The Secure Developer

Snyk
Mar 31, 2020 • 19min

Prioritizing The Communication Factor In Security With Douglas DePerry

Today on The Secure Developer, we interview the Director of Product Security at Datadog, Douglas DePerry. Doug has experience in the offense side of the industry, working as a security researcher and consultant at LeafSR and iSEC Partners, and in the realm of defense, having been involved with various defense contractors and the US Army. In this episode, Doug talks about wearing many hats at Datadog, first starting in infrastructure security and then moving along to product security amid the company’s rapid growth. But they eventually decided to merge the two teams into a security engineering team, and Doug offers some insight into the new team arrangements and the logic behind the initial separation. Joining in the conversation, listeners will get some advice around building effective communication within engineering teams, learn about the need to raise awareness about the shared responsibility of security, and hear Doug’s approach to developing, evaluating, and embedding security tools effectively. However, from all his years of experience, the most crucial lesson Doug has learned is to never underestimate the importance of people in the tech space, pointing out that without communication, negotiation, and compromise among team members, the tech aspects are bound to fail. Show notes and transcript can be found here.
Mar 24, 2020 • 37min

The Big Picture Of Security At Atlassian With Adrian Ludwig

Security is a vital feature of a platform’s architecture on both the service provider and the consumer side, and it helps to have a leader who can see the big picture. Our guest for today is Adrian Ludwig, Chief Information Security Officer at Atlassian. Adrian has a marketing and tech background, and we speak to him about his transition between the two seemingly unrelated fields through his work at NSA, Adobe, Nest, and Android, and how both sides inform his approach to security at Atlassian. We then get into the nitty-gritty of how Atlassian thinks about security, and the operations and technologies they have in place in order to achieve that goal. We talk about how Atlassian has transitioned from being an on-premises to a cloud provider, and the benefits of merging microservices with security boundaries in its system. Our conversation also covers other systems Atlassian uses to maintain its software and delegate to teams. We speak about the granularity of the roles of embedded developers in security teams, and how timezones are used strategically to speed up turnover time. You’ll also hear about how they use bug bounties as a way of gauging their embedded developer ratio, and different strategies to deal with backlogs. Toward the end of our conversation, Adrian touches on the concept of consumer versus enterprise-grade security, and why it is necessary to build systems that reduce the risk of human error and not the other way round. Join us for a fascinating behind-the-scenes look into the cogs that make Atlassian work. Show notes and transcript can be found here.
Mar 17, 2020 • 18min

InSpec Insights With Mandi Walls

Joining us on today’s episode of The Secure Developer is Mandi Walls, technical community manager at Chef Software. Her role involves helping technology organizations increase their effectiveness by using configuration management and other modern IT practices. Along with this, she is also a frequent speaker at tech conferences and is the author of the whitepaper, Building a DevOps Culture, published by O’Reilly. In this show, which is another DevSecCon special, Mandi shares more on the topic of her talk with us: InSpec, which is Chef’s product for infrastructure security testing of code. She sheds light on its uses, and how through its flexibility, it's increasing the speed at which it can do security checks. Mandi also shares more on how the product deals with containerization, how it issues alerts and the role she sees the product playing in the future. Tune in today!
Mar 10, 2020 • 36min

Five Ideals For Better DevOps And Security With Gene Kim

Unsurprisingly, many high-performing organizations in the DevOps space are simultaneously the best in security and in operations too. In this episode, we sit down to talk with Gene Kim about his work on the saves that get made by organizations who have great operations, and how this fits into their security. Gene Kim is the founder of Tripwire, author of The Unicorn Project and The Phoenix Project and has also co-authored The DevOps Handbook and the State of DevOps Report amongst other texts. He has been studying high-performing technology organizations for much of his life and has a rich history in both the security and the DevOps sides. Today we get the chance to talk to Gene about the five ideals for optimizing performance in the DevOps space that can be found in The Unicorn Project, particularly through the lens of security. We also chat to Gene about the four hypotheses that the DevOps report he co-authored rested on, and some of the interesting and unexpected conclusions that he and his collaborators came to. This conversation spans many key aspects of the DevOps industry and how locality, flow, daily improvement, psychological safety, and customer focus have the power to augment huge changes for the better, so make sure you don’t miss it! Show notes and transcript can be found here.
Mar 3, 2020 • 22min

