountable for the security that they're implementing or not implementing, right? It makes it so it's super easy for them to know on the face of it without a lot of interpretation or subjectiveness that they're either doing well there or not.
[0:31:08.9] Guy Podjarny: Do you see securability as a measure that every organization then develops for its own surrounding? You need to add mileage, then look mapped out your security threats, say bill of materials and know more abilities. Something that is very clearly measurable, could also be like whatever, misconfigurations, right? We know buckets left open, or open access points. You do those and then you see the exploits and you see that become new backward calculate. I mean, that's I'm referring to is putting the time to invest in historically understanding the exploit surface you had, the incident, whether full-on groupers, or just forensics abilities and all that that happened on top of that then calculate that? Or do you see it as a standardized, this is how we can measure security. 59s for uptime are –
[0:31:58.6] Shannon Lietz: I think it's all.
[0:32:00.2] Guy Podjarny: They’re a standard metric, right?
[0:32:01.3] Shannon Lietz: I think it should be a standard metric. I think you should have to put your bill of materials into your software, it rolls into a system, you have telemetry based on that bill of materials that helps you to understand your attack surface that you have testing that's going against to help you to monitor it. It should be a real-time system that helps you to understand how you're doing from an LED’s perspective on security and it's measuring your resilience constantly. If adversaries are measuring your resilience too, then it should help you to find those problems as well.
I also think that you should be able to leverage that same methodology to go backwards, looking and figure out like, hey, do we miss something? To your point, could you hand calculate it? Absolutely. It'll be really easy if you have a bill of materials. Then going forward, you should be able to forecast it. What I like to say is that when somebody designs a system, they should be able to understand their bill of materials and where they think that there might be adversary happenings, so I could imagine in the future we're going to find a company out there that's going to say, “Hey, we're monitoring your bill of materials and we actually see adversary interest in these key areas of your bill of materials,” so your likelihood if you have resiliency issues in those areas is very high that it's going to be a problem for you specifically.
I do think the way in which it's been invented is really important about it being specific to your company, but I also think it makes things shareable. If I wanted to share information with another company, I should be able to share the securability information in a reasonable way without necessarily telling somebody all the bits and details of my security program. Hopefully, that's also helping people have the conversation that says, “Hey, yours is 99.9%, but mine's 97% because we don't see the same adversaries as you do and the amount of adversaries that we encounter is much less.”
People are having those risk-based conversations in a meaningful way at a business level, because really, this isn't just the software developers, but it's also to solve for people that have to have those conversations, where you're not talking about hey, you're not doing it the right way. The how isn't the thing of focus anymore. You're actually talking about the why and the what, right?
You're really getting into the business level conversation of what is your measure? Why is that appropriate? If you can build trust on that why and what, because that's where you build trust, you don't build trust on how, you build trust on why and what, then you can actually create a meaningful ecosystem of people who are doing the right thing for the right reasons with the right intent, so that you can establish a much bigger barrier against adversaries.
[0:34:40.9] Guy Podjarny: How do you see – I mean, I think the idea is compelling in the sense, what will aspire to the measure of how secure you are, or securable you are maybe in this term. How do you meld in, I think the bill of materials of the known components, while there are some disagreement in the industry should have some factual elements, or you were using this component who has this known vulnerability. How do you see a custom vulnerability that are also security risks that related fit into this probability in your code, or a misconfiguration?
[0:35:13.7] Shannon Lietz: I love that conversation. It's not a different score. All the same. I'm so tired of us talking about whether it's in the library, outside the library, upside down from the library. Who cares? It is all part of the bill of materials. If you have a configuration, it's part of your bill of materials. You configure it a certain specific way to work with your software package. We really need to focus on the bill of materials standard that says, this is actually if I had to look at your system, rebuild it, whatever it might be, I could actually have information that suggests what risk you took and why.
If you wanted to leave open port 80, I shouldn't have to find it out from some scanner out there in the world. I should know your intention was to leave open port 80, or it was a mistake and you're taking accountability for it. You're having a system that even knows that your intent was this design, so that bill of materials is actually also about your design constraints and your design intent is really important in my mind.
[0:36:09.3] Guy Podjarny: In this model, the more detailed your bill of material, to an extent if you provided more information, you might actually get a lower score. You're not tricking anybody with your own. It's your own system you're trying to do it. The more information in it, the more accurate your score is, whether it's higher or lower. Is that –
[0:36:26.6] Shannon Lietz: That's right. Well and in addition, you benefit from providing a much more accurate bill of materials, because the downside to not doing it is that adversaries actually find it before you do, before your friendly partners do. It would be much better to be accountable for good security than to find out from bad guys. From my perspective, it's only benefit to be able to identify these intents and design, so that you can actually route it out. I think that's about the principles of resilience, right? Is we all want to be resilient.
