The Secure Developer

Latest episodes

Jun 7, 2022 • 44min

Open Source Security, Vulnerabilities, And Supporting Women In Technology With Emily Fox

The Cloud Native Computing Foundation (CNCF) hosts critical components of the global technology infrastructure and has played a huge part in elevating the industry standard for security. They bring together top developers, end-users, and vendors, and also run the world’s largest open source developer conferences. Today on the show we’re thrilled to welcome Emily Fox, a Security Engineer who also serves as the co-chair of the CNCF Technical Oversight Committee (TOC) and is involved in a variety of open source communities. In our conversation with Emily, we unpack the intricacies of open source security and vulnerabilities, as well as what she’s learned during her time with the CNCF. We discuss what participants can expect from the Global Security Vulnerability Summit, how you can get involved, and the project that Emily is most excited about. Finally, Emily shares her passion for ensuring that women join the technology sector and breaks down the crucial steps that will get us there. Tune in for a fascinating conversation on open source security, vulnerabilities, and more!
May 16, 2022 • 44min

Security Ownership And Culture With Peter Oehlert

Thanks for tuning in to a brand new episode of The Secure Developer! Joining us in conversation today is Peter Oehlert, Chief Security Officer at Highspot. We hear about Peter’s journey with Facebook, Smartsheet, and Microsoft, learn the difference between establishing a new security practice when there is an existing security culture and when there isn’t, and find out why taking ownership is more important than having all the necessary information. Peter is passionate about every aspect of product security, and tells the story of threat modeling at Highspot, where he attributes one of his biggest challenges at any company to working with and educating people. Hear about the hurdles attached to dealing with the cloud, what has surprised him in moving from security engineering to the reality of being a CSO, and why it has been so important to have open communication in order to build the bridges needed to navigate this change. Find out what he would do differently, what has changed within SaaS and product security over the past few years, and what direction he would take if he had access to unlimited resources. Tune in to hear all this and more today!
May 2, 2022 • 50min

Ask Guy Anything!

We’re switching it up in this episode and putting Guy Podjarny in the hot seat to answer all of your most pressing security questions! Working through the questions submitted, Guy comprehensively explains everything from how startups can build in security with limited resources to how security teams need to transform going forward. We discuss the balance of security and usability, the security implications of quantum computing, and the role developers are predicted to play in DevSec. We also speculate on how NoOps might affect DevOps and the potential of achieving zero trust for application security. For all of this and so much more, tune in for an in-depth AMA with Guy as he answers all of your unanswered DevSecOps-related questions!
Apr 4, 2022 • 46min

Executive Orders And Being The First CISO At A Company With Lena Smart

Today on The Secure Developer we speak with Lena Smart, Chief Information Security Officer (CISO) at MongoDB. Lena has extensive cybersecurity experience and has worked in the security space for over 20 years. We talk with Lena about how she first got started in security, why she gets so much satisfaction from being the first CISO at a company, and what she has loved most about working at MongoDB. In our conversation, we discuss core principles around supply chain security as well as supply chain risk and what these definitions mean for practical applications. We delve into the latest executive order from the current administration and discuss some of Lena’s insights on the topic. She explains why the government wants to move into automation and continuous monitoring, as well as what that process will entail. Tuning in, you’ll learn more about the Information Technology - Information Sharing and Analysis Center (IT-ISAC), why Lena is such a big proponent of theirs, and how they are helping private and public industries work together in a trusted environment. Lena also describes her Security Champions Program and some of the exciting developments that have occurred as a result of the program. To learn more about MongoDB, how to create a thriving security culture, and more, make sure you tune in today!
Feb 21, 2022 • 28min

Diversifying Security Hiring

If you are interested in improving diversity in security, this is the episode for you! Over the years we have had some very wise guests come on this show and share their views on diversity, why it matters, and how it can be improved. In this episode, we bring you a collection of insights, techniques, and approaches that may help you on this front. Tuning in, you’ll hear how Nitzan Blouin from Spotify built a team that is 75% female, information about Tad Whitaker’s Day of ‘Shecurity’ and the innovative way he trains women for jobs in security, as well as insight into the internship program at Snyk and how it improved diversity. We also hear some great tips from Vandana Verma from Snyk, Tanya Janca from We Hack Purple, and Rinki Sethi from Twitter. Tune in for all this and more!
Feb 7, 2022 • 35min

