
The Secure Developer

Latest episodes

Sep 17, 2020 • 34min

New Playbooks For Security With Lucas Moody

Today’s guest is Lucas Moody, Head of Security Innovation and Operations at Rubrik, here to talk about what being forward-thinking about security in 2020 looks like. We open with Lucas sketching out his impressive career in Silicon Valley and how his role as the first CISO at Palo Alto Networks informs his current work at Rubrik. We explore what it means to work on security across both operations and product innovation, and Lucas compares his experience doing this at Palo Alto Networks, a security company first, with Rubrik, which is more focused on data management, resiliency and recovery, and backup. From there, we move on to how the shift to cloud and SaaS has changed tech companies and is leading to exciting evolutions in the roles of CIOs, CSOs, and CISOs. Turning to the idea of security DNA, we discuss with Lucas how firms should think about security as part of their day-to-day operations. Before closing, we talk about how the pandemic affected the security strategy at Rubrik, and Lucas details some of the major shifts they made away from infrastructure-related projects toward things like identity and access so that security work could still be done effectively while remote. Finally, Lucas shares a few top tips for how firms can level up their security game, such as throwing out old playbooks and having an independent red team. Be sure to tune in!
Sep 4, 2020 • 45min

DevSecOps Data With Alanna Brown, Gareth Rushgrove, And Alyssa Miller

On The Secure Developer, we often hear opinions and experiences from people working in development, so today we’re turning to the data to figure out what works and what doesn’t in the world of DevOps and DevSecOps. Joining us for a panel discussion on the topic are Alanna Brown, Senior Marketing Director at Puppet and mastermind behind the State of DevOps Report; Gareth Rushgrove, Product Director at Snyk and curator of DevOps Weekly; and Alyssa Miller, Application Security Advocate, also at Snyk. In this show, we get a lay of the land and take a look at where things stand. We hear about vulnerabilities and the mixed bag of data that our panelists have seen around remediation. While there are some positive developments in the space, there are also areas, such as containers, where there is great room for improvement. The conversation then moves to security practices and which security controls are effectively deployed and which are not, and we gain great insights into the role that integration plays in the efficacy of controls. While it’s not all sunshine and roses, there are encouraging shifts happening in security thinking. From there, we move on to infrastructure-as-code security and shared responsibility. Again, the panelists present their varied data findings, which paint an interesting picture. Finally, we wrap up by consolidating the discussion, with the panelists highlighting what they think is key going forward. To hear more from this fascinating, data-rich discussion, tune in today!
Aug 28, 2020 • 30min

Leveling Up Security In Big Organizations With Geoff Kershner

Bringing large organizations in line with modern security practices can be a tricky task, especially when they don’t understand how valuable security is to the business and your customers. Today we speak with Geoff Kershner, Chief Security Officer at Medallia, who brings 25 years of experience to bear on leveling up the security of big organizations. After sharing highlights from his career, Geoff talks about the shift from consulting to running Medallia’s security team. We then dive into what their security team looks like and Geoff explains his security philosophy. We discuss how Geoff integrates security into Medallia’s engineering teams through security champion programs and the benefit that upskilling their security practices has for employees. Considering the often hybrid nature of their work, Geoff details how Medallia’s security champions function both workflow-wise and in terms of their role expectations. Focusing on more specifics, we ask Geoff what he looks for in new hires, how his security and developer teams work together, and how product and cloud security are managed. We also touch on how Geoff evaluates security tools and how leveling up security requires being able to adapt your security message to bring your organization along with you, instead of combating them. With a treasure trove of experience, our discussion with Geoff is filled with insights. Tune in to hear more about growing security within big organizations.
Aug 13, 2020 • 18min

