Episode Summary

Join Jeremiah Grossman, application security pioneer and former CEO of WhiteHat Security, as he reflects on decades of innovation in the industry, from the early days of OWASP to today’s AI-driven development landscape. Explore critical discussions about the escalating costs of security, aligning developer incentives, and the future challenges posed by AI-generated vulnerabilities. Packed with insights, this episode dives deep into the strategies and frameworks shaping the way we build and secure modern software.

Show Notes

In this episode of The Secure Developer, we sit down with Jeremiah Grossman, a pioneer in application security and former CEO of WhiteHat Security. Jeremiah shares fascinating insights from his decades of experience shaping the security landscape, including the origins of the OWASP project and his role in raising awareness about critical vulnerabilities like SQL injection and cross-site scripting.

The conversation delves into how the industry has evolved over the past two decades, from the early days when nearly every application was riddled with vulnerabilities to today’s more robust frameworks and heightened security awareness. Despite these advancements, Jeremiah and Danny discuss why security spending remains high while organizations continue to struggle with improving their overall security posture.

Key topics include:

• The misalignment of incentives in software development that prioritizes speed over security.
• The emerging role of cyber insurance in shaping organizational security practices.
• The challenges of unknown assets and their contribution to breaches, highlighting the importance of asset inventory and attack surface management.
• The impact of AI on software development, particularly the risks and opportunities presented by AI-generated code and new attack surfaces.

Jeremiah also shares his thoughts on aligning incentives for secure development, including innovative approaches like developer performance metrics and reward structures for secure coding. The episode concludes with a look at Jeremiah’s current focus on venture capital and fostering innovation in security, as well as his personal passion for Brazilian jiu-jitsu and its parallels with the security industry.

This episode is a deep dive into the critical challenges and opportunities facing modern security professionals, offering actionable insights and thought-provoking discussions for developers, CISOs, and security practitioners alike.

Links

• OWASP (Open Web Application Security Project)
• Black Hat
• Node.js
• Brave Browser
• Chromium
• Cornell Study on AI Code Vulnerabilities
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

In this episode of The Secure Developer, host Danny Allan sits down with David Mytton, founder and CEO of Arcjet, former CEO of Server Density, and co-founder of Console.dev. David shares his insights into bridging the “developer-security gap” with Arcjet, a cutting-edge middleware SDK designed to empower developers with advanced security tools like rate limiting and bot protection. The conversation dives into the evolution of developer tools, the growing role of AI in coding, and the future of secure software development in modern environments. David also offers a fascinating perspective on sustainable computing and the impact of clean energy in the tech industry.

Show Notes

In this thought-provoking episode of The Secure Developer, host Danny Allan sits down with David Mytton, founder and CEO of Arcjet, to explore the evolving intersection of development, security, and AI. David, a serial entrepreneur with deep roots in cloud monitoring and developer tools, shares his journey from co-founding Server Density to building Arcjet, a groundbreaking solution for developers managing runtime security.

The conversation begins with David’s take on why developers should prioritize security early in the development lifecycle. He highlights the challenges developers face in modern environments, where traditional security tools often fail to integrate seamlessly with serverless and edge computing platforms. David introduces Arcjet as an innovative SDK that empowers developers to implement rate-limiting, bot detection, and other security measures directly in their applications, offering a developer-first approach to runtime protection.

Delving deeper, the discussion shifts to the rise of WebAssembly as a transformative technology. David explains how WebAssembly enables near-native performance across platforms while providing unparalleled isolation—making it a perfect fit for modern security needs. He contrasts this with traditional intrusion detection systems and outlines how Arcjet leverages WebAssembly to fill the gaps left by legacy tools.

The episode also explores the broader evolution of the developer ecosystem. From the increasing adoption of AI-powered coding tools to the growing interest in languages like Rust, David shares his perspective on how these trends are reshaping software development. He also discusses the challenges of balancing AI-generated code with the need for security and the potential for AI to exacerbate vulnerabilities if not carefully managed.

