The Secure Developer

Continuing our mini-series on supply chain security, as we deep dive into the organisational aspects of this charge and hear from a number of our experts about solutions and initiatives to better prepare for supply chain risks and visibility issues.Simon and Guy are joined by Adrian Ludwig, Aeva Black, Jim Zemlin, Emily Fox, and Eric Brewer as we start thinking about securing the supply chain as an organisation.  Guypo breaking down the four fundamental steps for doing this, and how to tackle the subject of SBOMs or Software Bill of Materials. Our guests share fascinating perspectives on how these areas relate to a company's overall preparedness and particularly to the open source space. We also cover some general advice about raising security awareness at a company, so for all this and a whole lot more, make sure to join us. Next week is our miniseries finale, where we will tackle the future of software supply chain security, so make sure you tune in for that ! Follow UsOur WebsiteOur LinkedIn

When we stop to think about the software running in our production environments, a large proportion of it is very likely open source. Are there effective mechanisms to truly understand and have visibility into all of these libraries? How do you ensure that these libraries are secure? To answer these questions, we feature input from Guy Podjarny, Lena Smart, Brian Behlendorf, Aeva Black, Emily Fox, Jim Zemlin, David Wheeler and Simon Maple as we dissect some key terms and promising projects in the software supply chain security space. Tuning in, you’ll learn what the term SBOM means, why the problem of securing the open-source pipeline is such a complex one, and what organizations like the Open Source Software Foundation (SSF) and Open Source Initiative (OSI) are doing to address it. We also introduce some key players that can provide you with assistance as you work to improve your own open-source security or software supply chain security posture. For all this and more, you won’t want to miss part two of The Secure Developer’s software supply chain security series!  Follow UsOur WebsiteOur LinkedIn

In this episode we are defining the key pillars of software supply chain security. This episode is part 1 of a 4 part software supply chain series where our hosts Guy Podjarny and Simon Maple combine their analysis of this space of supply chain security with a series of interviews that we’ve had a chance to do with other supply chain security experts like Eric Brewer, Google Fellow,  Adrian Ludwig, Chief Trust Officer at Atlassian, Jim Zemlin, Executive Director at Linux Foundation, Nicole Perlroth, NY Times Bestselling Author, Lena Smart, CISO MongoDB, Eli Hooten, CTO CodeCov and many more.And we are going to try and create a clearer picture of what this topic involves, and what’s the state of the land. And try to help you understand what you should be doing about it.In this first episode, we’ll focus on defining the problem. We’ll break up the key pillars of Supply Chain Security, and talk about what you should care about most - and why. The second episode will get specific, covering the key terms you should know and players you should track, as well as talk about some of the most prominent or promising projects in this space, so you can deep dive.In the third episode, we’ll give examples from practitioners actually implementing supply chain security in their organizations so that you can learn and choose which of these practices you want to adopt, and we’ll talk a bit about maturity levels, how you get started vs how you continue. Then lastly, in the fourth episode we’ll cast our eyes forward, and talk about industry motions, what can and is being done to help the ecosystem deal with this problem, and what key changes you might expect to come down the road.  Follow UsOur WebsiteOur LinkedIn

As we look forward into a new year 2023, we wanted to recap some of the most important developments we saw, and conversations we had during 2022. This episode features a look back at the key events and moments from the past twelve months before we share some of the expectations and predictions we have for the year ahead. Simon and Guypo sit down to discuss market corrections, the war in Ukraine, and also the tumultuous time that the crypto space has endured, before getting into some thoughts on the biggest lessons that can be garnered from these events. The ever-present message of better preparation is obviously a strong theme, and some time is spent reflecting on a few of the great guests and their insights on the show. Guypo underlines his excitement about the possibilities he sees in the authorisation space, and we also consider the managing of  potential zero days in 2023. So to hear all this, and a whole lot more, press play now! Follow UsOur WebsiteOur LinkedIn

Today our focus shifts towards products for a change, and we welcome the CEO and Co-Founder of Project Discovery, Rishiraj Sharma, to talk about their story, as well as the genesis of the Nuclei project. With some wide-ranging experience in the worlds of engineering and product management, before he entered into the security space, Rishiraj has a unique story and brings a personal perspective and philosophy to his work, and we get to unpack that a bit before discussing his approach to putting tools in the hands of developers, increasing the reach of engineers, and ultimately the big goal of making Nuclei a completely community-driven ecosystem! We get into some of the more technical aspects of their work and value offer, as Rishiraj shares how their tools have been used by different parties so far, their inclusion of manual code contributions, and how they are overcoming hurdles in CI/CD. So to hear all about and learn much more about this exciting work being done by our guest and his team, tune in! Follow UsOur WebsiteOur LinkedIn