Sustainable And Scalable Ways To Buy Down Risk With Clint Gibler

Our guest today on the show is Clint Gibler, a research director at NCC Group, where he helps provide organizations with security consulting services. Clint speaks to Guy Podjarny at DevSecCon Seattle about the current landscape of application security, how his company fits into that as a global information assurance specialist and the job of helping companies scale their security efforts through cutting-edge tools and processes. His vast experience in the field of security, with a wide range of companies, has afforded him great insight into the importance of security teams' morale and goal setting. We hear from him about staying up to date on the latest developments in the field and his advice for remaining as current as possible. Clint's background in helping companies implement security automation and DevSecOps best practices has led to his current standing, and we get to hear about the panel discussion he moderated at the DevSecCon event. Show notes and transcript can be found here.
Feb 25, 2020 • 39min

Security Insights From An Integration Platform With Tad Whitaker

In the age of startups, diverse employee backgrounds are increasingly important for companies to be resilient and deeply innovative. People's prior experience helps their work in security both in expected and unexpected ways. Our guest today, Tad Whitaker, has one of the most interesting backgrounds we’ve yet to encounter. From working as a gold miner to a newspaper reporter to a private investigator, Tad’s journey to landing his role as an Engineering Manager at CircleCI has been very colorful. He is also a core member of the Bay Area OWASP leadership that hosts bi-monthly security meetups in San Francisco. Outside of work, Tad volunteers with several different organizations, including The Wall of Sheep at DefCon, Mission Bits, Telegraph Academy and the San Francisco Youth Baseball League. In this episode, Tad shares his interesting background with us and the different ways it has overlapped with his current work in security. We also gain some insights into the structure at Circle, from how his team works to their relationship with the development team. The dynamic relationship between development and security is not one we encounter often, so it is refreshing to hear. Tad also walks us through compliance and how adhering to mandated compliance standards has helped and hindered his work. Show notes and transcript can be found here.
Feb 18, 2020 • 14min

Beyond The Security Team With Julien Vehent

In our conversation, we chat to Julien about his current professional role, his talk at DevSecCon and the inspiration behind it before diving into his ideas on security's present and possible futures. Julien makes an argument for setting up 'paved roads' for security in order to save time and resources, but rather than these being restrictive, he emphasizes the freedom that should remain built into these systems. For a fascinating chat with Julien and some insight into what is going on at Mozilla currently, be sure to join us! Show notes and transcript can be found here.
Feb 11, 2020 • 38min

Running Security For A Security Company With Michael Hanley

What Mike and the various other cloud businesses within the broader Cisco network have managed to do is create an environment where they share knowledge and learn from one another to the ultimate benefit of their customers. He talks about their system according to which his team engages with and gives feedback to engineers and the model they have implemented to constantly evaluate their efficiency. We switch to talking about Duo's acquisition by Cisco and how it has boosted the organization, and Mike wraps up the conversation by telling listeners why diversity in teams is crucial. Show notes and transcript can be found here.
Dec 26, 2019 • 49min

Year In Review With Guy Podjarny And Simon Maple

In episode 44 of The Secure Developer, Guy Podjarny sits down with guest host Simon Maple of Snyk to reflect back on the numerous guests he’s had on the show throughout 2019, and the many security lessons and insights shared along the way. The post Ep. #44, Year in Review with Guy Podjarny appeared first on Heavybit.
Dec 12, 2019 • 37min

Combatting Security Burnout With Stu Hirst

In episode 43 of The Secure Developer, Guy joins Stu Hirst, Principal Cloud Security Engineer at Just Eat. They discuss Stu’s journey into cloud security, avoiding burnout, cultivating better hiring practices, and the importance of failing fast. The post Ep. #43, Combatting Security Burnout with Stu Hirst of Just Eat appeared first on Heavybit.