As the conversation wraps up, David touches on his research in sustainable computing and its implications for the tech industry. He highlights the positive strides being made toward greener computing practices and how developers can contribute to a more sustainable future.

This episode offers a rich blend of technical insights, forward-thinking ideas, and practical advice for developers and security professionals navigating the ever-changing landscape of software security and development.

Links

• Arcjet
• Console
• Acquia
• Rust Programming Language
• University of Oxford
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

Imagine if AI could detect and fix vulnerabilities in your code faster and with greater precision than ever before. That future is already here! In today’s episode, we’re joined by Berkay Berabi, an AI researcher and Senior Software Engineer at Snyk, to dive into the cutting-edge world of AI-powered vulnerability detection. Berkay offers insight into how Snyk is leveraging a hybrid AI approach to detect and fix vulnerabilities in code, combining human-driven expertise with machine learning for greater accuracy and scalability. He also introduces CodeReduce, a game-changing tool by Snyk that strips away irrelevant code, streamlining the detection process and addressing the challenges posed by complex, multi-step data flows. Through rigorous model testing, Snyk ensures that AI-generated fixes are validated to prevent errors, making the process faster and more reliable.

Show Notes

In this fascinating episode of The Secure Developer, host Danny Allan sits down with Berkay Berabi, an AI researcher at Snyk, to explore the groundbreaking CodeReduce technology and its implications for software security. Berabi, who transitioned from electrical engineering to AI research, shares insights into how Snyk is revolutionizing vulnerability detection and remediation using artificial intelligence.

The conversation delves deep into the technical aspects of CodeReduce, explaining how this innovative approach reduces complex code structures by up to 50 times their original size while maintaining vulnerability detection capabilities. Berabi explains the sophisticated process of code reduction, analysis, and fix generation, highlighting how AI models can better understand and address security vulnerabilities when working with simplified code. The discussion also covers the challenges of different AI models, from T5 to StarCoder and Mixtral, exploring their varying capabilities, accuracies, and performance trade-offs.

The episode critically examines the future of AI in software development, addressing both opportunities and concerns. Berabi and Allan discuss recent findings about AI-generated code potentially introducing new vulnerabilities, referencing Gartner's prediction that by 2027, 25% of software vulnerabilities could be created by AI-generated code. They explore how tools like CodeReduce and other AI-powered security measures might help mitigate these risks while examining the broader implications of AI assistance in software development. This episode offers valuable insights for developers, security professionals, and anyone interested in the intersection of AI and software security.

Links

• DeepCode AI Fix Research Paper
• DeepCode AI Fix Blog Post

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

Are you ready to revolutionize your coding experience with cutting-edge AI tools? In this episode of The Secure Developer, host Danny Allan is joined by Jeff Wang, Head of Business at Codeium, to take a deep dive into the transformative power of generative AI in software development. Discover how coding assistants have evolved from simple auto-complete functions to sophisticated AI-driven tools, the significant impact these advancements have had on productivity and innovation, and how Codeium is addressing some of the security challenges they pose. Tuning in, you’ll learn how you can stay ahead in the rapidly changing tech landscape and supercharge your development process.

Show Notes

In this insightful episode of The Secure Developer, host Danny Allan sits down with Jeff Wang from Codeium to explore the rapidly evolving world of AI-powered coding assistants. As organizations increasingly look to harness the power of Generative AI in software development, Jeff provides a comprehensive overview of how these tools transform the coding landscape.

The conversation starts with a journey through the history of coding assistants, from early autocomplete features to today's sophisticated AI-driven tools. Jeff explains how Large Language Models (LLMs) have revolutionized code generation, offering unprecedented levels of accuracy and efficiency. He delves into the various features of modern coding assistants, including chat functions for code understanding and debugging, highlighting how these tools cater to both junior and senior developers.