If we're afraid to actually put this information in because we might be judged by it, I think I would rather be judged by an internal friendly red team adversary than to be judged by an external unfriendly adversary who's going to cause your company to have challenges, right? From my perspective, they're very different.
[0:37:20.1] Guy Podjarny: Yeah. Very well said. Have you been experimenting with the securability within Intuit? Are you using that measure?
[0:37:26.6] Shannon Lietz: Yeah, absolutely. We've been working with it directly for about a year and a half, and so we've got lots of information data. We've done a lot of work with it. I would say in the initial states of doing anything different than the rest of what everybody else does, your why is so important. Honestly, I started looking around in the industry and I questioned a lot of the things that were out there, because they just weren't solving some of the problems.
I believe securability will eventually lead to the capability of us all automating it and even making systems be able to do self-resilience. If you have a good intent and you can do resilience measurement, eventually we might be able to automate risk most of the time, right? Automating risk and complexity, I think is a right thing to actually chase. I was looking at most of the things that were out there, most of the frameworks and there's nothing to say that they're bad, because I actually think most frameworks are pretty awesome that somebody even tried it in the first place.
I don't see anything that's really solving for that notion of automating this, so that it can actually be done by a system and it can be something that can be a support system for your developers. From my perspective, that was the why. I think at Intuit, we've done a job to basically try to always be better than we were last year at everything that we do. That's a wonderful aspiration and I love the mission.
From my perspective, securability has become a thing. Is it in its final states where we fully mature on it? No, we're not. I am definitely interested in the things that we have ahead of us, because securability is worth it. I think that solving for these problems, there are no small feat because just like DevSecOps, what securability is missing right now is the companies that are going to help create it, change it, commoditize it, make it easy to digest, make it consumable.
If you look at the availability market, that's what securability could be for our industry is you look at the billions of dollars that have been generated by monitoring and availability capabilities that are out there and there's a real market opportunity to be had around trying to bring this to bear for our developers.
[0:39:30.9] Guy Podjarny: Yeah. I love the idea. We talk about its effect on [inaudible 0:39:34.0] more measuring security, because it is about capturing the full more than security, but also specifically security related information, from configuration, to dependencies, to known flaws, to various other elements within this bill of materials that moves around. Then you're able to layer on top of that all the known attack surface, security flaws that you have.
Then once you do those and you measure it, because DevSecOps follow through the opposite of that. One of the core principle is you can’t measure it. If it moves, measure it. If it doesn't move, measure it in case it moves, right?
[0:40:16.0] Shannon Lietz: That's right.
[0:40:17.4] Guy Podjarny: Doing with that and not doing it in the world of security. Would definitely be keen to see it evolve and definitely build there on our end.
[0:40:27.1] Shannon Lietz: I'd love that.
[0:40:28.6] Guy Podjarny: I think this is – we can probably go on here for –
[0:40:32.3] Shannon Lietz: For hours, probably.
[0:40:34.3] Guy Podjarny: An hour longer, but I think we're probably a little bit over at already in time. Before I let you go, Shannon, I like to ask every guest that comes on – anyway, you’ve already given a whole bunch of advice, but ask for one more bit, which is if you have one smaller bit of advice that you can give a team looking to level up their security foo, what would that bit of advice be?
[0:40:56.3] Shannon Lietz: Yeah. Somebody who’s looking at, but to look up their security skills and try and up-level, I would say the one question you should ask yourself is how many adversaries does my application have? Because it's the curiosity around that question that will lead you to better places. That I think just having that goal of trying to solve that question will lead you down to find people that you can contribute to, or collaborate with that will help you answer that question.
I think once you do answer that question, it's mind-blowingly obvious what you have to do to fix the problems that might actually be in your applications and in some of the code that you are writing.
[0:41:35.6] Guy Podjarny: Very cool. Well, definitely sound advice focus. Shannon, this has been excellent. Thanks a lot for coming on the show.
[0:41:43.3] Shannon Lietz: Thank you.
[END OF INTERVIEW]
Follow Us
Many banks are still running on decades-old sets of legacy technologies, but the security and performance advantages cloud-native systems offer is changing that. Today, we’re going into the future of banking technology with Neil Drennan, CTO at 10x Future Technologies. His firm is building the first cloud-native banking platform that can be used by large-scale banks in order to solve the cost and security related problems caused by their legacy systems. Neil fills listeners in about his role in the overall mission at 10x before diving right into the topic of how they integrate security into their development practices. Often security and development teams find it difficult to integrate into each other because they are kept in separate silos from the outset. Things are different at 10x though as Neil explains, talking about the back and forth conversations between his different teams and their use of vulnerability dashboards to keep things transparent. Neil weighs in on the necessity for 10x to get security right, but the benefits of working with banks as clients because of their high level of insight into potential threats. We hear all sorts of amazing improvements for threat monitoring that cloud-native solutions can provide, making the legacy moat model look outdated indeed. A key takeaway from Neil today is the importance of building security into development from the ground up, so tune in to hear how he manages best practices at 10x.