Alignment, Agility, And Security With Patrick O'Doherty

Security as a field is constantly evolving. As a result, it requires a high degree of awareness, including staying up to date with the latest developments in potential new threats. It was the challenge of working in security that drew Patrick O'Doherty to the field in the first place. Today on the show, we speak with Patrick about his time as a Senior Security Engineer at Intercom, his current role at Oso as an Engineer, and what he has discovered on his security journey. Patrick shares what he learned while being part of the security solutions team at Intercom and how they built common infrastructure and coding patterns. We also discuss the role of empathy in security, why it’s essential for your goals to be aligned with the people you’re trying to help, and why we should all work to be more aware of third-party threat exposures. Tune in today!
Jan 31, 2022 • 40min

Supply Chain Security With Jonathan Meadows

Supply chain security is a multifaceted, complex, and currently unsolved problem, and today’s guest is determined to change that. Jonathan Meadows has worked for major industry players throughout his career, and is currently the Head of Cloud Cybersecurity at Citigroup. As you’ll discover in more detail today, the issues that exist within supply chain security can only be solved by a group effort on behalf of all enterprises involved at all levels of the chain. Without open source collaboration, everyone is left vulnerable. In this episode, Jonathan shares the various open source communities that he is involved with, the numerous different elements of supply chain security that need to be addressed, and where and how to start, as well as how he feels about the future of this sector that he is so invested in. Tune in today!
Jan 24, 2022 • 42min

Empowerment In Security With Bryan D. Payne

Being passionate about security at a time when industry hadn’t caught on yet, Bryan D. Payne found himself working for the National Security Agency (NSA). During his time there, and in the years that followed where he focused his efforts on research, he learned a number of valuable lessons which he was able to take with him first to a small startup and then to the giant that is Netflix. In today’s conversation, Bryan and I discuss what his role as the Engineering Director of Product and Application Security at Netflix consisted of, the company culture, and how the teams within the company work together to achieve the most effective results. We also get into Bryan’s thoughts on detection methods, data integrity, and how to deal with the mistakes that are inevitable when working in the security sphere.
Jan 17, 2022 • 37min

A New And Improved Risk Assessment Model With Garrett Held

Today’s guest is the CISO at Carta, a software company that helps other companies manage their valuations, investments, and equity plans. Garrett Held has many years of experience in many different arenas within the security space, as well as a degree in business and economics; the combination of these passions led him to develop the program which forms the basis of today’s conversation. Frustrated with the traditional risk assessment model, Garrett came up with a new one, built around the idea of credit card balances and credit scores. In this episode, he explains how the model works, why it is beneficial, the process that went into creating it, and how you can do something similar in your own organization. Tune in today to hear from a true security pioneer!
Jan 11, 2022 • 35min

A Look Into The Future

Today we have a fun episode lined up for you! Over the course of 2021, we’ve been honored to have some incredibly smart people on the show to share their views and practices in the DevSecCon space with us all. And in each episode, they were asked a slightly open-ended question: if you took out your crystal ball and you thought about someone sitting in your position or your type of role in five years’ time, what would be most different about their reality? For this special installment, we’ve put together some highlights of these brilliant answers! Hear perspectives that cover everything from changes on the data, AI, and ML front to the idea of ownership when it comes to security. We also touch on the increased fragmentation in the DevOps scene that we’re going to need to work with, bigger picture concerns about how regulation might be different in five years, and some final optimistic predictions on ways we could all be in a much better place! We hear some golden nuggets from the likes of Robert Wood from CMS, cybersecurity influencer Ashish Rajan, Liz Rice from eBPF pioneers Isovalent, our very own Simon Maple who weighs in with his concrete expectations of what will happen, Dev Akhawe, Daniel Bryant, Rinki Sethi, and so many more! So to hear what these top industry professionals have to say about the future, join us today!