Malicious attacks are a real threat, especially with the essential role of open source in mind. Today’s guest, Liran Tal, is  the director of developer advocacy at Snyk and. Github Star, and he is here to share a plethora of tips you can implement today to see a marked improvement in general posture and company safety. Tune in to hear Liran’s perspective on the state of malicious attacks today in comparison to previous years, how third-party dependencies can be problematic, and how a single attack can impact thousands of users, developers and CI machines. He believes that open source is an essential tool today and that the solution lies in better security. Listeners will also learn how security sanitization is different for each ecosystem, and hear some advice for security-conscious companies cautious not to restrict innovation by tightening up their security plan. Join us to hear all this and more from today’s expert voice from Snyk.  Follow UsOur WebsiteOur LinkedIn

Cloud Security is a evolving and so are the attacks in this space. The landscape is becoming increasingly complex, so the question remains how do we tackle cloud security in organisations, who owns it and how do we best prepare?. In this episode, we provide listeners with an overview of Snyk’s report on cloud security and unpack some unsettling statics. To walk us through the report, we're joined by Drew Wright, the primary author of the report, and Simon Maple, Snyk’s Field CTO. In our conversation, we delve into the main findings, how data was collected, and essential lessons from the report. We discuss the differences between the IT cloud and the app cloud, adopting an infrastructure-as-code approach, what businesses are most at risk, and why cloud security is vital for all businesses. We also talk about the recent cultural shift regarding the responsibility of security and the nuanced perspectives on why cloud security is vital. Hear about a fantastic open-source resource, how to prevent security breaches, common mistakes businesses make, and more. Tune in to ensure you are up to date on the latest developments in the space as we navigate The State of Cloud Security report with experts Drew Wright and Simon Maple. Follow UsOur WebsiteOur LinkedIn

In this Ask Me Anything episode we Guypo, we put Guy Podjarny in the guest chair, and had him field a bunch of really interesting guest-submitted questions.In this Ask Me Anything session, you can expect to hear a few bits about Guypo's taste in books, how he likes to unwind, before we dive into some industry-specific content, and some rather interesting insights on the history of Snyk. We take a journey down memory lane for what started this podcast, and what has enabled it to keep growing and stay relevant.Guypo talks about the subjects that have persisted through the last five years and the topics that will continue to grow in relevance in the future. He also shares some reflections on the hurdles of running a startup, and the pivotal moments that really made the difference. So to hear all this and more, from the one and only GuyPo, make sure to press play now! Follow UsOur WebsiteOur LinkedIn

A successful bug bounty program can play a pivotal role in the security strategy for a company but defining and running such a program requires structure and maturity within an organisation. Sean Poris, Senior Director of Cyber Resilience at Yahoo knows all about the anchor elements that you need in a bug bounty program and how to drive maturity of such a program. In this fascinating conversation, Sean goes deep into how bug bounties fit into their security philosophy, and how this program has been developed and adapted over time. From there, we turn to the actual structure of the security team, with our guest shedding some light on what is required from the different roles on the teams. He explains what the Deputy Paranoids stay busy with, and how they approach hiring and educating for this position. Follow UsOur WebsiteOur LinkedIn

The software supply chain is anything and everything that touches an application or plays a role in its development, from the beginning to the end of the software development life cycle (SDLC). As you might imagine, this makes software supply chain security a somewhat complicated task! Today, we are joined by returning guest, Adrian Ludwig, formerly of Nest and Android and now Chief Trust Officer at Atlassian, to discuss what ‘software supply chain security’ actually means, why it matters, and how you can help secure the supply chain of your product. As a self-described hacker in his early years, he was recruited by the Department of Defense at just 16-years-old, and worked with them for several years to find security flaws in cryptographic and computer network systems. He has a fascinating lens through which he views today’s topic and, as you’ll discover in this episode, he has a real talent for clearly and efficiently explaining very complex problems. To learn more about Adrian’s interesting take on SBOMs and find out which processes, tools, and practices to invest in, make sure to tune in today! Follow UsOur WebsiteOur LinkedIn