The Secure Developer

Snyk
Mar 15, 2021 • 44min

The Changing Landscape of Security With Dev Akhawe

Today’s guest is someone we have wanted to have on the show for a long time, and we are so happy to finally welcome him. Dev Akhawe is the Head of Security at Figma, the first state-of-the-art interface design tool that runs entirely in your browser. Before that, Dev worked at Dropbox as Director of Security Engineering, leading application security, infrastructure security, and abuse prevention for the Dropbox products. He also holds a Ph.D. in Computer Science from UC Berkeley, where his thesis focused on web application security. In this episode, Dev pulls back the curtain and gives us a look at what security at Figma looks like. The relatively small organization has a culture where the security team earns its trust and works openly, which has resulted in far greater cohesion between the security team and developers. We also hear about Dev’s time at Dropbox, and how working on an application with many products exposed him to the gamut of security issues that companies can face. Along with this, we discuss some of the positive changes in how startups are thinking about security, the value of exposing people to different parts of an organization, the place of security champions, and having a curious mindset as a security professional. Dev’s approach to security is empathetic, collaborative, and solution-driven, and if you would like to hear more, be sure to tune in today!
Mar 8, 2021 • 43min

Security In Small And Big Organizations - The Hyphen Between Security And Dev With Amanda Honea-Frias

Without connecting people, what are you building? How are you managing the things in your companies versus leading your people? Welcome back to The Secure Developer. Today’s guest is Amanda Honea-Frias, who has a great personal story about how she got into security. Her unique career has spanned roles in construction, DevOps, network engineering, technical support, and pen testing, all the way to building and evolving application security businesses, and she has been on the team at several enterprise companies, including Belkin, Amazon Web Services, JIRA security and, most recently, the Cisco Security & Trust organization. Amanda is passionate about being part of the change by bringing good management and leadership into her company. Tuning in today, you’ll hear about the differences between small organizations and big organizations, and about building empathy and putting it to work through influence rather than manipulation. She offers her insight on the differences she has noted as she has moved positions, how teams are working and interacting together, and so much more. You don’t want to miss out on today’s episode!
Mar 1, 2021 • 43min

Implementing DevSecOps Transformation With Nicolas Chaillan

Welcome back to The Secure Developer. On today’s episode, Guy Podjarny is joined by Nicolas Chaillan. Nicolas is the United States Air Force’s first Chief Software Officer, responsible for enabling Air Force programs in the transition from Agile to DevSecOps and for establishing Force-wide DevSecOps capabilities and best practices, including continuous authority to operate processes and streamlined technology adoption. In addition to his public service, Nicolas is a technology entrepreneur, software developer, cyber expert, and inventor who has founded 12 companies and been recognized as one of France’s youngest entrepreneurs. He has also created and sold over 180 innovative software products to 45 Fortune 500 companies. In this episode, Nicolas talks about security and DevSecOps at a very large scale in a highly security-conscious environment. You’ll hear about his career trajectory, what it means to be a Chief Software Officer, and his approaches to mitigating risk, “failing fast”, and redefining our understanding of security versus compliance. He also shares some interesting perspectives on the role of open source in government security, transparency with commercial parties, and the importance of continuous learning, as well as his advice and predictions for someone in his shoes. Tune in today!
Feb 2, 2021 • 38min

DevOps Versus Security With James Turnbull

Welcome back to The Secure Developer. On today’s episode, Guy Podjarny, President and Founder of Snyk, is joined by James Turnbull. James is an engineering leader, author of 11 books, and open source developer, and is currently the VP of Engineering at Timber, working on the open source observability platform Vector. He was formerly the CTO-in-residence at Microsoft, CTO and Founder of Empatico, and CTO at Kickstarter. He has held leadership roles at Docker, Venmo, and Puppet, and was the chair of O’Reilly’s Velocity conference. As someone who has been a core part of the DevOps journey, James is especially qualified to discuss how it is similar to, and different from, security. Tuning in, you’ll hear about James’ journey, why he made the transition from security to operations, and why he considers people a key part of DevOps solutions. You’ll also find out where the lines between the two worlds meet and how one can benefit from the other. Tune in today!
Jan 14, 2021 • 28min

The Future Of Security Teams And Champions With Nick Vinson

A secure organization requires a large amount of buy-in from beyond those immediately concerned with security. This can prove a challenge at certain companies, and security leads should know the importance of facilitating a shared vision of priorities. Joining us on the show to talk about his role and team at Pearson is DevSecOps Lead Nick Vinson. Currently heading up the team of engineers focusing on security, Nick has been a driving force in getting the company up to speed on the security front for the last couple of years. We get to hear from Nick about his longer-term history in DevSecOps and how he landed in his present role. From there, we dive into the ins and outs of general security as well as aspects specific to Pearson. Nick shares his philosophy towards team involvement and embedding security-focused members, and unpacks Pearson’s approach to security champions while emphasizing the importance of this work. We talk about the primary goals for Nick and his team, the importance of adoption and investment in this area, and Nick’s perspective on the most effective ways to achieve this. Our guest also illuminates some specific practices around tests, challenges, and expectations, and listeners can expect to come away with some great insider knowledge on running forward-facing security. For all this and a whole lot more from Nick and Guy, be sure to listen in!
Dec 16, 2020 • 52min

