
The Secure Developer

Latest episodes

Apr 28, 2020 • 18min

Why We Need To Share Seth Vargo’s Serverless Secret

On today’s episode, Guy Podjarny, President and cofounder of Snyk, talks to Seth Vargo at DevSecCon Seattle. Seth previously worked at HashiCorp, Chef Software, CustomInk, and a few Pittsburgh-based startups. He is the author of Learning Chef and is passionate about reducing inequality in technology. Today, he is a developer advocate at Google and is passionate about the human element of security. This discussion is centered around the talk Seth gave at DevSecCon Seattle titled Secrets in Serverless. In this episode, we flesh out one of the core principles of this talk, which is that security is not binary. Here we explore the often-unseen side of security and how developers can prevent or limit attacks by assuming from the get-go that their secrets will be leaked! If you’re looking for practical, in-depth advice, as well as a leading, expert strategy that will shift your view on managing secrets in serverless, then this is the episode for you! Show notes and transcript can be found here.
Apr 21, 2020 • 26min

Diversity In DevSec And Cloud Security With Vandana Verma

Barriers to entering the DevSecOps community are becoming much weaker thanks to its provision of free resources and through the work of diversity activists too. Much praise can be given to Vandana Verma in this regard, whom we were lucky to have as our guest on the show today. Vandana is an experienced application security practitioner, currently working at IBM’s India software labs as a Security Solutions Architect. She’s OWASP Bangalore’s Chapter Leader, OWASP’s Women in AppSec lead, as well as an advocate for WoSEC, Infosec Girls and Women in Cyber Security. In today’s discussion, we hear about Vandana’s journey into the DevSec and Cloud security world from her early days as a developer. Vandana speaks about the scope of AppSec and Cloud security, weighing in on the ‘left shift’, the app in the context of the cloud, and the different focus areas she uses in her training sessions. We hear about the burgeoning tech scene in Bangalore, how helpful the community is, and all the free resources to be found at the OWASP Seaside conferences. Vandana also speaks about her journey into diversity activism, sharing about the many workshops and keynote presentations she gives globally, and the benefits her broad understanding of diversity can bring to security teams. For some great tips on how to think about Cloud vs AppSec, as well as how teams with broad backgrounds can benefit security work, make sure to listen in on today’s show. Show notes and transcript can be found here.
Apr 14, 2020 • 19min

Innovation And Execution For Better Solutions With Erkang Zheng

For this special DevSecCon Seattle edition of the show, our guest is Erkang Zheng from LifeOmic. Erkang is an experienced cybersecurity specialist and recently developed JupiterOne, a security product that is changing how organizations manage their cloud-based infrastructure. We get to hear from Erkang about the unique way that security is run at LifeOmic, where he is the current CISO. LifeOmic is a software company that builds cloud-based data platforms for its customers. In our conversation, we cover the small security team size at the company, the reasons for this, and the systems they have in place that hold all employees accountable. LifeOmic allows plenty of freedom for its developers and chooses instead to focus on other ways to shore up its gateways against issues. Erkang comments on the best ways to progress out of outdated systems and the importance of getting out of a comfort zone that is not serving the company in the long run.
Apr 7, 2020 • 47min

How To Embrace The Organizational Revolution As A Next Generation Security Leader With Roland Cloutier

Today on the show, we welcome Roland Cloutier. As the Chief Security Officer of ADP, Roland works to protect and secure one of the world’s largest providers of business outsourcing solutions. Prior to that, Roland served as the Vice President and Chief Security Officer of EMC, where he spearheaded protection of the company’s worldwide business across both the commercial and government sectors. He has held executive security management roles at consulting and managed security service organizations and has more than nine years of experience in federal law enforcement. Roland’s experience gives him a fascinating, forward-thinking approach to the organizational revolution we see happening today. In this episode, we start by highlighting the major changes that have occurred in security orgs over the past 10 years and reveal the changes that need to be made in order to survive in today’s complex climate. We look to ADP as an example, dissecting the multiple stacks of its infrastructure, its security-by-design approach, and how it tackles the challenges of maintaining talent, upskilling, embracing new styles of work, and more!
Mar 31, 2020 • 19min

Prioritizing The Communication Factor In Security With Douglas DePerry

Today on The Secure Developer, we interview the Director of Product Security at Datadog, Douglas DePerry. Doug has experience on the offense side of the industry, working as a security researcher and consultant at LeafSR and iSEC Partners, and in the realm of defense, having been involved with various defense contractors and the US Army. In this episode, Doug talks about wearing many hats at Datadog, first starting in infrastructure security and then moving along to product security amid the company’s rapid growth. They eventually decided to merge the two teams into a single security engineering team, and Doug offers some insight into the new team arrangement and the logic behind the initial separation. Joining in the conversation, listeners will get some advice on building effective communication within engineering teams, learn about the need to raise awareness of the shared responsibility for security, and hear Doug’s approach to developing, evaluating, and embedding security tools effectively. However, from all his years of experience, the most crucial lesson Doug has learned is to never underestimate the importance of people in the tech space, pointing out that without communication, negotiation, and compromise among team members, the tech aspects are bound to fail. Show notes and transcript can be found here.
Mar 24, 2020 • 37min