Celebrating Success

It’s been well accepted by now that we’re all humans and if you want to incentivize developers to do well in terms of security then you should recognize them! So, today on The Secure Developer, we will be having another one of our mix episodes, where we compile a sequence of snippets from conversations out of different episodes of the show, and our theme for this episode is celebrating success! We feature segments from our interviews with Kyle Randolph, Zach Powers, Siren Hofvander, Mike Hanley, Leif Dreizler, and Eric Ellett, who talk about how success is celebrated at Optimizely, One Medical, Cybercom, Cisco, and Segment. A common theme from our show today is the idea that a little bit of swag goes a long way! Cash rewards tend to incentivize developers to only perform for the money, whereas surprise gifts like shirts, mugs, and hoodies keep things interesting and retain more association with the success they award than money in the bank. Some other interesting methods for celebrating success are public acknowledgments, ‘Cake for No Reason Day’, awards in the form of training and certifications, gamification, and a whole lot more! Tune in and hear how the few firms that do celebrate success are upholding this much-needed tradition.
Aug 6, 2020 • 25min

Security Champions Deep Dive

Welcome to the first episode in a series where we reflect on the lessons given to us by our previous guests. This episode is a deep focus on security champions — developers with extra training who provide input from the security side of things. Our first perspective comes from episode 59 featuring Steve White, Field CISO of Pivotal, now a part of VMware. Steve shares his enthusiasm for security champion programs and speaks about their role in helping their teams make incremental security changes. After talking about why we should be moving security into the early development cycle, Steve gives advice on giving developers one security problem to focus on at a time. From Steve, we dive into episode 42 where we spoke to Kate Whalen from The Guardian. She highlights the value of organizing meetings for developers who are interested in security. These spaces, she explains, are for engineers to ask questions and come to an understanding that security is a shared responsibility. Next, we listen to Omer Levi Hevroni from episode 24, who was a maven for Asurion — their version of a security champion. He talks about the productivity challenges of being a security champion while still needing to complete your own tasks. Mirroring Kate’s points, Omer emphasizes the importance of having a community to share your experiences with and how conferences and online channels like Slack can serve this need. Our last perspective is provided by Yashvier Kosaraju from episode 66. Yashvier discusses having a security partner on the security team to complement the security champion on the development team. We talk about the advantages of this system, as it allows you to perform a security review on a project as it’s being created, ensuring that timelines aren’t affected. Our guests’ experiences are filled with insight and wisdom. Tune in for more on how you can develop your own security champion program.
Jul 30, 2020 • 33min

Changing Culture With Nitzan Blouin

On today’s episode, Guy Podjarny, President and Co-Founder of Snyk, talks to Nitzan Blouin. Nitzan’s background combines engineering and product management. She built six QA test departments from scratch while bulletproofing big data and mobile products. Nowadays, she’s leading Spotify’s product security team. In this episode, Nitzan digs into changing culture, something she has managed a couple of times before in a variety of contexts. She shares a bit about her journey from quality assurance to security and how they are essentially two sides of the same coin. We get a step-by-step process from Nitzan on how she created a plan to solve security as an engineering problem at Spotify. She also has some tips about interaction models, hiring a diverse team, and talking to your customers. Tune in today for more on changing culture, from Nitzan Blouin!
Jul 23, 2020 • 40min

Transforming Comcast Using DevSecOps Practices With Larry Maccherone

Security teams often adopt an untrusting and policing approach to development, creating confrontational relationships that only increase risk. For many companies, this culture of gatekeeping prevents the adoption of DevSecOps practices. But now the data is out! Having used agile practices to integrate DevSecOps into Comcast’s development cycle, Larry Maccherone has shown that DevSecOps significantly reduces risk. On today’s episode, our conversation with Larry focuses on his experience transforming Comcast’s development team. We open by talking about Larry’s career and how he learned the importance of visualizing data in order to explain his research. Larry shares the pushback he experienced from security teams when implementing DevOps practices and how getting this approach to work involved a gradual onboarding process. We discuss the challenges that arise when you follow some DevOps practices but not others before diving into Larry’s research. Despite having results that prove the value of DevSecOps, Larry talks about the unique problem that, “You’re never a prophet in your own town,” meaning that people often fail to recognize innovation when it is developed in-house. Near the end of the episode, Larry talks about cloud tech before giving advice on taking your security to the next level. An episode filled with insights; tune in and learn how you can transform your dev team.
Jul 16, 2020 • 33min

