The Secure Developer

Latest episodes

Feb 6, 2023 • 31min

What Is Software Supply Chain Security And Why It's Important

In this episode we define the key pillars of software supply chain security. This episode is part 1 of a 4 part software supply chain series in which our hosts Guy Podjarny and Simon Maple combine their analysis of the supply chain security space with a series of interviews we’ve had a chance to do with other supply chain security experts, including Eric Brewer, Google Fellow; Adrian Ludwig, Chief Trust Officer at Atlassian; Jim Zemlin, Executive Director at Linux Foundation; Nicole Perlroth, NY Times Bestselling Author; Lena Smart, CISO MongoDB; Eli Hooten, CTO CodeCov; and many more. We are going to try to create a clearer picture of what this topic involves and what the state of the land is, and to help you understand what you should be doing about it. In this first episode, we’ll focus on defining the problem. We’ll break up the key pillars of supply chain security and talk about what you should care about most, and why. The second episode will get specific, covering the key terms you should know and the players you should track, as well as some of the most prominent or promising projects in this space, so you can deep dive. In the third episode, we’ll give examples from practitioners actually implementing supply chain security in their organizations so that you can learn and choose which of these practices you want to adopt, and we’ll talk a bit about maturity levels: how you get started vs how you continue. Then lastly, in the fourth episode we’ll cast our eyes forward and talk about industry motions, what can be and is being done to help the ecosystem deal with this problem, and what key changes you might expect to come down the road.
Jan 24, 2023 • 1h 6min

2022 Recap And 2023 Predictions

As we look forward into the new year 2023, we wanted to recap some of the most important developments we saw, and conversations we had, during 2022. This episode features a look back at the key events and moments from the past twelve months before we share some of the expectations and predictions we have for the year ahead. Simon and Guypo sit down to discuss market corrections, the war in Ukraine, and also the tumultuous time that the crypto space has endured, before getting into some thoughts on the biggest lessons that can be garnered from these events. The ever-present message of better preparation is obviously a strong theme, and some time is spent reflecting on a few of the great guests and their insights on the show. Guypo underlines his excitement about the possibilities he sees in the authorisation space, and we also consider the management of potential zero days in 2023. So to hear all this, and a whole lot more, press play now!
Jan 11, 2023 • 36min

Building Open Source Communities With Rishiraj Sharma

Today our focus shifts towards products for a change, and we welcome the CEO and Co-Founder of Project Discovery, Rishiraj Sharma, to talk about their story, as well as the genesis of the Nuclei project. With some wide-ranging experience in the worlds of engineering and product management before he entered the security space, Rishiraj has a unique story and brings a personal perspective and philosophy to his work, and we get to unpack that a bit before discussing his approach to putting tools in the hands of developers, increasing the reach of engineers, and ultimately the big goal of making Nuclei a completely community-driven ecosystem! We get into some of the more technical aspects of their work and value offer, as Rishiraj shares how their tools have been used by different parties so far, their inclusion of manual code contributions, and how they are overcoming hurdles in CI/CD. So to hear all about this and learn much more about the exciting work being done by our guest and his team, tune in!
Dec 13, 2022 • 41min

Malicious Packages And Malicious Intent With Liran Tal

Malicious attacks are a real threat, especially with the essential role of open source in mind. Today’s guest, Liran Tal, is the director of developer advocacy at Snyk and a GitHub Star, and he is here to share a plethora of tips you can implement today to see a marked improvement in general posture and company safety. Tune in to hear Liran’s perspective on the state of malicious attacks today in comparison to previous years, how third-party dependencies can be problematic, and how a single attack can impact thousands of users, developers and CI machines. He believes that open source is an essential tool today and that the solution lies in better security. Listeners will also learn how security sanitization is different for each ecosystem, and hear some advice for security-conscious companies cautious not to restrict innovation by tightening up their security plan. Join us to hear all this and more from today’s expert voice from Snyk.
Nov 28, 2022 • 45min

State Of Cloud Security With Drew Wright

Cloud security is evolving and so are the attacks in this space. The landscape is becoming increasingly complex, so the question remains: how do we tackle cloud security in organisations, who owns it, and how do we best prepare? In this episode, we provide listeners with an overview of Snyk’s report on cloud security and unpack some unsettling statistics. To walk us through the report, we're joined by Drew Wright, the primary author of the report, and Simon Maple, Snyk’s Field CTO. In our conversation, we delve into the main findings, how the data was collected, and essential lessons from the report. We discuss the differences between the IT cloud and the app cloud, adopting an infrastructure-as-code approach, which businesses are most at risk, and why cloud security is vital for all businesses. We also talk about the recent cultural shift regarding the responsibility for security and the nuanced perspectives on why cloud security is vital. Hear about a fantastic open-source resource, how to prevent security breaches, common mistakes businesses make, and more. Tune in to ensure you are up to date on the latest developments in the space as we navigate The State of Cloud Security report with experts Drew Wright and Simon Maple.
Nov 21, 2022 • 48min