10x is looking for more talent to join its team with roles in the UK in London and Leeds. You can see their latest roles here
Show notes and transcript can be found here
Follow Us
On today’s episode, Guy Podjarny, President and cofounder of Snyk, talks to Seth Vargo at DevSecCon Seattle. Seth previously worked at HashiCorp, Chef Software, CustomInk, and a few Pittsburgh-based startups. He is the author of Learning Chef and is passionate about reducing inequality in technology. Today, he is now a developer advocate at Google and is passionate about the human element of security. This discussion is centered around the talk Seth gave at DevSecCon Seattle titled, Secrets in Serverless. In this episode, we flesh out one of the core principles of this talk which is that security is not binary. Here we explore the often-unseen side of security and how developers can prevent or limit attacks by assuming from the get-go that their secrets will be leaked! If you’re looking for practical, in-depth advice, as well as a leading, expert strategy that will shift your view on managing secrets in serverless – then this is the episode for you!
Show notes and transcript can be found here
Follow Us
Barriers to entering the DevSecOps community are becoming much weaker thanks to its provision of free resources and through the work of diversity activists too. Much praise can be given to Vandana Verma in this regard, who we were lucky to have as our guest on the show today. Vandana is an experienced application security practitioner, currently working at IBM’s India software labs as a Security Solutions Architect. She’s OWASP Bangalore’s Chapter Leader, OWASP’s Women in AppSec lead, as well as an advocate for WoSEC, Infosec Girls and Women in Cyber Security. In today’s discussion, we hear about Vandana’s journey into the DevSec and Cloud security world from her early days as a developer. Vandana speaks about the scope of AppSec and Cloud security, weighing in on the ‘left shift’, the app in the context of the cloud, and different focus areas that she implements in her training sessions. We hear about the burgeoning tech scene in Bangalore, how helpful the community is and all the free resources to be found at the OWASP Seaside conferences. Vandana also speaks about her journey into diversity activism, sharing about the many workshops and keynote presentations she gives globally, and the benefits her broad understanding of diversity can give to security teams. For some great tips on how to think about Cloud vs AppSec, as well as how teams with broad backgrounds can benefit security work, make sure to listen in on today’s show.
Show notes and transcript can be found here
Follow Us
For this special, DevSecCon Seattle, edition of the show, our guest is Erkang Zheng from LifeOmic. Erkang is an experienced cybersecurity specialist and recently developed JupiterOne, a security product that is changing how organizations manage their cloud-based infrastructure. We get to hear from Erkang about the unique way that security is run at LifeOmic where he is the current CISO. LifeOmic is a software company that builds cloud-based data platforms for its customers. In our conversation, we cover the small security team size at the company, the reasons for this and the systems they have in place that hold all employees accountable. LifeOmic allows for plenty of freedom for their developers and chooses to rather focus on other ways to sure-up their gateways from issues. Erkang comments on the best ways to progress out of outdated systems and the importance of getting out of a comfort zone that is not serving the company in the long run.
Follow Us
Today on the show, we welcome Roland Cloutier. As the Chief Security Officer of ADP, Roland works to protect and secure one of the world’s largest providers of business outsourcing solutions. Prior to that, Roland served as the Vice President and Chief Security Officer of EMC, where he spearheaded protection of the company’s worldwide business across both the commercial and government sectors. He has held executive security management roles at consulting and management security service organizations and has more than nine years of experience in federal law enforcement. Roland’s experience gives him a fascinating, forward-thinking approach to the organizational revolution we see happening today. In this episode, we start by highlighting the major changes that have occurred in security orgs over the past 10 years and reveal the changes that need to be made in order to survive in today’s complex climate. We look to ADP as an example, dissecting the multiple stacks of its infrastructure, their security by design approach, and how they tackle the challenges of maintaining talent, upskilling, embracing new styles of work, and more!
