The Secure Developer

No one wants to fall prey to a security breach, but in the event that it does occur, it’s important to have systems in place to manage it. In episode 132 of The Secure Developer, we are joined by the CTO of CircleCI, Rob Zuber to discuss the security incident CircleCI announced on January 4th. Rob shares insight into what CircleCI does, how the incident affected customers, and how they communicated it to the public. We find out how the industry responded and adapted to the incident, as well as how it was dealt with internally at CircleCI. Rob opens up about what he learned in the process and shares advice for others facing a security breach. Tune in to find out how best to prevent and manage a security incident, should this happen to you. Follow UsOur WebsiteOur LinkedIn

In episode 131 of The Secure Developer, you’ll hear from former TikTok CISO Roland Cloutier about the realities of securing user-generated content at scale and his belief that we need to take a strictly data-centric approach rather than a humanistic one to solve many of these privacy-related issues. Tuning in, you’ll gain some insight into what it takes to oversee a social media company's cybersecurity, data protection, and crisis management, and find out why Roland believes that an innate understanding of company culture is key to building a large and fast-growing security team in an increasingly virtual world. We also touch on some of the challenges of user identity management, the need for user-driven authentication methods, increased state-level security regulations in the data space, and more, so don’t miss today’s fascinating conversation with cyber security expert and industry veteran, Roland Cloutier! Follow UsOur WebsiteOur LinkedIn

In episode 130 of The Secure Developer, we bring cast our focus on cloud security, and to help us examine this subject we welcome Rick Doten to the show! Rick shares his insight on what cloud security is, some of its history, current concerns in the field, and his hopes and ideas for its future. Our guest generously offers some of his vast experience talking about basic controls, how to organise security teams, necessary education and skills development, and the challenges of putting theoretical security into practice. We also get to explore some helpful definitions, how to approach building the best teams for different security goals, and how our understanding of the cloud differs across app and IT spaces. So if you want to hear all this and a whole lot more from GuyPo and Rick, listen in for another great episode of the show.  Follow UsOur WebsiteOur LinkedIn

In this episode, we conclude our miniseries dealing with software supply chain security by considering the next five years in the space, what we need, and what we can hope for. Emily Fox, Aeva Black, Brian Behlendorf, Adrian Ludwig, Lena Smart, and of course Guy Podjarny, join Simon by sharing some insights on the areas in most need of attention, and where we can realistically expect to make progress in the near future. Listeners will hear about trust and tooling, downstream complexities, and qualifying security engineers, with the conversation ending on an optimistic note with an eye to the horizon. For most of our panel, the message of consistent attention and security prioritisation within organisations, as well as from governance is paramount to the health of any of these systems. So to hear it all in this final installment of our special, be sure to press play now! Follow UsOur WebsiteOur LinkedIn

Continuing our mini-series on supply chain security, as we deep dive into the organisational aspects of this charge and hear from a number of our experts about solutions and initiatives to better prepare for supply chain risks and visibility issues.Simon and Guy are joined by Adrian Ludwig, Aeva Black, Jim Zemlin, Emily Fox, and Eric Brewer as we start thinking about securing the supply chain as an organisation.  Guypo breaking down the four fundamental steps for doing this, and how to tackle the subject of SBOMs or Software Bill of Materials. Our guests share fascinating perspectives on how these areas relate to a company's overall preparedness and particularly to the open source space. We also cover some general advice about raising security awareness at a company, so for all this and a whole lot more, make sure to join us. Next week is our miniseries finale, where we will tackle the future of software supply chain security, so make sure you tune in for that ! Follow UsOur WebsiteOur LinkedIn

When we stop to think about the software running in our production environments, a large proportion of it is very likely open source. Are there effective mechanisms to truly understand and have visibility into all of these libraries? How do you ensure that these libraries are secure? To answer these questions, we feature input from Guy Podjarny, Lena Smart, Brian Behlendorf, Aeva Black, Emily Fox, Jim Zemlin, David Wheeler and Simon Maple as we dissect some key terms and promising projects in the software supply chain security space. Tuning in, you’ll learn what the term SBOM means, why the problem of securing the open-source pipeline is such a complex one, and what organizations like the Open Source Software Foundation (SSF) and Open Source Initiative (OSI) are doing to address it. We also introduce some key players that can provide you with assistance as you work to improve your own open-source security or software supply chain security posture. For all this and more, you won’t want to miss part two of The Secure Developer’s software supply chain security series!  Follow UsOur WebsiteOur LinkedIn