Ask Guypo Anything

In this Ask Me Anything episode with Guypo, we put Guy Podjarny in the guest chair and had him field a bunch of really interesting guest-submitted questions. In this Ask Me Anything session, you can expect to hear a few bits about Guypo's taste in books and how he likes to unwind, before we dive into some industry-specific content and some rather interesting insights on the history of Snyk. We take a journey down memory lane for what started this podcast, and what has enabled it to keep growing and stay relevant. Guypo talks about the subjects that have persisted through the last five years and the topics that will continue to grow in relevance in the future. He also shares some reflections on the hurdles of running a startup, and the pivotal moments that really made the difference. So to hear all this and more, from the one and only Guypo, make sure to press play now!
Nov 7, 2022 • 39min

How To Build A Successful Bug Bounty Program With Sean Poris

A successful bug bounty program can play a pivotal role in the security strategy of a company, but defining and running such a program requires structure and maturity within an organisation. Sean Poris, Senior Director of Cyber Resilience at Yahoo, knows all about the anchor elements that you need in a bug bounty program and how to drive the maturity of such a program. In this fascinating conversation, Sean goes deep into how bug bounties fit into their security philosophy, and how this program has been developed and adapted over time. From there, we turn to the actual structure of the security team, with our guest shedding some light on what is required from the different roles on the teams. He explains what the Deputy Paranoids stay busy with, and how they approach hiring and educating for this position.
Oct 24, 2022 • 32min

Securing The Modern Software Supply Chain With Adrian Ludwig

The software supply chain is anything and everything that touches an application or plays a role in its development, from the beginning to the end of the software development life cycle (SDLC). As you might imagine, this makes software supply chain security a somewhat complicated task! Today, we are joined by returning guest Adrian Ludwig, formerly of Nest and Android and now Chief Trust Officer at Atlassian, to discuss what ‘software supply chain security’ actually means, why it matters, and how you can help secure the supply chain of your product. As a self-described hacker in his early years, he was recruited by the Department of Defense at just 16 years old, and worked with them for several years to find security flaws in cryptographic and computer network systems. He has a fascinating lens through which he views today’s topic and, as you’ll discover in this episode, he has a real talent for clearly and efficiently explaining very complex problems. To learn more about Adrian’s interesting take on SBOMs and find out which processes, tools, and practices to invest in, make sure to tune in today!
Sep 23, 2022 • 56min

This Is How They Tell Me The World Ends - A Look At Supply Chain Security With Nicole Perlroth

Nicole is a cyber security journalist and has covered many high-profile cases, such as the Russian hacking of nuclear power plants, North Korea’s attacks on movie studios, and Chinese government-sanctioned cyber-attacks around the globe. She is also the author of This Is How They Tell Me the World Ends, which provides readers with details about the most secretive, government-backed market in the world: cyberweapons. In this conversation, we learn why cyber security is such an essential topic for non-technical people, the cyber security threats that exist within global supply-chain markets, and the definition of cyber hygiene. Hear some examples of high-profile cyber attacks, steps companies should take regarding cyber security, why cyber security stories rarely make headlines, and the human-behaviour element behind the problem. We also learn ways in which society and governments can act to overcome the challenges of cyber security, and what advancements are needed within the space. Tune in to learn everything you need to know about the undercover cyber threat and what you can do about it, with expert Nicole Perlroth!
Sep 8, 2022 • 34min

Shifting Security Left With Rupa Parameswaran

In this episode, we are digging into Shift Left, what it really means, and how to accomplish it successfully. Sharing her insight is Rupa Parameswaran, head of security at Amplitude, and a security and privacy expert with 20 years of knowledge behind her. She works closely with business leaders to create relevant secure-by-design and secure-by-default controls that help businesses run efficiently while also being secure. She shared with us how she has really successfully transformed the security mindset in the engineering teams at Amplitude. Learn why Rupa wants developers and business owners to grow their understanding of security, and which metrics she uses to assess security success. Tune in to learn all about the evolving list of capabilities essential to security teams, and hear Rupa’s thoughts about the future of security and standardization.