
The Secure Developer

Latest episodes

Feb 21, 2022 • 28min

Diversifying Security Hiring

If you are interested in improving diversity in security, this is the episode for you! Over the years we have had some very wise guests come on this show and share their views on diversity, why it matters, and how it can be improved. In this episode, we bring you a collection of insights, techniques, and approaches that may help you on this front. Tuning in, you’ll hear how Nitzan Blouin from Spotify built a team that is 75% female, information about Tad Whitaker’s Day of ‘Shecurity’ and the innovative way he trains women for jobs in security, as well as insight into the internship program at Snyk and how it improved diversity. We also hear some great tips from Vandana Verma from Snyk, Tanya Janca from We Hack Purple, and Rinki Sethi from Twitter. Tune in for all this and more!

Feb 7, 2022 • 35min

Alignment, Agility, And Security With Patrick O'Doherty

Security as a field is constantly evolving. As a result, it requires a high degree of awareness, including staying up to date with the latest developments in potential new threats. It was the challenge of working in security that drew Patrick O'Doherty to the field in the first place. Today on the show, we speak with Patrick about his time as a Senior Security Engineer at Intercom, his current role at Oso as an Engineer, and what he has discovered on his security journey. Patrick shares what he learned while being part of the security solutions team at Intercom and how they built common infrastructure and coding patterns. We also discuss the role of empathy in security, why it’s essential for your goals to be aligned with the people you’re trying to help, and why we should all work to be more aware of third-party threat exposures. Tune in today!

Jan 31, 2022 • 40min

Supply Chain Security With Jonathan Meadows

Supply chain security is a multifaceted, complex, and currently unsolved problem, and today’s guest is determined to change that. Jonathan Meadows has worked for major industry players throughout his career, and is currently the Head of Cloud Cybersecurity at Citigroup. As you’ll discover in more detail today, the issues that exist within supply chain security can only be solved by a group effort on behalf of all enterprises involved at all levels of the chain. Without open source collaboration, everyone is left vulnerable. In this episode, Jonathan shares the various open source communities that he is involved with, the numerous different elements of supply chain security that need to be addressed, and where and how to start, as well as how he feels about the future of this sector that he is so invested in. Tune in today!

Jan 24, 2022 • 42min

Empowerment In Security With Bryan D. Payne

Being passionate about security at a time when the industry hadn’t caught on yet, Bryan D. Payne found himself working for the National Security Agency (NSA). During his time there, and in the years that followed where he focused his efforts on research, he learned a number of valuable lessons which he was able to take with him first to a small start-up and then to the giant that is Netflix. In today’s conversation, Bryan and I discuss what his role as the Engineering Director of Product and Application Security at Netflix consisted of, the company culture, and how the teams within the company work together to achieve the most effective results. We also get into Bryan’s thoughts on detection methods, data integrity, and how to deal with mistakes that are inevitable when working in the security sphere.

Jan 17, 2022 • 37min

A New And Improved Risk Assessment Model With Garrett Held

Today’s guest is the CISO at Carta, a software company that helps other companies manage their valuations, investments, and equity plans. Garrett Held has many years of experience in many different arenas within the security space, as well as a degree in business and economics; the combination of these passions led him to develop the program which forms the basis of today’s conversation. Frustrated with the traditional risk assessment model, Garrett came up with a new one, built around the idea of credit card balances and credit scores. In this episode, he explains how the model works, why it is beneficial, the process that went into creating it, and how you can do something similar in your own organization. Tune in today to hear from a true security pioneer!

Jan 11, 2022 • 35min

A Look Into The Future

Today we have a fun episode lined up for you! Over the course of 2021, we’ve been honored to have some incredibly smart people on the show to share their views and practices in the DevSecCon space with us all. And in each episode, they were asked a slightly open-ended question: if you took out your crystal ball and thought about someone sitting in your position or your type of role in five years’ time, what would be most different about their reality? For this special installment, we’ve put together some highlights of these brilliant answers! Hear perspectives that cover everything from changes on the data, AI, and ML front to the idea of ownership when it comes to security. We also touch on the increased fragmentation in the DevOps scene that we’re going to need to work with, bigger-picture concerns about how regulation might be different in five years, and some final optimistic predictions on ways we could all be in a much better place! We hear some golden nuggets from the likes of Robert Wood from CMS, cybersecurity influencer Ashish Rajan, Liz Rice from eBPF pioneers Isovalent, our very own Simon Maple who weighs in with his concrete expectations of what will happen, Dev Akhawe, Daniel Bryant, Rinki Sethi, and so many more! So to hear what these top industry professionals have to say about the future, join us today!