Follow Us
Today on The Secure Developer, we interview the Director of Product Security at Datadog, Douglas DePerry. Doug has experience in the offense side of the industry, working as a security researcher and consultant at LeafSR and iSEC partners, and in the realm of defense, having been involved with various defense contractors and the US army. In this episode, Doug talks about wearing many hats at Datadog, first starting in infrastructure security and then moving along to product security amid the company’s rapid growth. But they eventually decided to merge the two teams into a security engineering team, and Dough offers some insight into the new team arrangements and the logic behind the initial separation. Joining in the conversation, listeners will get some advice around building effective communication within engineering teams, learn about the need to raise awareness about the shared responsibility of security, and hear Doug’s approach to developing, evaluating, and embedding security tools effectively. However, from all his years of experience, the most crucial lesson Dough has learned is to never underestimate the importance of people in the tech space, pointing out that without communication, negotiation, and compromise among team members, the tech aspects are bound to fail
Show notes and transcript can be found here
Follow Us
Security is a vital feature of a platform’s architecture on both the service provider as well as the consumer, and it helps to have a leader who can see the big picture. Our guest for today is Adrian Ludwig, Chief Information Security Officer at Atlassian. Adrian has a marketing and tech background, we speak to him about his transition between the two seemingly unrelated fields through his work at NSA, Adobe, Nest, and Android, and how both sides inform his approach to security at Atlassian.We then get into the nitty-gritty of how Atlassian thinks about security, and the operations and technologies they have in place in order to achieve that goal. We talk about how Atlassian has transitioned from being an on-premises to a cloud provider, and the benefits of merging microservices with security boundaries in its system. Our conversation also covers other systems Atlassian uses to maintain its software and delegate to teams. We speak about the granulations of the roles of embedded developers in security teams, and how timezones are used strategically to speed up turnover time. You’ll also hear about how they use bug bounties as a way of gauging its embedded developer ratio, and different strategies to deal with backlogs. Toward the end of our conversation, Adrian touches on the concept of consumer versus enterprise-grade security, and why it is necessary to build systems that reduce the risk of human error and not the other way round. Join us for a fascinating behind the scenes look into the cogs that make Atlassian work.
Show notes and transcript can be found here
Follow Us
Joining us on today’s episode of The Secure Developer is Mandi Walls, technical community manager at Chef Software. Her role involves helping technology organizations increase their effectiveness by using configuration management and other modern IT practices. Along with this, she is also a frequent speaker at tech conferences and is the author of the whitepaper, Building a DevOps Culture, published by O’Reilly. In this show, which is another DevSecCon special, Mandi shares more on the topic of her talk with us: InSpec, which is Chef’s product for infrastructure security testing of code. She sheds light on its uses, and how through its flexibility, it's increasing the speed at which it can do security checks. Mandi also shares more on how the product deals with containerization, how it issues alerts and the role she sees the product playing in the future. Tune in today!
Follow Us
Unsurprisingly, many high performing organizations in the DevOps space are simultaneously the best in security and in operations too. In this episode, we sit down to talk with Gene Kim about his work on the saves that get made by organizations who have great operations, and how this fits into their security. Gene Kim is the founder of Tripwire, author of The Unicorn Project and The Phoenix Project and has also co-authored The DevOps Handbook and the State of DevOps Report amongst other texts. He has been studying high performing technology organizations for much of his life and has a rich history in both the security and the DevOps sides. Today we get the change to talk to Gene about the five ideals for optimizing performance in the DevOps space that can be found in The Unicorn Project, particularly from the lens of security.We also chat to Gene about the four hypotheses that the DevOps report he co-authored rested on, and some of the interesting and unexpected conclusions that he and his collaborators came to. This conversation spans many key aspects of the DevOps industry and how locality, flow, daily improvement, psychological safety, and customer focus have the power to augment huge changes for the better, so make sure you don’t miss it!
Show notes and transcript can be found here
Follow Us
Our guest today on the show is Clint Gibler, a research director at NCC Group, where he helps provide organizations with security consulting services. Clint speaks to Guy Podjarny at DevSecCon Seattle about the current landscape of application security, how his company fits into that as a global information assurance specialist and the job of helping companies scale their security efforts through cutting edge tools and processes. His vast experience in the field of security, with a wide range of companies, has afforded him great insight into the importance of security teams' morale and goal setting. We hear from him about staying up to date on the latest developments in the field and his advice for remaining as current as possible. Clint's background in helping companies implement security automation and DevSecOps best practices has led to his current standing and we get to hear about the panel discussion he moderated at the DevSecCon event.
Show notes and transcript can be found here
Follow Us
In the age of startups, diverse employee backgrounds are increasingly important for companies to be resilient and deeply innovative. People's prior experience helps their work in security both in expected and unexpected ways. Our guest today, Tad Whitaker, has one of the most interesting backgrounds we’ve yet to encounter. From working as a gold miner to a newspaper reporter to a private investigator, Tad’s journey to landing his role as a Engineering Manager at CircleCI has been very colorful. He is also a core member of the Bay Area OWASP leadership that hosts bi-monthly security meetups in San Francisco. Outside of work, Tad volunteers with several different organizations, including The Wall of Sheep at DefCon, Mission Bits, Telegraph Academy and the San Francisco Youth Baseball League. In this episode, Tad shares his interesting background with us and the different ways that have overlapped with current work in security. We also gain some insights into the structure at Circle, from how his team works to their relationship with the development team. The dynamic relationship between development and security is not one we encounter often, so it is refreshing to hear. Tad also walks us through compliance and how adhering to mandated compliance standards have helped and hindered his work.