Understanding What Cloud Security Means With Teri Radichel

Today, we talk about business, technology, and development as they relate to cloud security with Teri Radichel, CEO of 2nd Sight Lab and author of Cybersecurity for Executives in the Age of Cloud. Teri begins by explaining how she got into the world of cloud security after experiencing a breach at her prior web application development and hosting company. From there, we explore what cloud security is all about, and Teri starts by defining cloud systems in contrast to physically rented servers. She raises the concern of the new distribution of responsibility between client and host, and then sketches out some of the novel security challenges posed by the unique architecture of cloud-based apps. We get into a few of the main places where breaches occur and then discuss how necessary – and possible – it is for everyone from executives to developers to become more security savvy. This brings up the fine line between raising justified alarm bells and fear-mongering, and we hear why Teri believes talking about security is of utmost importance. Other big takeaways from today’s conversation are Teri’s thoughts on the way teams are distributed; we touch on the need for developers and security people to understand each other’s roles better, the importance of ‘builders’ and ‘auditors’, and how to make the job of security teams easier and thus put them to best use! Make sure you tune in for all this as well as Teri’s thoughts on how cloud systems can optimize security, and some valuable lessons from her about personal and professional growth!
Jul 2, 2020 • 1h 11min

DevSecCon Panel

Today’s episode of The Secure Developer features some fantastic content from a panel at DevSecCon London. Clint Gibler, Research Director at the NCC Group, is joined by Doug DePerry, Director of Defense at Datadog; Tash Norris, Head of Product Security at Moonpig; Jesse Endahl, CSO at Fleetsmith; and Zane Lackey, CSO at Signal Sciences. The discussion begins with a dive into building a good security culture within a company and ways to get other members of an organization interested in security. Some of the strategies explored include cross-departmental relationship building, incentivizing conversations with the security team through swag and food, and embedding security within development teams. We then turn our attention to metrics. There are often competing priorities between developers and security, which can cause tension. The panel shares some of the security metrics that have and have not worked for them, and we also hear different takes on the often-divisive bug count metric. Next up is a dive into working with limited personnel and financial resources, one of the most common constraints security teams face. We hear how the panel approaches prioritization, adding value to the organization as a whole, and the importance of making security capabilities digestible for developers. After this, the panel explores risk quantification and how to communicate it. While it’s difficult to quantify risk precisely, there are some effective strategies such as risk forecasting. Along with this, the panel shares techniques for communicating with executives in ways that resonate and convey the severity of potential threats. Other topics covered include policy-driven vs technical-driven security and skilling up less technical teams, how to know when security is ‘done’, and incentives for upholding security protocols!
Jun 19, 2020 • 30min

Security Chaos Engineering - What Is It And Why Should You Care With Aaron Rinehart

Chaos engineering is a powerful practice where experiments are run to build confidence that a system operates as expected. While the practice shapes the way that large-scale systems are built, it is underutilized in the security space. Verica, a continuous verification company that uses chaos engineering to make systems more secure, is looking to remedy this shortfall, and its co-founder and CTO, Aaron Rinehart, joins us today. Aaron has been expanding the possibilities of chaos engineering by applying it to other safety-critical portions of the IT domain, notably cybersecurity. In this episode, we learn more about Aaron’s diverse background. Having worked as a developer before making his move into security, he understands systems intricately, giving him unique insights. We then dive into chaos engineering, the proactive approach it takes, and the intentional feedback loop it provides. Aaron believes that these experiments are great learning moments because they don’t carry the high cognitive load that comes with unplanned system failures. After that, we turn our attention to how chaos engineering lets confidence in a system’s stability be built in a controlled and managed way. Along with this, we explore why it’s not necessary to wait for production to test different security controls, what security chaos engineering offers incident response teams, and some fascinating use cases. Be sure to tune in today!
