The Secure Developer

Today’s guest is the CISO at Carta, a software company that helps other companies manage their valuations, investments, and equity plans. Garrett Held has many years of experience in many different arenas within the security space, as well as a degree in business and economics; the combination of these passions led him to develop the program which forms the basis of today’s conversation. Frustrated with the traditional risk assessment model, Garrett came up with a new one, built around the idea of credit card balances and credit scores. In this episode, he explains how the model works, why it is beneficial, the process that went into creating it, and how you can do something similar in your own organization. Tune in today to hear from a true security pioneer! Follow UsOur WebsiteOur LinkedIn

Today we have a fun episode lined up for you! Over the last year of 2021, we’ve been honored to have some incredibly smart people on the show to share their views and practices in the DevSecCon space with us all. And in each episode, they were asked a slightly open-ended question: if you took out your crystal ball and you thought about someone sitting in your position or your type of role in five years’ time, what would be most different about their reality? For this special installment, we’ve put together some highlights of these brilliant answers! Hear perspectives that cover everything from changes on the data, AI, and ML front to the idea of ownership when it comes to security. We also touch on the increased fragmentation in the DevOps scene that we’re going to need to work with, bigger picture concerns about how regulation might be different in five years, and some final optimistic predictions on ways we could all be in a much better place! We hear some golden nuggets from the likes of Robert wood from CMS, cybersecurity influencer Ashish Rajan, Liz Rice from eBPF pioneers Isovalent, our very own Simon Maple who weighs in with his concrete expectations of what will happen, Dev Akhawe, Daniel Bryant, Rinki Sethi, and so many more! So to hear what these top industry professionals have to say about the future, join us today! Follow UsOur WebsiteOur LinkedIn

As the year of 2021 draws to a close, we use this episode to look back on the last 12 months, and Guy is joined by Simon Maple to go through some reflections on the major themes, lessons, and takeaways from the show! Simon takes on the role of host, turning the microphone around and probing Guy for his highlights from the 22 episodes we aired during the year. We are so happy to have been able to have these conversations, hosting interesting chats with experts from many different backgrounds and positions, and as we see in this year-end review, there are so many exciting and inspiring changes happening in the DevSec world! Guy talks about hiring people with development experience for security work, the need for empathy, how to adapt education about security for developers, and more. We also have time to look forward to the new year, imagining some of the challenges and key areas we will encounter together. A big thank you to all our listeners for tuning in this year, and here's to another year of insightful conversations and progress in the space! Follow UsOur WebsiteOur LinkedIn

Today on The Secure Developer, we look at how to modernize security in DevSecOps. To guide us through this, we are joined by Tim Crothers, Senior Vice President and Chief Security Officer at Mandiant. Tim is a seasoned security leader with over 20 years of experience building and running information security programs, large and complex incident response engagements, and threat and vulnerability assessments. He has a wealth of experience in cyber threat intelligence, reverse engineering, and computer forensics. He has authored 17 books to date and presents regular training and speaking engagements at information security conferences. As someone who has been in the world of IT since the 80s, Tim explains how he has seen DevSecOps evolve over time, how security has changed its approach over the years, and what DevSecOps means to him. We discuss the differences between controls and guardrails, how often developers are allowed to override guardrails, and to what degree these are left to the decisions of development teams. To find out what Tim considers to be the optimal setup for the split of responsibility between development teams and security teams, what he looks for when hiring new people into his product security team, and what his top three KPIs are, tune in today! Follow UsOur WebsiteOur LinkedIn

Welcome back to another installment of The Secure Developer, where we have another fascinating conversation lined up! Today your host Guy Podjamy sits down with Rohit Parchuri, Chief Information Security Officer at Yext, to pick his powerhouse brain about DevSecOps frameworks. Rohit is an accomplished security leader with an established record building, structuring, and institutionalizing security principles and disciplines in the cloud hosting, network hardware, cloud software, and healthcare domains. In this episode, the listener hears a comprehensive understanding of the differences between a health platform and a tech platform, the crucial component of building a culture or security mindset across a company, and the challenges of weaving security into fast-paced and leading-edge organizations. We then touch on the 3 frameworks which Rohit delineates before he starts building a program, before diving deep into the different approaches needed for more heavily regulated industries versus the less regulated spaces. Plus, you'll get a sneak peek into Rohit's favorite interview question, and his hard-won take on the need for dual skills in security as well as the programming landscape. Finally, we look to the future and hear some exciting and pretty accurate projections into what cybersecurity will look like in 5 years time. Press play to hear all this and more! Follow UsOur WebsiteOur LinkedIn

