The Secure Developer

Latest episodes

May 25, 2021 • 35min

A Cloud-First Approach With Johnathan Keith

In today’s episode, Guy Podjarny speaks with Johnathan Keith, the Director of Information Security/CISO for ViacomCBS Digital. With over 20 years of experience in information security, cybersecurity, cloud security, and cloud architecture, Johnathan has worked as a subject matter expert across several industries, including banking and finance, government agencies, and media and entertainment. His areas of expertise are in container security, infrastructure as code, application security, and network security. He has a Master’s degree in Science and Information Systems with an emphasis on cybersecurity as well as several industry-leading certificates. He is currently managing an InfoSec team of security architects and security engineers, with initiatives to advance container security and zero trust throughout the entire ViacomCBS Digital organization. In today’s episode, Johnathan shares his cloud-first approach, how his organization came to embrace DevSecOps, and the importance of establishing trust. Tune in today!

May 17, 2021 • 39min

Security In Public Service With Robert Wood

How do you protect sensitive healthcare information for millions of people while at the same time keeping up with fast-paced development demands? On today’s episode of The Secure Developer, we speak with Robert Wood, who has been grappling with this question over the past year. Robert has an established career in the private cybersecurity sector, having worked for a range of startups of varying sizes, from teams as small as six to numbering well over a hundred people. He has since been driven to public service and for the past six months, he has been working at The Center for Medicare & Medicaid (CMS) as their chief information security officer. In our discussion, we look at the intersection between government and security to interrogate how to make modern security approaches thrive in an environment that poses unique challenges but essentially functions from a place of integrity and good intentions. Robert shares how he’s had to adjust to working at a government agency after his history working in startups, like becoming accustomed to the decentralized goals in government versus the singular focus of product development at a startup. He explains how risk aversion can cause stagnation, which in turn causes its own vulnerabilities and risks, and how he would like to see this issue addressed in the future. Tuning in, you’ll hear why Robert is a big proponent of the security champions model and how CMS has been able to utilize an information system security officer. Join us today for a fascinating peek behind the curtain of how CMS is run and how it has the potential to innovate!

May 10, 2021 • 36min

Product Security Insights With Rinki Sethi

Having worked at large and small companies, Rinki Sethi has a range of product security perspectives. She was the VP and CISO at Rubrik, has been at the forefront of developing cutting-edge online security infrastructure at companies like IBM, Palo Alto Networks, Intuit, and eBay, and she is currently the Vice President and Chief Information Security Officer at Twitter. In today’s episode, Rinki shares her journey into cybersecurity and what piqued her interest at a young age. We then gain insights into some of the work that she has done and what she has learned about security champions in the different organizations she has worked at. While there is not a universal approach to embedding security within a company, Rinki shares some of the core principles. We talk about Twitter, what it has been like there for her, and the direction she sees the company going. Rounding off the conversation, we touch on another one of Rinki’s passions: inclusivity and diversity in cybersecurity. She talks about the work that leaders have to do to move the needle to make spaces more representative. Be sure to tune in today to hear more!

May 4, 2021 • 46min

The State Of Cloud Native Application Security With Simon Maple

Cloud native technology is agile, flexible, distributed, and like anything new, it can be scary. But nothing worth doing is ever too easy, right? Today’s guest, Simon Maple, Field CTO at Snyk, has recently co-authored a report called The State of Cloud Native Application Security, and he joins us on the show to share some of the main findings that came out of the survey which formed the basis of the report. Almost 600 people took part in the survey, with a good mix of roles amongst the respondents. We discuss the reasons that people are choosing to move over to cloud native technologies, and the major concerns that they have with regard to adopting the new technology. The results from the survey reveal the significant impact that a company’s level of automation has on security, and we explore why this is the case. This conversation also covers the types of companies which are utilizing cloud native technology, the different opinions of developers and security people in terms of who should be dealing with security related issues, and Simon and Guy’s projections about what security is going to look like in the future.

Apr 26, 2021 • 36min

Being A Cybersecurity Influencer And Finding Security Champions With Ashish Rajan

In today’s episode of The Secure Developer, Guy Podjarny is joined by Ashish Rajan, who is currently the Global Head of Security for a forward-thinking product company called PageUp in Melbourne, Australia. Ashish has been described as something of a cybersecurity influencer, due in large part to his very successful Cloud Security Podcast, which is on the cusp of hitting the 40,000-download mark. He also has a passion for building communities by speaking and organizing meetups and conferences in the cybersecurity space. In today’s conversation, Guy and Ashish talk about the challenges of starting in a new security position when working remotely during the COVID pandemic and how to build trust and validity. Ashish expands on the concept of security champions and why this title can be given to anyone in a company with an interest in incorporating security into their day-to-day tasks, so tune in today for an in-depth discussion on cloud security and what the future holds!