Security concerns are a key focus of the discussion, with Jeff addressing how Codeium tackles data privacy and protection. He outlines strategies such as air-gapped deployments and local data processing to ensure that sensitive code remains secure. The episode also touches on the challenges of measuring the impact of these tools, with Jeff sharing insights on how companies are quantifying success through metrics like code generation percentage and developer productivity.

Looking to the future, Jeff and Danny explore the potential trajectories of AI in software development. They discuss the possibility of more complex, multi-step AI processes and the integration of AI across the entire software development lifecycle. The conversation concludes with thought-provoking insights on how AI coding assistants are improving productivity and enabling developers and organizations to "dream bigger" and tackle more ambitious projects.

This episode offers listeners a deep dive into the cutting-edge world of AI-assisted coding, providing valuable insights for developers, technology leaders, and anyone interested in the future of software development. Tune in to understand how these tools reshape the industry and why they're becoming essential to modern development practices.

Links

• Codeium

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

In this episode of The Secure Developer, David Imhoff, Director of DevSecOps and Product Security at Kroger, shares insights on implementing DevSecOps in large organizations. He discusses balancing regulatory compliance with business objectives, fostering a security culture, and the challenges of risk mitigation. David also explores the importance of asset management, security champions, and the potential impact of AI on cybersecurity practices.

Show Notes

In this episode of The Secure Developer, host Danny Allan speaks with David Imhoff, Director of DevSecOps and Product Security at Kroger, about implementing security programs in large organizations. David shares his experience transitioning from blue team operations to engineering and back to security, emphasizing the importance of understanding both security and engineering perspectives to create effective DevSecOps programs.

The conversation delves into the challenges of starting a security program in a large retail organization, with David highlighting the importance of understanding regulatory requirements, such as HIPAA, and aligning security measures with business objectives. He discusses the use of the NIST Cybersecurity Framework for measuring and reporting security posture to the board, and the process of balancing security needs with business risk appetite.

David explains Kroger's approach to building a security culture, including the implementation of a security champions program and the use of Objectives and Key Results (OKRs) to drive security initiatives. He details the company's strategies for centralizing security policies while allowing flexibility in implementation across different engineering teams. The discussion also covers the integration of security tools into the development pipeline, including the use of GitHub Actions for vulnerability scanning and management.

The episode explores various security technologies employed at Kroger, including Software Composition Analysis (SCA), Static Application Security Testing (SAST), API security, and secrets scanning. David shares insights on the challenges of prioritizing security alerts and the ongoing effort to provide a cohesive view of risk across multiple tools. The conversation concludes with a discussion on the potential impact of AI on security practices, including the new challenges it presents in areas such as data poisoning and model management, as well as the potential for AI to improve threat modeling processes.

Links

• NIST Cybersecurity Framework

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

In this special episode of “The Secure Developer,” host Danny Allan interviews Snyk founder Guy Podjarny about the origins and evolution of Snyk. Guy shares his journey from conceptualizing Snyk in the shower to building it into a developer-first security platform. They discuss the challenges and successes of integrating security into the developer workflow, the importance of open-source security, and the impact of AI on the industry. Guy also provides insights into Snyk’s focus on remediation and the future of autonomous developer security.

Show Notes

In this episode of The Secure Developer, host Danny Allan sits down with Guy Podjarny, founder of Snyk, for an engaging conversation about the company's journey and its impact on the DevSecOps landscape. Guy shares the story of Snyk's inception, from the initial idea sparked in a shower to its development into a leading developer-first security platform. He discusses the challenges faced in the early days, including the need to balance depth and breadth in their security solutions and how these experiences shaped Snyk's approach to integrating security seamlessly into the developer workflow.

Guy delves into the pivotal moments that defined Snyk's evolution, such as the decision to focus on open-source security and the subsequent expansion into container and infrastructure as code security. He highlights the importance of making security tools that developers love and can easily adopt, which has been a cornerstone of Snyk’s philosophy. The conversation also touches on the strategic acquisitions that bolstered Snyk's capabilities, particularly the acquisition of DeepCode, which brought innovative AI-driven static analysis into the fold.