Show notes and transcript can be found here
Follow Us
In our conversation, we chat to Julien about his current professional role, his talk at DevSecCon and the inspiration behind it before diving into his ideas on security's present and possible futures. Julien makes an argument for setting up 'paved roads' for security in order to save time and resources but rather than these being restrictive, he emphasizes the freedom that should remain built into these systems. For a fascinating chat with Julien and some insight into what is going at Mozilla currently, be sure to join us!
Show notes and transcript can be found here
Follow Us
What Mike and the various other cloud businesses within the broader Cisco network have managed to do is create an environment where they share knowledge and learn from one another to the ultimate benefit of their customers. He talks about their system according to which his team engages with and gives feedback to engineers and the model they have implemented to constantly evaluate their efficiency. We switch to talking about Duo's acquisition by Cisco and how it has boosted the organization, and Mike wraps up the conversation by telling listeners why diversity in teams is crucial.
Show notes and transcript can be found here
Follow Us
In episode 44 of The Secure Developer, Guy Podjarny sits down with guest host Simon Maple of Snyk to reflect back on the numerous guests he’s had on the show throughout 2019, and the many security lessons and insights shared along the way.
The post Ep. #44, Year in Review with Guy Podjarny appeared first on Heavybit.
Follow Us
In episode 43 of The Secure Developer, Guy joins Stu Hirst, Principle Cloud Security Engineer at Just Eat. They discuss Stu’s journey into cloud security, avoiding burnout, cultivating better hiring practices, and the importance of failing fast.
The post Ep. #43, Combatting Security Burnout with Stu Hirst of Just Eat appeared first on Heavybit.
Follow Us
In episode 42 of The Secure Developer, Guy speaks with Kate Whalen, a security engineer at The Guardian, to discuss news media security and advocating security across many teams within a large organization.
The post Ep. #42, News Media Security with Kate Whalen of The Guardian appeared first on Heavybit.
Follow Us
In episode 41 of The Secure Developer, Guy talks with Sara Dunnack, a security engineer at InVision. They discuss methods for improving communication between DevSecOps, AppSec, and Engineering teams within an organization.
The post Ep. #41, Optimizing Team Communication with Sara Dunnack of InVision appeared first on Heavybit.
Follow Us
In episode 40 of The Secure Developer, Guy speaks with Brian Sodano, Director of Engineering at Liberty Mutual Insurance. They unpack what happens to security when a company goes through a large-scale digital transformation, and ruminate on the future of the security industry.
The post Ep. #40, Large-Scale Digital Transformation with Brian Sodano of Liberty Mutual appeared first on Heavybit.
Follow Us
In episode 39 of The Secure Developer, Guy is joined by Mohan Yelnadu, Head of AppSec at Prudential. They discuss Mohan’s journey from pen tester to DevSecOps consultant, security threat modeling, and his 6 principles of continuous security.
The post Ep. #39, Build, Break, and Defend with Mohan Yelnadu of Prudential appeared first on Heavybit.
Follow Us
In episode 38 of The Secure Developer, Guy speaks with Andy Ellis, CSO of Akamai. They discuss streamlining customer assurance, the role of an incidents coordinator, and the value of transparency between a security company and their associates.
The post Ep. #38, You Own It, You Secure It with Andy Ellis of Akamai appeared first on Heavybit.
Follow Us
In episode 37 of The Secure Developer, Guy speaks with James Kaplan of McKinsey & Co. James describes his journey into the telecommunications industry, and how many longstanding companies must reevaluate security practices when going through a digital transformation.
The post Ep. #37, Security Transformation with James Kaplan of McKinsey & Company appeared first on Heavybit.
Follow Us
In episode 36 of The Secure Developer, Guy is joined by Peter Oehlert of Smartsheet. They discuss holistic security approaches, understanding various categories of risk, and how the different teams in a large organization can work together to improve security.
The post Ep. #36, Holistic Security with Peter Oehlert of Smartsheet appeared first on Heavybit.
Follow Us
In episode 35 of The Secure Developer, Guy is joined by Robert C. Seacord of NCC Group, who champions the continued practice of coding security in C and C++, and offers practical advantages to using various programming languages in the Agile era.