Apr 19, 2021 • 47min

Open Source Security With Dr. David A. Wheeler

In today’s episode of The Secure Developer, Guy Podjarny is joined by Dr. David A. Wheeler, an expert in both open source and developing secure software. David is the Director of Open Source Supply Chain Security at the Linux Foundation and teaches a graduate course in developing secure software at George Mason University. He has a PhD in information technology, a master’s in computer science, and a certificate in information security, all from GMU, and he is also a Certified Information Systems Security Professional (CISSP) and Senior Member of the Institute of Electrical and Electronics Engineers (IEEE). Today’s discussion revolves around open source security (or OSS), in which David is an expert, not just from the perspective of consuming open source but also creating and even governing open source. Tuning in, you’ll learn about some of the primary security concerns in open source and the necessity to educate developers about secure software, and David shares some of the tools, tests, and initiatives that you can include in your security arsenal. Ultimately, David believes that knowledge is critical, and this episode will educate users and developers alike about common OSS vulnerabilities and how to counter them. Tune in today!

Mar 29, 2021 • 38min

The Current And Future Landscape Of Development With Daniel Bryant

With experience in many different facets of the tech world, Daniel Bryant makes for a very interesting guest. Daniel started out as an academic, with the hopes of becoming a lecturer, but it didn’t take long for him to realize that he preferred being involved in the practical side of things. He is currently working for Ambassador Labs, and in this episode, we pick his brain regarding all things development! Daniel shares his opinion on ethics in the field and no code/low code platforms. We discuss what he believes are the most important elements in ensuring optimal development and where the biggest obstacles lie. We also dive into Europe’s new General Data Protection Regulation and the influence it is having on the development world, the changes that Daniel is seeing in the level of interest being shown for certain topics at the conferences he attends, and what he thinks the future of development looks like! Don’t miss out on this informative episode.

Mar 22, 2021 • 43min

Containers And Developer Experience In The Cloud Native World With Justin Cormack

Today's guest, Justin Cormack, comes from the DevOps side of things. Justin is the CTO at Docker and is passionate about security, software development, and the open source community. He also sits on the CNCF Technical Oversight Committee, where he helps projects and communities grow. In this conversation, we hear more about what Justin's position as CTO involves and how Docker is getting back to its roots as a developer-focused company that concentrates on developers' needs. We also discuss what Justin has seen in terms of how companies use containers. Given that containers are still relatively new, their problems require unique solutions, and Justin unpacks some of the security-related concerns that Docker clients face. He acknowledges that they have not always prioritized security. However, with continued feedback from users, they can manage risks more effectively. Our conversation also touches on public and private images in Docker, updates and vulnerabilities, the value of not having to opt-in to security when using Docker, and building software from open source components. This was an insightful conversation, so be sure to tune in today!

Mar 15, 2021 • 44min

The Changing Landscape of Security With Dev Akhawe

Today’s guest is someone we have wanted to have on the show for a long time, and we are so happy to finally welcome him. Dev Akhawe is the Head of Security at Figma, the first state-of-the-art interface design tool that runs entirely in your browser. Before that, Dev worked at Dropbox, as Director of Security Engineering, leading application security, infrastructure security, and abuse prevention for the Dropbox products. He also holds a Ph.D. in Computer Science from UC Berkeley, where his thesis focused on web application security. In this episode, Dev pulls back the curtain and gives us a look at what security at Figma looks like. The relatively small organization has a culture where the security team earns their trust and works openly. This has resulted in far greater cohesion between the security team and developers. We also hear about Dev’s time at Dropbox, and how working on an application with many products exposed him to the gamut of security issues that companies can face. Along with this, we discuss some of the positive changes in how startups are thinking about security, the value of exposing people to different parts of an organization, the place of security champions, and having a curious mindset as a security professional. Dev's approach to security is empathetic, collaborative, and solution-driven, and if you would like to hear more, be sure to tune in today!

Mar 8, 2021 • 43min

Security In Small And Big Organizations - The Hyphen Between Security And Dev With Amanda Honea-Frias

Without connecting people, what are you building? How are you managing the things in your companies versus leading your people? Welcome back to The Secure Developer. Today’s guest is Amanda Honea-Frias, who has a great personal story about how she got into security. Starting off a unique career with roles ranging from construction, DevOps, network engineering, technical support, and pen testing, all the way to building and evolving application security businesses, she has been on the team at several enterprise companies, including Belkin, Amazon Web Services, JIRA security and, most recently, the Cisco Security & Trust organization. Amanda is passionate about being part of the change by bringing good management and leadership into her company. Tuning in today, you’ll hear about the differences between small organizations and big organizations, building empathy and putting it to work through influence and not manipulation. She offers her insight on the differences she’s noted as she moves positions, how teams are working and interacting together, and so much more. You don’t want to miss out on today’s episode!
