
The Secure Developer

Latest episodes

Mar 1, 2021 • 43min

Implementing DevSecOps Transformation With Nicolas Chaillan

Welcome back to The Secure Developer. On today’s episode, Guy Podjarny is joined by Nicolas Chaillan. Nicolas is the United States Air Force's first Chief Software Officer, responsible for enabling Air Force programs in the transition from Agile to DevSecOps to establish Force-wide DevSecOps capabilities and best practices, including continuous authority-to-operate processes and streamlined technology adoption. In addition to his public service, Nicolas is a technology entrepreneur, software developer, cyber expert, and inventor who has founded 12 companies and been recognized as one of France's youngest entrepreneurs. He has also created and sold over 180 innovation software products to 45 Fortune 500 companies. In this episode, Nicolas talks about security and DevSecOps at a very large scale and in a highly security-conscious environment. You’ll hear about his career trajectory, what it means to be a CSO, and his approaches for mitigating risk, “failing fast”, and redefining our understanding of security versus compliance. He also shares some interesting perspectives on the role of open source in government security, transparency with commercial parties, and the importance of continuous learning, as well as his advice and predictions for someone in his shoes. Tune in today!
Feb 2, 2021 • 38min

DevOps Versus Security With James Turnbull

Welcome back to The Secure Developer. On today's episode, Guy Podjarny, President and Founder of Snyk, is joined by James Turnbull. James is an engineering leader, author of 11 books, and open source developer, and is currently the VP of Engineering at Timber, working on the open source observability platform, Vector. He was formerly the CTO-in-residence at Microsoft, CTO and Founder of Empatico, and CTO at Kickstarter. He has held leadership roles at Docker, Venmo, and Puppet and was the chair of O'Reilly's Velocity conference. As someone who has been a core part of the DevOps journey, James is especially qualified to discuss how it is similar to or different from security. Tuning in, you’ll hear about James’ journey, why he made the transition from security to operations, and why he considers people a key part of DevOps solutions. You’ll also find out where the lines between the two worlds meet and how one can benefit from the other. Tune in today!
Jan 14, 2021 • 28min

The Future Of Security Teams And Champions With Nick Vinson

A secure organization requires a large amount of buy-in from beyond those immediately concerned with security. This can prove a challenge at certain companies, and facilitating a shared vision of priorities is something that security leads should know the importance of. Joining us on the show to talk about his role and team at Pearson is DevSecOps Lead, Nick Vinson. Currently heading up the team of engineers focussing on security, Nick has been a driving force in getting the company up to speed on the security front for the last couple of years. We get to hear from Nick about his longer-term history in DevSecOps and how he landed in his present role. From there, we dive into the ins and outs of general security as well as aspects specific to Pearson. Nick shares his philosophy towards team involvement and embedding security-focussed members, as well as unpacking Pearson's approach to security champions and emphasizing the importance of this work. We talk about the primary goals for Nick and his team, the importance of adoption and investment in this area, and Nick's perspective on the most effective ways to achieve this. Our guest also illuminates some specific practices around tests, challenges, and expectations, and listeners can expect to come away with some great insider knowledge on running forward-facing security. For all this and a whole lot more from Nick and Guy, be sure to listen in!
Dec 16, 2020 • 52min

Looking Back On 2020 And Ahead To 2021 With Simon Maple

On today’s episode, Guy Podjarny, President and Co-founder of Snyk, is joined by VP of Developer Relations, Simon Maple. Simon takes the role of hosting this episode and chats to Guy about the key 2020 podcast themes. They discuss the importance of security champions and celebrating success, as well as what we can look forward to in 2021. Measuring security programs will be a hot topic, as well as how to adapt cloud security practices to help developers secure their infrastructure as code. Listen in as Guy shares his observations on the impact of COVID on security companies and on relationships between development and security teams. Trust is crucial, as is automation and the ability to work well remotely. Find out what Guy has learned from the guests he has interviewed, including some concrete tips and methodologies that you can apply in your own organizations. That’s a wrap for 2020! Make sure to tune in to hear Guy’s reflections on the past year, and some projections for the year ahead.
Nov 26, 2020 • 38min

Two Angles Of Application And Product Security With Mike Shema

Today’s guest, Mike Shema, is no stranger to podcasts. As the host of the Application Security Weekly show, he has firsthand insights into the trends and movements in the industry. When he is not on air, Mike works with developers at Square to protect applications, their data, and their users. With a broad range of AppSec experience, from manual security testing to building a commercial web scanner and helping teams build secure products, he has seen it all. In this episode, we hear about Mike’s moderator role at Square and how it ties into the organization’s engineering-biased security approach. We learn about their partnership strategy, how they split up cloud and governance security, and the benefits of specialist teams. Mike candidly shares how his empathy for developers has grown over the years, and as such, he is cognizant of not playing the gatekeeper role. The conversation goes to tooling, where Mike sheds light on his ‘why bother?’ addition to the age-old question of whether to build or buy. Moving away from his work at Square, we then take a look at some of the industry developments he has picked up on as a podcast host himself. He talks about how developers have leapfrogged security teams over the past few years and why this is a good thing for the industry. Be sure to tune in to hear this and much more.
Nov 20, 2020 • 32min

