Code security for software engineers
The Pragmatic Engineer
Dependency risk and SCA tools
Johannes explains software composition analysis (SCA) and how tools detect vulnerable dependency versions (CVEs).
Brought to You By:
• Statsig — The unified platform for flags, analytics, experiments, and more. Statsig are helping make the first-ever Pragmatic Summit a reality. Join me and 400 other top engineers and leaders on 11 February, in San Francisco for a special one-day event. Reserve your spot here.
• Linear — The system for modern product development. Engineering teams today move much faster, thanks to AI. Because of this, coordination increasingly becomes a problem. This is where Linear helps fast-moving teams stay focused. Check out Linear.
—
As software engineers, what should we know about writing secure code?
Johannes Dahse is the VP of Code Security at Sonar and a security expert with 20 years of industry experience. In today’s episode of The Pragmatic Engineer, he joins me to talk about what security teams actually do, what developers should own, and where real-world risk enters modern codebases.
We cover dependency risk, software composition analysis, CVEs, dynamic testing, and how everyday development practices affect security outcomes. Johannes also explains where AI meaningfully helps, where it introduces new failure modes, and why understanding the code you write and ship remains the most reliable defense.
If you build and ship software, this episode is a practical guide to thinking about code security under real-world engineering constraints.
—
Timestamps
(00:00) Intro
(02:31) What is penetration testing?
(06:23) Who owns code security: devs or security teams?
(14:42) What is code security?
(17:10) Code security basics for devs
(21:35) Advanced security challenges
(24:36) SCA testing
(25:26) The CVE Program
(29:39) The State of Code Security report
(32:02) Code quality vs security
(35:20) Dev machines as a security vulnerability
(37:29) Common security tools
(42:50) Dynamic security tools
(45:01) AI security reviews: what are the limits?
(47:51) AI-generated code risks
(49:21) More code: more vulnerabilities
(51:44) AI’s impact on code security
(58:32) Common misconceptions of the security industry
(1:03:05) When is security “good enough?”
(1:05:40) Johannes’s favorite programming language
—
The Pragmatic Engineer deepdives relevant for this episode:
• What is Security Engineering?
• Mishandled security vulnerability in Next.js
• Okta Schooled on Its Security Practices
—
Production and marketing by https://penname.co/. For inquiries about sponsoring the podcast, email podcast@pragmaticengineer.com.
Get full access to The Pragmatic Engineer at newsletter.pragmaticengineer.com/subscribe
The AI-powered Podcast Player