As the discussion moves forward, Guy and Danny explore the future of security in the AI era. They consider the potential of AI to revolutionize how vulnerabilities are detected and fixed, envisioning a future where code can be autonomously corrected without developer intervention. Guy emphasizes the need for a holistic approach to security, one that combines static analysis with runtime insights to provide comprehensive protection.

This episode offers a deep dive into the philosophy, challenges, and innovations that have driven Snyk’s success. It provides listeners with valuable insights into the evolution of developer-first security and the role of AI in shaping the future of software development. Whether you're a developer, security professional, or tech enthusiast, this conversation is packed with lessons and foresight that you won’t want to miss. Tune in to hear from one of the leading minds in DevSecOps and learn how Snyk continues to lead the charge in making security an integral part of the development process.

Links

• Snyk Open Source
• Snyk Code
• DevSecCon

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

In this episode of The Secure Developer we're joined by Brian Vallelunga, Founder and CEO of Doppler, to discuss the importance of secrets management in modern application development. Brian shares his journey in creating Doppler, a secrets manager designed for developers and DevOps teams, and highlights the challenges organizations face in managing sensitive data such as API keys, database credentials, and certificates. The conversation explores best practices for secure secret storage, the need for industry-wide adoption of secrets rotation, and the potential impact of AI on the future of secrets management and identity-based authentication.

Show Notes

In this insightful episode of The Secure Developer, we sit down with Brian Vallelunga, Founder and CEO of Doppler, to dive deep into the critical topic of secrets management in modern application development. Brian shares Doppler's unique founding story, which began as a crypto machine learning marketplace but pivoted to address the pressing need for effective secrets management solutions.

Throughout the conversation, Brian and Danny explore the challenges developers and organizations face when managing sensitive data, such as API keys, database credentials, and certificates. They discuss best practices for secure secret storage, emphasizing the importance of encryption, seamless integration with developer workflows, and creating a positive developer experience.

The discussion also touches on the industry's struggle with secrets rotation and the need for standardization across providers to enable effective rotation strategies. Brian and Danny consider the potential role of compliance requirements, such as SOC 2, in driving the adoption of robust secrets management practices.

Looking to the future, the pair explores the impact of artificial intelligence on secrets management and the potential shift towards identity-based authentication. They envision a world where AI agents dynamically provision infrastructure and manage the connections between various services, with secrets managers facilitating seamless authentication.

Tune in to this engaging episode to gain valuable insights into the evolving landscape of secrets management and discover how industry leaders like Snyk and Doppler are working to secure the future of application development.

Links

• Twilio
• Stripe
• Nullify
• Vercel
• Kubernetes
• Amazon Web Services
• GitHub Copilot
• Magic
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Follow Us

• Our Website
• Our LinkedIn

Special news about the future of The Secure Developer!

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

Are you curious about the ever-changing landscape of data security? In this episode, we are joined by Danny Allan, the newly appointed Chief Technology Officer at Snyk, to delve into the evolving landscape of data security. In our conversation, we discussed his professional background and how he went from hacking security systems at university to becoming a security expert at Snyk. Hear about his experience in dynamic application security testing and the challenges and opportunities of working for large companies. We unpack how controlling human actions can reduce security vulnerabilities, the nuances of running cloud-hosted services, and how the techniques used for static application security testing have changed. Danny explains the importance of considering security aspects during the early stages of software development and how governance has integrated into data security measures. Gain valuable insights into the ever-changing landscape of data security, AI’s potential role in revolutionizing security practices, and much more.

Show Notes

In this episode, Guy Podjarny is joined by Danny Allan, the new CTO at Snyk. Danny shares his fascinating career journey that has taken him in and out of the application security space over the past 20+ years.

They discuss how application security practices like static analysis (SAST) and dynamic scanning (DAST) have evolved, with SAST becoming much faster and easier to integrate earlier in the development cycle. Danny reflects on what has changed and what has surprisingly stayed the same since his earlier days in AppSec.