The post Ep. #35, Secure Coding in C/C++ with Robert C. Seacord of NCC Group appeared first on Heavybit.
Follow Us
In episode 34 of The Secure Developer, Guy speaks with Siren Hofvander of Cybercom about her enlightening journey from the digital medical space to running a secure developer consulting team, as well as her empathy-driven ethos in the one-size-fits-all security world.
The post Ep. #34, Positive Security with Siren Hofvander of Cybercom appeared first on Heavybit.
Follow Us
In episode 33 of The Secure Developer, Guy is joined by Leif Dreizler and Eric Ellett of Segment. They discuss motivating security teams, the importance of investing time in your business relationships, and the longterm rewards of proper security training.
The post Ep. #33, Engineering Teams with Leif Dreizler and Eric Ellett of Segment appeared first on Heavybit.
Follow Us
In episode 32 of The Secure Developer, Duncan Godfrey from Auth0 speaks with Guy about his journey into security. Duncan also shares great insights into staying secure and compliant in a fast moving environment.
The post Ep. #32, Security and Compliance with Duncan Godfrey of Auth0 appeared first on Heavybit.
Follow Us
In episode 31 of The Secure Developer, Guy is joined by Tanya Janca, Cloud Advocate at Microsoft. Tanya shares insights, from her early days leading software teams for the Canadian government, to evangelizing software security at Microsoft.
The post Ep. #31, Evangelizing Security with Tanya Janca of Microsoft appeared first on Heavybit.
Follow Us
In episode 30 of The Secure Developer, Guy speaks with Justin Somaini, a security industry leader and Founder of Somaini LLC. They discuss how security theory has changed over the past 25 years, and how AppSec can be improved by educating the developer community.
The post Ep. #30, Improving Security Culture with Justin Somaini appeared first on Heavybit.
Follow Us
In episode 29 of The Secure Developer, Guy sits down with Liran Tal, Developer Advocate at Snyk, to discuss the state of open source, Docker security, and developer infrastructure.
The post Ep. #29, The State of Open Source & Docker Security appeared first on Heavybit.
Follow Us
In episode 28 of The Secure Developer, Guy is joined by Jason Chan of Netflix to discuss simplifying the security process for software developers, as well as some of the open source projects Netflix has shared with the community.
The post Ep. #28, Developer Empathy with Jason Chan of Netflix appeared first on Heavybit.
Follow Us
In episode 27 of The Secure Developer, Guy is joined by Jeff McAffer, director of Microsoft’s Open Source Programs Office, who shares his insights on how to keep open source projects sustainable and secure for the whole community.
The post Ep. #27, Open Source Security with Jeff McAffer of Microsoft appeared first on Heavybit.
Follow Us
In episode 26 of The Secure Developer, Guy is joined by Jim Manico, founder of Manicode Security, to discuss insights from his long career as a security educator, and to explore the importance of developer training in application security.
The post Ep. #26, Security Education with Jim Manico appeared first on Heavybit.
Follow Us
In episode 25 of The Secure Developer, Guy meets with Simon Bennett, VP Product at Bitnami, to discuss golden images, image layering, and how Bitnami helps accelerate application delivery across multiple clouds.
The post Ep. #25, Golden Images with Simon Bennett of Bitnami appeared first on Heavybit.
Follow Us
In episode 24 of The Secure Developer, Guy is joined by Omer Levi Hevroni, DevSecOps Engineer at Soluto, to discuss application security, OWASP, security ‘mavens,’ and more.
The post Ep. #24, Application Security with Omer Levi Hevroni appeared first on Heavybit.
Follow Us
In episode 23 of The Secure Developer, Guy speaks with Zach Powers, CISO of One Medical, to discuss the evolution of security at One Medical, what he looks for when hiring for his team, and why automation is a must.
The post Ep. #23, Automation with One Medical’s Zach Powers appeared first on Heavybit.
Follow Us
In episode 22 of The Secure Developer, Guy meets with Stina Ehrensvärd, founder and CEO of Yubico, to explore how hardware solutions like YubiKey can be an effective approach to authentication and security.
The post Ep. #22, Authentication with Yubico’s Stina Ehrensvärd appeared first on Heavybit.
Follow Us
In episode 21 of The Secure Developer, Guy meets with Julie Tsai, Cybersecurity Leader and DevSecOps Practitioner, to discuss ways to manage secure systems and bridge the gap between security and DevOps.
The post Ep. #21, Managing Security with Cybersecurity Leader and DevSecOps Practitioner Julie Tsai appeared first on Heavybit.
Follow Us
In episode 20 of The Secure Developer, Guy speaks to Dan Cornell, CTO of Denim Group, the developer security firm behind ThreadFix, a vulnerability resolution platform.
