The Secure Developer

Episode SummaryIn this episode of The Secure Developer, our co-hosts Simon Maple and Guy Podjarny discuss the rise of AI in code generation. Drawing from Snyk's 2023 AI Code Security Report, they examine developers' concerns about security and the importance of auditing and automated controls for AI-generated code.Show NotesIn this compelling episode of The Secure Developer, hosts Simon Maple and Guy Podjarny delve into the fascinating and fast-paced world of artificial intelligence (AI) in code generation. Drawing insights from Snyk's 2023 AI Code Security Report, the hosts discuss the exponential rise in the adoption of AI code generation tools and the impact this has on the software development landscape.Simon and Guy reveal alarming statistics showing that most developers believe AI-generated code is inherently more secure than human-written code, but they also express deep-seated concerns about security and data privacy. This dichotomy sets the stage for a stimulating discussion about the potential risks and rewards of integrating AI within the coding process.A significant point of discussion revolves around the need for more stringent auditing for AI-generated code and much tighter automated security controls. The hosts echo the industry’s growing sentiment about the importance of verification and quality assurance, regardless of the perceived assurance of AI security.This episode challenges conventional thinking and provides critical insights into software development's rapidly evolving AI realm. It's an insightful listen for anyone interested in understanding the interplay of AI code generation, developer behaviors, and security landscapes.LinksSnyk's 2023 AI-Generated Code Security ReportGitHub CopilotSnyk - The Developer Security CompanyFollow UsOur WebsiteOur LinkedIn Follow UsOur WebsiteOur LinkedIn

Episode SummaryIn this episode, Tomasz Tunguz of Theory Ventures discusses the intersection of AI, technology, and security. We explore how AI is revolutionizing software development, data management challenges, and security's vital role in this dynamic landscape. Show NotesIn this episode of The Secure Developer, Guy Podjarny engages in a deep and insightful conversation with Tomasz Tunguz, founding partner of Theory Ventures. They delve into the fascinating world of AI security and its burgeoning impact on the software development landscape. Tomasz brings a unique investor's lens to the discussion, shedding light on how early-stage software companies are leveraging AI to revolutionize market strategies.The conversation navigates through the complexities of AI in the realm of security. Tomasz highlights key trends such as data loss prevention, categorization of AI-related companies, and the significant security challenges in this dynamic space. The episode also touches on the critical role of data governance and compliance in the age of AI, exploring how these elements are becoming increasingly intertwined with security concerns.A significant part of the discussion is dedicated to the future of AI-powered software development. Guy and Tomasz ponder the evolution of coding, predicting a shift towards higher levels of abstraction and the potential challenges this may pose for security. They speculate on the profound changes AI could bring, transforming how software is developed and the implications for developers and security professionals.This episode provides a comprehensive look into the intersection of AI, technology, and security. It's a must-listen for anyone interested in understanding AI's current and future landscape in the tech world, especially from a security standpoint. The insights and predictions offered by Tomasz Tunguz make it an engaging and informative session, perfect for professionals and enthusiasts alike who are keen to stay ahead.LinksTheory VenturesOpenAIGitHubAmazon Web Services (AWS)Google CloudMicrosoft AzureMonte CarloGableSnyk - The Developer Security CompanyFollow UsOur WebsiteOur LinkedIn Follow UsOur WebsiteOur LinkedIn

Episode SummaryIn this episode, Dr. Christina Liaghati discusses incorporating diverse perspectives, early security measures, and continuous risk evaluations in AI system development. She underscores the importance of collaboration and shares resources to help tackle AI-related risks.Show NotesIn this enlightening episode of The Secure Developer, Dr. Christina Liaghati of MITRE offers valuable insights on the necessity of integrating security considerations right from the design phase in AI system development. She underscores the fact that cybersecurity issues can’t be fixed solely at the end of the development process; rather, understanding and mitigating vulnerabilities require continual iterative discovery and investigation throughout the system's lifecycle.Dr. Liaghati emphasizes the need for incorporating diverse perspectives into the process, specifically highlighting the value of expertise from fields like psychology and human-centered design to grasp the socio-technical issues associated with AI use fully. She sounds a cautionary note about the inherent risks when AI is applied in critical sectors like healthcare and transportation, which calls for thorough discussions about these deployments.Additionally, she introduces listeners to MITRE's ATLAS project, a community-focused initiative that seeks to holistically address the challenges posed by AI, drawing lessons from past experiences in cybersecurity. She points out the ATLAS project as a resource for learning about adversarial machine learning, particularly useful for those coming from a traditional cybersecurity environment or the traditional AI side.Importantly, she talks about the potential of AI technology as a tool to improve day-to-day activities, exemplified by email management. These discussions underscore the importance of knowledgeable and informed debates about integrating AI into various aspects of our society and industries. The episode serves as a useful guide for anyone venturing into the world of AI security, offering a balanced perspective on the potential challenges and opportunities involved.LinksMITRE ATLAS ProjectArsenal CALDERA Plugin for Adversary EmulationIBM's Adversarial Robustness Toolbox (ART)Microsoft's Counterfit ToolMIT AI 101 Course (free)Women in CyberSecurity (WiCyS)MITRE's Twitter AccountMITRE's LinkedIn PageSnyk - The Developer Security CompanyFollow UsOur WebsiteOur LinkedIn Follow UsOur WebsiteOur LinkedIn