Welcome to another episode of the Secure Developer! During today’s conversation, Guy Podjarny, founder of Snyk, speaks with Liz Rice, Chief Open-Source Officer with eBPF pioneers Isovalent, where she works on the Cilium project, which provides cloud native networking, observability and security. They touch on plenty of current and relevant topics, with a focus on eBPF and the CNCF and its role in security. You’ll hear all about her role and her journey into the world of cyber security, and what it was like to transition into the sometimes intimidating world of security. We touch on why containers are essentially just processes, and Liz gives us an introduction to eBPF, how it benefits security, and the renaissance it is currently experiencing. Liz tells us all about her work at CNCF and the Technical Oversight Committee, and how it is building much of the foundation for cloud native computing. Join us today to hear all this and more! Follow UsOur WebsiteOur LinkedIn

In early 2021, Codecov experienced a serious security breach, and today on the show we are joined by their CEO and CTO to get an insider's perspective on the events! We have an enlightening conversation with Jerrod Engelberg and Eli Hooten about what exactly happened, how they reacted, and the important foundations that were already in place that allowed them to handle it in the way that they did. This extra special episode is jam-packed with useful reflections and lessons for listeners from all backgrounds, and just hearing how it all played out is worth the admission alone. Our guests talk about the central importance of the human element to security work, how conversations with the internal and external network connected to the company were key to their process, and why transparency trumps all other concerns for Codecov. We also get into some of the ethics and important conversations that need to happen before any danger is even detected! So to hear all this, and a whole lot more, on a vital, first-hand experience, join us today! Follow UsOur WebsiteOur LinkedIn

Today we have a great conversation with DJ Schleen, who is the Vice President of Infrastructure and Developer Operations at VillageMD! DJ is an experienced DevOps practitioner, currently working as a security advocate, in his role at VillageMD in the healthcare industry. We get to have a very interesting conversation about the broad state of security and hear about his route into the professional world. DJ transitioned from the early days of hacking into web design, and then brought these skills to his career in security! We talk about some of his best practices for keeping a team on track, how he goes about improving and increasing security, and the end goal of working towards a proactive approach instead of a reactive one. DJ has an impressive track record providing thought leadership to organizations looking to integrate security into their DevOps practices, and his background as a practitioner has provided him with a strong foundation for this. DJ specializes in building progressive apps for security programs, automating security in DevOps environments, and breaking down organizational silos that inhibit the delivery of safer software. So to hear all about his work and thoughts on the field in general, listen in with us today! Follow UsOur WebsiteOur LinkedIn

When we started this show, we set out to create a stage for security leaders and practitioners to share their learnings and perspectives. It was our hope that we could all learn from one another and have open conversations that are not commonly had in the security community. So, to celebrate our 100th episode, we have compiled some incredible pearls of wisdom from previous guests. At the end of each show, Guy always asks guests to share one piece of advice for those looking to level up their security teams. From focusing on current threats to having a diverse team to putting effort into your personal development, there is a wide range of themes that guests have touched on. We are so incredibly grateful to everyone who has given us their time, and helped us see the positive side of security! Follow UsOur WebsiteOur LinkedIn

An initial passion for networking and telecommunications led today’s guest on a journey into the world of security. After gaining experience building security from the ground up in a few companies, he is now working as the chief information security officer (CISO) at LinkedIn. Geoff Belknap, in his second appearance on The Secure Developer, dives into the elements which he believes are key to a successful security organization, and a successful company as a whole (hint: flexibility and adaptability are non-negotiable!). We discuss the process of identifying security problems, who owns the risks, and why security is such a difficult thing to measure. Geoff also shares his perspective on changes that he expects to see happening in the CISO realm in the future, and offers some advice for any CISO’s trying to decide which company to work for. Follow UsOur WebsiteOur LinkedIn