The post Ep. #20, Using ThreadFix with Dan Cornell of Denim Group appeared first on Heavybit.
Follow Us
In episode 19 of The Secure Developer, Guy meets with Allison Miller to discuss the ways technology and security have intersected throughout her career.
The post Ep. #19, Measuring Security with Allison Miller appeared first on Heavybit.
Follow Us
In episode 18 of The Secure Developer, Guy meets with Marten Mickos, CEO of HackerOne, a platform for vulnerability coordination and a bug bounty program that helps developers test and build more secure systems.
The post Ep. #18, Collaborative Security with HackerOne’s Marten Mickos appeared first on Heavybit.
Follow Us
In episode 17 of The Secure Developer, Guy meets up with Adrian Colyer, Venture Partner at Accel and author of The Morning Paper, a daily recap of academic articles in computer science. The pair investigates how researchers are discovering new side-channel attacks and vulnerabilities that look, at first glance, like they’re out of a science fiction or spy novel.
The post Ep. #17, Security Research with The Morning Paper’s Adrian Colyer appeared first on Heavybit.
Follow Us
In episode 16 of The Secure Developer, Guy is joined by Masha Sedova, co-founder of Elevate Security, to discuss how training for employees (even developers) can help companies stay one step ahead of the pack when it comes to preventing a breach.
The post Ep. #16, Security Training with Elevate’s Masha Sedova appeared first on Heavybit.
Follow Us
In episode 15 of The Secure Developer, Guy is joined by James Governor, Analyst and Co-founder of RedMonk, a developer-focused industry analyst firm. The pair discusses multiple ways that companies can be incentivized, and how they can incentivize others, to invest in and improve security.
The post Ep. #15, Enterprise Security with RedMonk’s James Governor appeared first on Heavybit.
Follow Us
In the latest episode of The Secure Developer, Guy is joined by Geoff Belknap, Chief Security Officer at Slack. Geoff discusses what drew him into security and reveals why it’s critical for security teams to be recognized as a full-fledged member of engineering. He explains why it makes sense for companies to develop a track record of transparency and actively encourage community participation through bug bounty programs. Geoff also concludes that companies should encourage basic security hygiene rather than seek a silver bullet that does not exist.
The post Ep. #14, How Slack Stays Secure During Hyper Growth appeared first on Heavybit.
Follow Us
In the latest episode of The Secure Developer, Guy is joined by Shaun Gordon, Chief Security Officer at New Relic. Shaun tells us how he got into a career in security and explains how the role of security has evolved at New Relic. He reveals their philosophy of adapting security processes to fit the way developers do their job and emphasizes the importance of exception alerts, scorecards, and automation to support a rapidly scaling organization.
The post Ep. #13, How New Relic Does Security appeared first on Heavybit.
Follow Us
In the latest episode of The Secure Developer, Guy is joined by Molly Crowther from Pivotal. Molly discusses her role in managing security at Cloud Foundry, an open source cloud platform on which developers can build, deploy and run applications.
She explains their security triage and CVE process and reveals some of the challenges of working within the large ecosystem of diverse companies that make up the Cloud Foundry Foundation. Molly also talks about how she fulfills her role of wearing many hats as a representative of both Pivotal and the open source foundation.
The post Ep. #12, Keeping Cloud Foundry Secure appeared first on Heavybit.
Follow Us
In the latest episode of The Secure Developer, Guy is joined by Arup Chakrabarti, Kevin Babcock and Rich Adams from PagerDuty. They discuss how they put into practice their security vision of “making it easy to do the right thing”.
This involves picking the right tooling and designing a security experience that doesn’t force people to do things, but rather provides insight into how vulnerabilities can be exposed. Giving people the opportunity to break things also creates a strong desire to want to then protect those things.
The post Ep. #11, Keeping PagerDuty Secure appeared first on Heavybit.
Follow Us
In the latest episode of The Secure Developer, Guy is joined by Aren Sandersen. They examine the current state of access control systems and discuss the need for better education and tooling to support time-bound dynamic access control.
Aren also explains why most startups consider security too late and reveals the minimum mindset that all early stage startups need to adopt to manage their attack surface.
The post Ep. #10, Dynamic Authorization: The Evolution of Access Controls appeared first on Heavybit.
Follow Us
In the latest episode of The Secure Developer, Francois Raynaud joins Guy to discuss the current state of IT security.
Francois explains why a cultural shift is needed to make security more inclusive, with security professionals taking on a greater mentoring and guiding role. Francois discusses why he created DevSecCon, a Development Security Conference aimed at fostering inclusion. He also shares approaches for DevOps and Security teams to better understand what other teams are trying to achieve so they can work collaboratively and improve business security.