This week, we're rewinding to play one of our favorite episodes from the archive! We'll be back with a brand-new episode in two weeks!Today’s guest is someone we have wanted to have on the show for a long time, and we are so happy to finally welcome him. Dev Akhawe is the Head of Security at Figma, the first state-of-the-art interface design tool that runs entirely in your browser. Before that, Dev worked at Dropbox, as Director of Security Engineering, leading application security, infrastructure security, and abuse prevention for the Dropbox products. He also holds a Ph.D. in Computer Science from UC Berkeley, where his thesis focused on web application security. In this episode, Dev pulls back the curtain and gives us a look at what security at Figma looks like. The relatively small organization has a culture where the security team earns their trust and works openly. This has resulted in far greater cohesion between the security team and developers. We also hear about Dev’s time at Dropbox, and how working on an application with many products exposed him to the gamut of security issues that companies can face. Along with this, we discuss some of the positive changes in how startups are thinking about security, the value of exposing people to different parts of an organization, the place of security champions, and having a curious mindset as a security professional. Dev's approach to security is empathetic, collaborative, and solution-driven, and if you would like to hear more, be sure to tune in today! Follow UsOur WebsiteOur LinkedIn

Royal Hansen, VP of Engineering for Privacy, Safety, and Security at Google, talks about effective risk management strategies and AI security standards. He discusses Google's Secure AI Framework (SAIF), the six core elements of SAIF, and the importance of collaboration. They also explore the potential of AI in different fields, the balance between attackers and defenders in security, and the risks and challenges of AI. The podcast emphasizes the need for collaboration between security teams and AI experts and discusses the potential for AI regulation and automation of personal tasks.

Security is changing quickly in the fast-paced world of AI. During this episode, we explore AI safety and security with the help of David Haber, who co-founded Lakera.ai. David is also the creator of Gandalf, an AI tool that makes Large Language Models (LLMs) accessible to everyone. Join us as we dive into the world of prompt injections, AI behavior, and its corresponding risks and vulnerabilities. We discuss questions about data poisoning and protections and explore David’s motivation to create Gandalf and how he has used it to gain vital insights into the complex topic of LLM security. This episode also includes a foray into the two approaches to informing an LLM about sensitive data and the pros and cons of each. Lastly, David emphasises the importance of considering what is known about each model on a case-by-case basis and using that as a starting point. Tune in to hear all this and more about AI safety, security, and play from a veritable expert in the field, David Haber!  Follow UsOur WebsiteOur LinkedIn

On episode 126 of The Secure Developer we had a fascinating conversation with Guy Rosen, who is the current CISO at Meta. In our chat, we are able to mine Guy's vast experience, expertise, and perspective on what being CISO at a huge tech company in today's climate requires, focusing on how security and integrity concerns come together and play out. In his role at Meta, Guy oversees both of these areas, and listeners will get to hear how he distinguishes the two worlds, and also where they overlap and intersect. We spend some time talking about human and technological resources for these fields, how Guy thinks about skills and hiring, and of course the impact of AI on the field right now. We also hear from our guest about issues such as privacy, account takeover, and the complexity of the policies that govern online abuse. So join us to catch it all in this great conversation! Follow UsOur WebsiteOur LinkedIn

Artificial Intelligence is innovating at a faster than ever before. Could there be a better response than fear? Sam Curry is the VP and Chief Information Security Officer at Zscaler, and he joins us to share his perspective on what AI means for cyber security. Tune in to hear how AI is advancing cybersecurity and the potential threats it poses to data and metadata protection. Sam delves into the nature of fearmongering and a more appropriate response to technological development before revealing the process behind AI integration at Zscaler, why many companies are opting to build internal AI systems, and the three buckets of AI in the security world. Sam shares his opinion on eliminating the offensive use of AI, touches on how AI uses mechanical twerks to get around security checks, and discusses the preparation of InfoSec cycles. After we explore the possibility of deception in a DevOps context, Sam reveals his concerns for the malicious use of AI and stresses the importance of advancing in alignment with technological progress. Tune in to hear all this and much more! Follow UsOur WebsiteOur LinkedIn

At the rate at which AI is infiltrating operations around the globe, AI regulation and security is becoming an increasingly pressing topic. As external regulations are put in place, it’s important to ensure that your internal compliance measures are up to scratch and your systems are safe. Joining us today to discuss the security of ML systems and AI applications is Ian Swanson, the Co-Founder and CEO of Protect AI. In this episode, Ian breaks down the five pillars of ML SecOps: supply chain vulnerabilities, model provenance, GRC (governance, risk, and compliance), trusted AI, and adversarial machine learning. We learn the key differences between software development and machine learning development lifecycles, and thus the difference between DevSecOps and ML SecOps. Ian identifies the risks and threats posed to different AI classifications and explains how to level up your GRC practice and why it’s essential to do so! Given the unnatural rate of adoption of AI and the dynamic nature of machine learning, ML SecOps is essential, particularly with the new regulations and third-party auditing that is predicted to grow as an industry. Tune in as we investigate all things ML SecOps and protecting your AI! Follow UsOur WebsiteOur LinkedIn

In this episode of The Secure Developer, we delve into the subject of supply chain security across various ecosystems and languages, guided by industry experts Liran Tal and Roy Ram from Snyk. Liran is the Director of Developer Advocacy at Snyk and has a background working particularly in Node.js and JavaScript. Roy is a Senior Product Manager serving as part of the product team for Snyk Code, and has a background in cybersecurity and a solid understanding of C++. With a 20-year background in Java, host Simon Maple moderates the conversation. We discuss the challenges and differences between ecosystems, such as the use of third-party libraries and issues with typosquatting and malicious packages. We also talk about the volume of dependencies that each of our ecosystems pull in, whether you should stay on the latest version or pin to a version, and the importance of software bill of materials (SBOMs). For valuable advice on securing your supply chain in different languages and ecosystems, tune in today! Follow UsOur WebsiteOur LinkedIn