In this episode we are defining the key pillars of software supply chain security. This episode is part 1 of a 4 part software supply chain series where our hosts Guy Podjarny and Simon Maple combine their analysis of this space of supply chain security with a series of interviews that we’ve had a chance to do with other supply chain security experts like Eric Brewer, Google Fellow,  Adrian Ludwig, Chief Trust Officer at Atlassian, Jim Zemlin, Executive Director at Linux Foundation, Nicole Perlroth, NY Times Bestselling Author, Lena Smart, CISO MongoDB, Eli Hooten, CTO CodeCov and many more.And we are going to try and create a clearer picture of what this topic involves, and what’s the state of the land. And try to help you understand what you should be doing about it.In this first episode, we’ll focus on defining the problem. We’ll break up the key pillars of Supply Chain Security, and talk about what you should care about most - and why. The second episode will get specific, covering the key terms you should know and players you should track, as well as talk about some of the most prominent or promising projects in this space, so you can deep dive.In the third episode, we’ll give examples from practitioners actually implementing supply chain security in their organizations so that you can learn and choose which of these practices you want to adopt, and we’ll talk a bit about maturity levels, how you get started vs how you continue. Then lastly, in the fourth episode we’ll cast our eyes forward, and talk about industry motions, what can and is being done to help the ecosystem deal with this problem, and what key changes you might expect to come down the road.  Follow UsOur WebsiteOur LinkedIn

As we look forward into a new year 2023, we wanted to recap some of the most important developments we saw, and conversations we had during 2022. This episode features a look back at the key events and moments from the past twelve months before we share some of the expectations and predictions we have for the year ahead. Simon and Guypo sit down to discuss market corrections, the war in Ukraine, and also the tumultuous time that the crypto space has endured, before getting into some thoughts on the biggest lessons that can be garnered from these events. The ever-present message of better preparation is obviously a strong theme, and some time is spent reflecting on a few of the great guests and their insights on the show. Guypo underlines his excitement about the possibilities he sees in the authorisation space, and we also consider the managing of  potential zero days in 2023. So to hear all this, and a whole lot more, press play now! Follow UsOur WebsiteOur LinkedIn

Today our focus shifts towards products for a change, and we welcome the CEO and Co-Founder of Project Discovery, Rishiraj Sharma, to talk about their story, as well as the genesis of the Nuclei project. With some wide-ranging experience in the worlds of engineering and product management, before he entered into the security space, Rishiraj has a unique story and brings a personal perspective and philosophy to his work, and we get to unpack that a bit before discussing his approach to putting tools in the hands of developers, increasing the reach of engineers, and ultimately the big goal of making Nuclei a completely community-driven ecosystem! We get into some of the more technical aspects of their work and value offer, as Rishiraj shares how their tools have been used by different parties so far, their inclusion of manual code contributions, and how they are overcoming hurdles in CI/CD. So to hear all about and learn much more about this exciting work being done by our guest and his team, tune in! Follow UsOur WebsiteOur LinkedIn

Malicious attacks are a real threat, especially with the essential role of open source in mind. Today’s guest, Liran Tal, is  the director of developer advocacy at Snyk and. Github Star, and he is here to share a plethora of tips you can implement today to see a marked improvement in general posture and company safety. Tune in to hear Liran’s perspective on the state of malicious attacks today in comparison to previous years, how third-party dependencies can be problematic, and how a single attack can impact thousands of users, developers and CI machines. He believes that open source is an essential tool today and that the solution lies in better security. Listeners will also learn how security sanitization is different for each ecosystem, and hear some advice for security-conscious companies cautious not to restrict innovation by tightening up their security plan. Join us to hear all this and more from today’s expert voice from Snyk.  Follow UsOur WebsiteOur LinkedIn