The conversation digs into the intersections between application security, data security, cloud security, and how these domains are becoming more interconnected as the same teams take on responsibilities across these areas. Danny draws insights from his recent experience at Veeam, highlighting how practices like data immutability and multi-person authorization grew in importance to combat ransomware threats.

Looking ahead, Danny and Guy explore the potential impact of AI/ML on application security. From automating threat modeling to personalizing vulnerability findings based on developer interests to generating rules and fixes, Danny sees AI unlocking many opportunities to transform AppSec practices.

Overall, this episode provides a unique perspective spanning Danny's 20+ year career in security. His experiences illustrate the evolution of AppSec tooling and processes, the blurring of domains like app/data/cloud security, and how AI could radically reshape the future of application security.

Links

• VMware
• Veeam
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

Explore the role of consolidated platforms in software development with our guest, John Delmare, Global Application and Cloud Security Lead of Accenture. This episode dives into the growing complexity in the developer space and how these platforms streamline processes and foster collaboration among distributed teams. We discuss balancing application and cloud security, the financial and time-saving benefits of integrated platforms, and the role of best-of-breed technology in an evolving tooling landscape. Tune in for a preview of future secure development practices and practical advice on navigating this dynamic space.

Show Notes

In this engaging episode of The Secure Developer, host Simon Maple chats with John Delmare, Managing Director of Accenture and Global Application and Cloud Security Lead, about the movement towards platform consolidation in the field of DevSecOps.

They dive into an in-depth exploration of the potential advantages and barriers that emerge from the reduction of tool sprawl. Using his extensive experience and insights, Delmare sheds light on how this development can enhance efficiency for developers and, at the same time, benefit companies by making processes more streamlined, cost-efficient, and effective.

Not losing sight of the role of best-of-breed tools, the conversation takes a turn into how such tools fare in the current scenario, whether they still hold relevance, or if the consolidation trend is set to overshadow them. More intriguingly, Delmare and Maple delve into the potential implications of emerging technologies like General Artificial Intelligence (GenAI) on the strategies for security tooling.

Further enriching the conversation, they emphasize the critical need for a common ground between security and development teams. Platform consolidation comes into play here by offering shared data views and aligning the teams towards unified goals, making the perfect case for seamless DevSecOps practices.

This episode is packed with insights that would cater to developers, security professionals, and decision-makers in the IT industry, offering them a clearer view of the current trends and allowing them to make strategically sound decisions. Tune in to be part of this insightful conversation.

Links

• Accenture
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

In this episode of The Secure Developer, Guy Podjarny and guest Sean Catlett discuss the shift from traditional to engineering-first security practices. They delve into the importance of empathy and understanding business operations for enforcing better security. Catlett emphasizes utilizing AI for generic tasks to focus on crafting customized security strategies.

Show Notes

In this episode of The Secure Developer, host Guy Podjarny chats with experienced CISO Sean Catlett about transforming traditional security cultures into a more modern, engineering-first approach. Together, they delve into the intricacies of this paradigm shift and the resulting impact on organizational dynamics and leadership perspectives.

Starting with exploring how an empathetic understanding of a business's operational model can significantly strengthen security paradigms, the discussion progresses toward the importance of creating specialized security protocols per unique business needs. They stress that using AI and other technologies for generic tasks can free up teams to concentrate on building tailored security solutions, thereby amplifying their efficiency and impact on the company's growth.

In the latter part of the show, Catlett and Podjarny investigate AI's prospective role within modern security teams and lay out some potential challenges. Recognizing the rapid evolutionary pace of such technologies, they believe keeping up with AI advancements is crucial for capitalizing on its benefits and pre-empting potential pain points.

AI-curious listeners will find this episode brimming with valuable insights as Catlett and Podjarny demystify the complexities and highlight the opportunities of the current security landscape. Tune in to learn, grow, and transform your security strategy.

Links

• Slack
• FedRAMP
• GitHub Copilot
• ChatGPT
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Follow Us

• Our Website
• Our LinkedIn