Dec 23, 2021 • 53min

A Year In Review With Simon Maple

As the year of 2021 draws to a close, we use this episode to look back on the last 12 months, and Guy is joined by Simon Maple to go through some reflections on the major themes, lessons, and takeaways from the show! Simon takes on the role of host, turning the microphone around and probing Guy for his highlights from the 22 episodes we aired during the year. We are so happy to have been able to have these conversations, hosting interesting chats with experts from many different backgrounds and positions, and as we see in this year-end review, there are so many exciting and inspiring changes happening in the DevSec world! Guy talks about hiring people with development experience for security work, the need for empathy, how to adapt education about security for developers, and more. We also have time to look forward to the new year, imagining some of the challenges and key areas we will encounter together. A big thank you to all our listeners for tuning in this year, and here's to another year of insightful conversations and progress in the space!

Dec 13, 2021 • 47min

Modernizing Security With Tim Crothers

Today on The Secure Developer, we look at how to modernize security in DevSecOps. To guide us through this, we are joined by Tim Crothers, Senior Vice President and Chief Security Officer at Mandiant. Tim is a seasoned security leader with over 20 years of experience building and running information security programs, large and complex incident response engagements, and threat and vulnerability assessments. He has a wealth of experience in cyber threat intelligence, reverse engineering, and computer forensics. He has authored 17 books to date and presents regular training and speaking engagements at information security conferences. As someone who has been in the world of IT since the 80s, Tim explains how he has seen DevSecOps evolve over time, how security has changed its approach over the years, and what DevSecOps means to him. We discuss the differences between controls and guardrails, how often developers are allowed to override guardrails, and to what degree these are left to the decisions of development teams. To find out what Tim considers to be the optimal setup for the split of responsibility between development teams and security teams, what he looks for when hiring new people into his product security team, and what his top three KPIs are, tune in today!

Dec 1, 2021 • 45min

Implementing DevSecOps In Regulated Versus Unregulated Industries With Rohit Parchuri

Welcome back to another installment of The Secure Developer, where we have another fascinating conversation lined up! Today your host Guy Podjarny sits down with Rohit Parchuri, Chief Information Security Officer at Yext, to pick his powerhouse brain about DevSecOps frameworks. Rohit is an accomplished security leader with an established record of building, structuring, and institutionalizing security principles and disciplines in the cloud hosting, network hardware, cloud software, and healthcare domains. In this episode, you’ll gain a comprehensive understanding of the differences between a health platform and a tech platform, the crucial component of building a culture or security mindset across a company, and the challenges of weaving security into fast-paced and leading-edge organizations. We then touch on the three frameworks which Rohit delineates before he starts building a program, before diving deep into the different approaches needed for more heavily regulated industries versus the less regulated spaces. Plus, you'll get a sneak peek into Rohit's favorite interview question, and his hard-won take on the need for dual skills in security as well as the programming landscape. Finally, we look to the future and hear some exciting and pretty accurate projections of what cybersecurity will look like in five years' time. Press play to hear all this and more!

Oct 19, 2021 • 45min

Containers, Processes, And The Future Of Security With Liz Rice

Welcome to another episode of The Secure Developer! During today’s conversation, Guy Podjarny, founder of Snyk, speaks with Liz Rice, Chief Open-Source Officer at eBPF pioneers Isovalent, where she works on the Cilium project, which provides cloud native networking, observability, and security. They touch on plenty of current and relevant topics, with a focus on eBPF and the CNCF and its role in security. You’ll hear all about her role and her journey into the world of cybersecurity, and what it was like to transition into the sometimes intimidating world of security. We touch on why containers are essentially just processes, and Liz gives us an introduction to eBPF, how it benefits security, and the renaissance it is currently experiencing. Liz tells us all about her work at the CNCF and its Technical Oversight Committee, and how it is building much of the foundation for cloud native computing. Join us today to hear all this and more!