The post Ep. #9, Making Security More Inclusive appeared first on Heavybit.
Follow Us
In this episode of The Secure Developer, Geva Solomonovich, COO at Snyk and founder of Snowy Peak Security joins Guy to discuss security policies, and why you shouldn’t wait to implement your own.
Geva shares the 3 categories of security policies he developed with his clients and emphasizes that it’s not enough to create a set of documents or processes. You need to establish a security mindset and integrate it into everything you do. Don’t miss this episode for practical tips on reducing your company’s risk surface.
The post Ep. #8, What’s In A Security Policy? appeared first on Heavybit.
Follow Us
In this episode of The Secure Developer, Ben Bernstein from Twistlock joins Guy to discuss container security. Are you currently using containers, or thinking about moving to containers in your stack? You won’t want to miss this episode.
With containers, developers control the entire stack. While empowering to developers, this can also open up new security vulnerabilities. Ben and Guy discuss the tools and processes you’ll need to put in place to ensure your containers are compliant and secure.
The post Ep. #7, Understanding Container Security appeared first on Heavybit.
Follow Us
In episode #6 of The Secure Developer, Guy is joined by his Snyk.io co-founder Danny Grander for an in depth discussion on CTF (Capture The Flag) competitions in the security world. Learn about the differences between jeopardy style and attack-defense CTFs, the future of AI powered hacking (and defense!), and where you should start if you’re interested in playing.
The post Ep. #6, Developer War Games: Capture The Flag! appeared first on Heavybit.
Follow Us
In the fifth installment of The Secure Developer, Guy talks with Chef CTO Adam Jacob about the role security can play in DevOps and continuous integration/deployment. They cover the differences between baked-in and bolted on security and how automation with Habitat can change the way developers approach secure coding.
The post Ep. #5, Continuous Security at Chef appeared first on Heavybit.
Follow Us
In episode #4 of The Secure Developer, Guy is joined by Eric Lawrence of the Google Chrome security team. Eric and Guy begin with a discussion on what it takes to be a great security engineer – namely curiosity and a willingness to learn. Later they discuss the growing importance of the modern web browser, and how security previously only found in operating systems is now moving into browsers themselves. Finally they discuss the current state of HTTPS, including the carrots and the sticks that browser designers like Eric have at their disposal.
The post Ep. #4, Getting Down To The Metal appeared first on Heavybit.
Follow Us
In episode 3 of The Secure Developer, Guy is joined by Sabin Thomas, VP of Engineering at Codiscope, where he creates tools that help developers build and deploy secure code faster. The two discuss the difficulties presented by the accelerating release of new tools and frameworks, the problem of too many sticks and not enough carrots, and the benefits of designing with security in mind from the start.
The post Ep. #3, Security From The Start appeared first on Heavybit.
Follow Us
Episode Summary
In this episode of The Secure Developer, Guy hosts RisingStack Founder and CEO Gergely Nemeth. The pair discuss the difficulties of selling security as a requirement, some of the most common attack vectors used on today’s web, and finally, the work Gergely is doing on Trace, a Node.js-focused tool that makes debugging code simple.
Show Notes
Links
Follow Us
Episode Summary
In our first episode, Guy is joined by Kyle Randolph, Principal Security Engineer at Optimizely. Kyle and Guy discuss the sometimes challenging but always important task of prioritizing security in your engineering organization. Kyle shares stories from his time at Optimizely, Adobe, and Twitter.
Show Notes
In this insightful episode, we welcome Kyle Randolph, an experienced security professional from Optimizely, to share his wealth of knowledge on establishing an effective application security (AppSec) system. With an impressive background in security at companies like Citrix, Adobe, and Twitter, Kyle holds a deep understanding of building security from scratch and safeguarding existing systems. The conversation draws attention to the importance of fostering a security-based culture within engineering teams, enabling engineers to take ownership of security concerns, and promoting security practices through relevant, real-life stories.
Kyle's approach goes beyond merely fixing security bugs; it's about 'baking in' security from the outset. Coupling security considerations with product development, Kyle highlights the role of automation, mentioning tools like Spinnaker and AWS that help incorporate security measures seamlessly into product development. He vividly illustrates the success of these methods through examples at Optimizely, where they have managed to eliminate vulnerabilities like cross-site scripting in their tech infrastructure.
The discussion also broaches the challenges associated with prioritizing security tasks, especially during resource constraints. For such scenarios, Kyle emphasizes maintaining a transparent system that records all security issues so that they're addressed comprehensively. Listeners will find this episode particularly valuable as it delves into both the successful strategies and the challenges associated with integrating security into the architectural fabric of product development.
Links
Follow Us
En liten tjänst av I'm With Friends. Finns även på engelska.