Looking Back On 2020 And Ahead To 2021 With Simon Maple

On today’s episode, Guy Podjarny, President and Co-founder of Snyk, is joined by VP of Developer Relations Simon Maple. Simon takes the role of host for this episode and chats to Guy about the key 2020 podcast themes. They discuss the importance of security champions and celebrating success, as well as what we can look forward to in 2021. Measuring security programs will be a hot topic, as will adapting cloud security practices to help developers secure their infrastructure as code. Listen in as Guy shares his observations on the impact of COVID on security companies and on relationships between development and security teams. Trust is crucial, as is automation and the ability to work well remotely. Find out what Guy has learned from the guests he has interviewed, including some concrete tips and methodologies that you can apply in your own organizations. That’s a wrap for 2020! Make sure to tune in to hear Guy’s reflections on the past year and some projections for the year ahead.
Nov 26, 2020 • 38min

Two Angles Of Application And Product Security With Mike Shema

Today’s guest, Mike Shema, is no stranger to podcasts. As the host of the Application Security Weekly show, he has firsthand insights into the trends and movements in the industry. When he is not on air, Mike works with developers at Square to protect applications, their data, and their users. With a broad range of AppSec experience, from manual security testing to building a commercial web scanner and helping teams build secure products, he has seen it all. In this episode, we hear about Mike’s moderator role at Square and how it ties into the organization’s engineering-biased security approach. We learn about their partnership strategy, how they split up cloud and governance security, and the benefits of specialist teams. Mike candidly shares how his empathy for developers has grown over the years, and how, as a result, he is careful not to play the gatekeeper role. The conversation turns to tooling, where Mike sheds light on his ‘why bother?’ addition to the age-old question of whether to build or buy. Moving away from his work at Square, we then take a look at some of the industry developments he has picked up on as a podcast host himself. He talks about how developers have leapfrogged security teams over the past few years and why this is a good thing for the industry. Be sure to tune in to hear this and much more.
Nov 20, 2020 • 32min

Exposing The SourMint Scandal With Danny Grander

Many developers and publishers serve as unwitting vehicles for malware. Today we speak with Snyk co-founder and Chief Security Officer Danny Grander about SourMint, a malicious SDK that had been integrated into popular apps with a combined 1.2 billion downloads per month before it was exposed by the Snyk research team. We open our conversation by summarizing the scandal and unpacking what SourMint is, with details on how it tracks Android and iOS user behavior while allowing for remote command execution. We then dive into how Mintegral, the creators of the SDK, hid its behavior, before exploring the range of apps affected by SourMint. After chatting about the role that Snyk plays in hunting for malicious code, Danny shares insights into how they discovered SourMint. We talk about SourMint’s victims and how responsibility is shared between developers and marketplace vendors. Near the end of the episode, we reflect on the challenge of protecting people who are using old versions of apps that still have the malicious SDK integrated into them. While the scale of SourMint’s reach seems unprecedented, it’s a story that’s becoming increasingly common. Tune in to hear what we can do to protect ourselves from malicious code.
Nov 13, 2020 • 34min

Four Years On: Reflections From Our First-Ever Guest With Kyle Randolph

In episode 80 of The Secure Developer, Guy Podjarny is joined by Kyle Randolph, VP of Security, Privacy, Compliance, and Assurance at Episerver (which recently acquired Optimizely, where he was CISO). Kyle was our first ever guest on the show back in episode 1, four years ago, so we thought it a good idea to invite him back to see how things have changed over these past four years. In this conversation, we reflect on some of the insights Kyle shared on the debut show and how those perspectives have since evolved, as well as subjects such as tool adoption, control streamlining, and the paved road approach. The show wraps up with a look at the idea of celebration and security championing, where Kyle shares why we can never celebrate security wins enough.
Oct 15, 2020 • 37min

Training Security Champions With Brendan Dibbell

In today’s episode, Guy Podjarny talks to Brendan Dibbell, the application security engineering team lead at Toast, a restaurant technology company based in Boston, Massachusetts. Before moving into security, he spent years as a software developer building mission-critical systems such as identity management, payment processing, and healthcare platforms, and has always been a vocal advocate for security. Brendan shares how they manage cloud security at Toast and what the interaction between the AppSec and engineering teams looks like, and discusses their security champion program, how it differs from the security training for regular developers, and the benefits of having created their own curriculum. Tuning in, listeners will hear how Brendan and his team measure the success of their programs, focusing on progress rather than on a fixed set of objectives, and which metrics have and have not worked along the way. Later on, our guest explains why interrupting your workflow to solve every little risk that pops up is problematic, and why it is far more important to stay focused on the bigger picture while not neglecting to address the smaller issues as you go.