The Big Picture Of Security At Atlassian With Adrian Ludwig

Security is a vital feature of a platform’s architecture for both the service provider and the consumer, and it helps to have a leader who can see the big picture. Our guest for today is Adrian Ludwig, Chief Information Security Officer at Atlassian. Adrian has a marketing and tech background; we speak to him about his transition between the two seemingly unrelated fields through his work at NSA, Adobe, Nest, and Android, and how both sides inform his approach to security at Atlassian. We then get into the nitty-gritty of how Atlassian thinks about security, and the operations and technologies it has in place in order to achieve that goal. We talk about how Atlassian has transitioned from being an on-premises to a cloud provider, and the benefits of aligning microservices with security boundaries in its system. Our conversation also covers other systems Atlassian uses to maintain its software and delegate to teams. We speak about the granularity of the roles of embedded developers in security teams, and how time zones are used strategically to speed up turnover time. You’ll also hear about how Atlassian uses bug bounties as a way of gauging its embedded developer ratio, and different strategies to deal with backlogs. Toward the end of our conversation, Adrian touches on the concept of consumer versus enterprise-grade security, and why it is necessary to build systems that reduce the risk of human error and not the other way round. Join us for a fascinating behind-the-scenes look into the cogs that make Atlassian work. Show notes and transcript can be found here.
Mar 17, 2020 • 18min

InSpec Insights With Mandi Walls

Joining us on today’s episode of The Secure Developer is Mandi Walls, technical community manager at Chef Software. Her role involves helping technology organizations increase their effectiveness by using configuration management and other modern IT practices. Along with this, she is also a frequent speaker at tech conferences and is the author of the whitepaper Building a DevOps Culture, published by O’Reilly. In this show, which is another DevSecCon special, Mandi shares more on the topic of her talk with us: InSpec, which is Chef’s product for infrastructure security testing of code. She sheds light on its uses, and on how its flexibility increases the speed at which security checks can be run. Mandi also shares more on how the product deals with containerization, how it issues alerts, and the role she sees the product playing in the future. Tune in today!
Mar 10, 2020 • 36min

Five Ideals For Better DevOps And Security With Gene Kim

Unsurprisingly, many high-performing organizations in the DevOps space are simultaneously the best in security and in operations too. In this episode, we sit down to talk with Gene Kim about his work on the saves that get made by organizations who have great operations, and how this fits into their security. Gene Kim is the founder of Tripwire, author of The Unicorn Project and The Phoenix Project, and has also co-authored The DevOps Handbook and the State of DevOps Report, amongst other texts. He has been studying high-performing technology organizations for much of his life and has a rich history on both the security and the DevOps sides. Today we get the chance to talk to Gene about the five ideals for optimizing performance in the DevOps space that can be found in The Unicorn Project, particularly through the lens of security. We also chat to Gene about the four hypotheses that the DevOps report he co-authored rested on, and some of the interesting and unexpected conclusions that he and his collaborators came to. This conversation spans many key aspects of the DevOps industry and how locality, flow, daily improvement, psychological safety, and customer focus have the power to drive huge changes for the better, so make sure you don’t miss it! Show notes and transcript can be found here.
Mar 3, 2020 • 22min

Sustainable And Scalable Ways To Buy Down Risk With Clint Gibler

Our guest today on the show is Clint Gibler, a research director at NCC Group, where he helps provide organizations with security consulting services. Clint speaks to Guy Podjarny at DevSecCon Seattle about the current landscape of application security, how his company fits into that as a global information assurance specialist, and the job of helping companies scale their security efforts through cutting-edge tools and processes. His vast experience in the field of security, with a wide range of companies, has afforded him great insight into the importance of security teams' morale and goal setting. We hear from him about staying up to date on the latest developments in the field and his advice for remaining as current as possible. Clint's background in helping companies implement security automation and DevSecOps best practices has led to his current standing, and we get to hear about the panel discussion he moderated at the DevSecCon event. Show notes and transcript can be found here.
Feb 25, 2020 • 39min

Security Insights From An Integration Platform With Tad Whitaker

In the age of startups, diverse employee backgrounds are increasingly important for companies to be resilient and deeply innovative. People's prior experience helps their work in security in both expected and unexpected ways. Our guest today, Tad Whitaker, has one of the most interesting backgrounds we’ve encountered. From working as a gold miner to a newspaper reporter to a private investigator, Tad’s journey to landing his role as an Engineering Manager at CircleCI has been very colorful. He is also a core member of the Bay Area OWASP leadership that hosts bi-monthly security meetups in San Francisco. Outside of work, Tad volunteers with several different organizations, including The Wall of Sheep at DefCon, Mission Bits, Telegraph Academy and the San Francisco Youth Baseball League. In this episode, Tad shares his interesting background with us and the different ways it has overlapped with his current work in security. We also gain some insights into the structure at Circle, from how his team works to its relationship with the development team. The dynamic relationship between development and security is not one we encounter often, so it is refreshing to hear. Tad also walks us through compliance and how adhering to mandated compliance standards has both helped and hindered his work. Show notes and transcript can be found here.