Exposing The SourMint Scandal With Danny Grander

Many developers and publishers serve as unwitting vehicles for malware. Today we speak with Snyk co-founder and Chief Security Officer Danny Grander about SourMint — a malicious SDK that has been integrated into popular apps, seeing a total of 1.2 billion downloads per month. That was before it was exposed by the Snyk research team. We open our conversation by summarizing the scandal and unpacking what SourMint is, with details on how it tracks Android and iOS user behavior while allowing for remote command execution. We then dive into how Mintegral, the creators of the SDK, hid its behavior, before exploring the range of apps affected by SourMint. After chatting about the role that Snyk plays in hunting for malicious code, Danny shares insights into how they discovered SourMint. We talk about SourMint’s victims and how we can assign responsibility to both developers and marketplace vendors. Near the end of the episode, we reflect on the challenge of protecting people who are using old versions of apps that still have the malicious SDK integrated into them. While the scale of SourMint’s reach seems unprecedented, it's a story that’s becoming increasingly common. Tune in to hear what we can do to protect ourselves from malicious code.
Nov 13, 2020 • 34min

Four Years On: Reflections From Our First-Ever Guest With Kyle Randolph

In episode 80 of The Secure Developer, Guy Podjarny is joined by Kyle Randolph, VP of Security, Privacy, Compliance, and Assurance at Episerver (who recently acquired Optimizely, where he was CISO). Kyle was our first ever guest on the show back in episode 1, four years ago, so we thought it a good idea to invite him back on to see how things have changed over these past four years. In this conversation, we reflect on some of the insights Kyle shared on the debut show and how these perspectives have since evolved, as well as subjects such as tool adoption, control streamlining, and the Paved Road approach. The show wraps up with a look at the idea of celebration and security championing, where Kyle shares why we can never celebrate security wins enough.
Oct 15, 2020 • 37min

Training Security Champions With Brendan Dibbell

In today’s episode, Guy Podjarny talks to Brendan Dibbell, the application security engineer team lead at Toast, a restaurant technology company based in Boston, Massachusetts. Before moving into security, he spent years as a software developer, building mission-critical systems such as identity management, payment processing, and healthcare platforms, but has always been a vocal advocate for security. Brendan shares how they manage cloud security at Toast and what the interaction between the AppSec and the engineering team looks like, and discusses their security champion program, how it differs from the security training for regular developers, and the benefits of having created their own curriculum. Tuning in, listeners will hear how Brendan and his team measure the success of their programs, focusing on progress rather than on a set of objectives, and he talks about what metrics have and have not worked along the way. Later on, our guest explains why interrupting your workflow to solve every little risk that pops up is problematic and why it is far more important to stay focused on the bigger picture while not neglecting to address the smaller issues as you go.
Oct 8, 2020 • 31min

Approaches To Security From Across The Industry With Sacha Faust

Today, we’re going to explore approaches to security at companies of different scales with Sacha Faust, Head of Security Intelligence at Amazon Payments. Sacha has held numerous roles in security and development across the industry spectrum, and we kick things off hearing about his journey in the space. The first part of the episode is about the difference between security engineering at startups versus established companies, and Sacha weighs in on his experiences at Lyft versus Azure and Amazon. At Lyft, Sacha’s approach was all about empowering teams and taking advantage of the fast-growing environment to build things into the company’s fabric. In contrast, teams are bigger and processes more established at larger firms, and Sacha talks about the depth- versus breadth-focused approach required. Here we explore what it means to go deep on a bug, hearing Sacha’s ideas about learning from bug failures so you can make an impact you can measure, and the complexities of truly fixing something. We move on to the subject of Sacha’s time as a developer next, and he talks about the lessons he learned about the intricacies of that world and the empathy they gave him when he switched back to engineering. His empowerment-first approach was very much born during that time, as was his belief in the value of diversity of experience for building one's career as well as one’s teams. For insights into security work at different scales and a few gems about the people side of security from Sacha too, be sure to tune in.
Sep 24, 2020 • 30min

Collaborating On Solutions With Andy Steingruebl

Today’s guest is Andy Steingruebl, Chief Security Officer at Pinterest, here to talk about DevSecOps, collaboration, and measuring security performance at his place of work! We open with a few details from Andy’s background and how he got into security by working on UNIX systems. After talking about how he splits up his teams, Andy touches on the fact that many issues spill over from one area to another, meaning the lines that divide them are not set in stone and issues get tackled on a case-by-case basis. We shift from security to engineering next, talking about the interaction between application security teams and agile development teams building software. As is often the case, Andy has found that the more communication between the two the better, and he describes how the company culture at Pinterest helps to bolster this practice even further. Secure by default is always a big goal, and Andy talks about the line between using preexisting web frameworks with security baked in and allowing developers to be creative. We dive with Andy into the difficult question of how to measure security performance next, hearing his approach that highlights measuring the applicability of a security control. Wrapping up for the day, we close with some golden advice from Andy regarding security being about people and collaboration, something we would all do well to remember. Be sure to tune in today!
