6 episodes

In the Modern Security Podcast, Clint Gibler (Founder of tl;dr sec and Head of Security Research) joins other CISOs and security leaders to talk about upcoming trends for security, career advice for those just getting started, and much more.

Follow us at https://semgrep.dev/ and follow Clint at https://tldrsec.com/

The Modern Security Podcast Clint Gibler

    • Technology


    The Modern Security Podcast: How GitHub's Chief Security Officer Blends Security & Engineering

    In this episode, Clint interviews Mike Hanley, Chief Security Officer and SVP of Engineering at GitHub. They discuss the importance of balancing engineering and security, and how GitHub focuses on building secure defaults. Mike also shares how GitHub uses AI internally, including GitHub Copilot for code generation and other AI capabilities in their product features. They explore the potential impact of AI on cybersecurity, the need for organizations to embrace AI to enhance productivity and security, and the potential of AI in developer tools. The conversation emphasizes the importance of human oversight and the need to address legacy code and infrastructure. The future of shifting left and the role of AI in security education are also discussed. The conversation concludes with AI's potential in code refactoring and the future of cybersecurity and development.

    Takeaways

    -Balancing engineering and security is crucial for effective and secure software development.
    -Building secure defaults and embedding security in the development process can lead to better security outcomes.
    -AI can be used to enhance productivity and security in software development, such as with GitHub Copilot.
    -AI has the potential to transform workflows in areas like incident response and code scanning.
    -AI has tremendous potential in developer tools and is still in the early stages of development.
    -AI can improve security practices but should not replace human oversight and traditional security measures.
    -The future of shifting left involves integrating security practices earlier in the development process.
    -Fine-tuning AI for custom use cases and addressing legacy code and infrastructure are important challenges.
    -AI can play a significant role in security education and code refactoring.
    -The future of cybersecurity and development will involve a combination of AI and human expertise.

    Chapters

    00:00 Introduction and Background
    03:15 Balancing Engineering and Security
    08:10 Building Secure Defaults
    13:41 The Role of AI at GitHub
    25:19 AI Applications in Security
    32:02 Impact of GitHub Copilot
    32:30 The Potential of AI in Developer Tools
    34:04 The Impact of AI on Security
    36:18 The Importance of Human Oversight
    39:09 The Future of Shifting Left
    40:21 Fine-Tuning AI for Custom Use Cases
    41:36 Addressing Legacy Code and Infrastructure
    43:20 The Need for AI in Security
    45:32 The Role of AI in Security Education
    46:42 AI's Potential in Code Refactoring
    50:03 The Future of Cybersecurity and Development

    • 1h
    The Modern Security Podcast: How CMS Build a Centralized Platform-aaS

    In this episode, Clint and Rob Wood, Chief Information Security Officer at the Centers for Medicare and Medicaid Services (CMS), discuss scaling and managing security at a massive scale in a government setting. They explore the challenges of working with vendors, incentivizing behavior, and building centralized platforms and data ingestion pipelines.
    Chapters

    00:00 Introduction and Scaling Security at Massive Scale
    09:13 Context and Incentives in Government
    19:19 Incentivizing Behavior and Initiatives
    38:50 Building a Centralized Platform as a Service
    47:23 Data Ingestion Pipeline and Security Data Lake
    57:27 Onboarding Data Sources and Teams
    58:26 Moving Away from Legacy Infrastructure
    59:25 Focus and Clean Pipelines
    01:00:21 Making Security a People-Aligned Function

    • 1h 1 min
    Modern Security Podcast: Letty Lourenco and Usable Security at Netflix

    In this next episode of the #modernsecuritypodcast, Clint and Letty Lourenco discuss the importance of user experience in security and how to create secure and user-friendly products. They explore the concept of secure by default and the need for secure defaults and self-service options. The conversation concludes with advice on educating and onboarding users, making security usable, and collecting user feedback.

    Takeaways
    -User experience is crucial in security, and products should be designed with secure defaults and self-service options.
    -Building a cross-functional security team that includes both security experts and developers can help create robust and user-friendly security solutions.
    -Applying product principles, such as secure by default and actionable guidance, can enhance the user experience in security.
    -Leveraging established design patterns and information architecture can help create effective and reusable self-service patterns in security.
    -Effective communication and clear instructions are crucial in security to ensure users understand what actions to take.
    -Just-in-time guidance can enhance the user experience by providing relevant instructions in the context of the task at hand.
    -Learning from other industries and their guidance patterns can help improve security communication and design.
    -The user experience design process involves collaboration, research, testing, and iterative feedback to create effective and usable security solutions.
    -Educating and onboarding users from the beginning helps establish security practices and make security a priority.
    -Making security usable for users requires removing complexity and using language and analogies that resonate with them.
    -Collecting user feedback and listening to users' needs and concerns is essential for improving security solutions.

    Chapters

    00:00 - Secure by Default
    04:12 - Building a Cross-Functional Security Team
    11:20 - User Experience in Security
    24:10 - Security-Flavored User Experience Strategies and Examples
    45:38 - Applying Right Size Privilege Principle
    50:02 - Creating an Effective and Reusable Self-Service Pattern
    53:54 - Effective Communication and Clear Instructions
    57:22 - Just-in-Time Guidance
    59:14 - Learning from Other Industries
    01:03:02 - User Experience Design Process
    01:09:31 - Iterative Feedback and Design Review
    01:12:23 - Educating and Onboarding Users
    01:13:51 - Making Security Usable for Users
    01:15:19 - Abstracting Complexity and Collecting User Feedback

    • 1h 16 min
    Modern Security Podcast: Jamie Finnigan on How HashiCorp Secures Their Products

    In this episode of the Modern Security Podcast we were joined by Jamie Finnigan, Director of Product Security @HashiCorp, and discussed how the security team prioritizes their time, rolling out developer-friendly security tooling, and much more.

    2:08 - Intro to Jamie Finnigan
    7:41 - The Product Security Org at HashiCorp
    11:27 - How do you determine what to focus on?
    16:40 - What does success look like for security at HashiCorp
    20:50 - The difference between outputs and outcomes
    25:52 - The Creation of Bandit
    30:37 - HashiCorp Product Security Model
    34:14 - Developer-Friendly Security Tooling
    39:56 - Tool selection
    46:09 - Eliminating SSRF via Secure Defaults
    53:22 - Overview of the Secure Defaults Approach
    59:16 - Empathy in Security

    • 1h 3 min
    Modern Security Podcast: John Steven & Security as Engineering Accelerant

    In this episode of the Modern Security Podcast, we interviewed John Steven about scaling security teams and implementing secure by default culture.

    6:23 - Intro to John Steven
    9:28 - Interesting efforts with AppSec & ProdSec to scale security
    10:20 - How to embrace secure defaults
    24:01 - Threat Modeling problems
    43:02 - Secure Control Efficacy Pyramid
    58:50 - Overcoming secure default friction
    1:04:12 - Advice for CISOs and startups

    • 1h 15 min
    Modern Security Podcast: Dev Akhawe on How to Scale Security with Secure Defaults

    For our first episode of The Modern Security Podcast, we had a wide-ranging conversation with Dev Akhawe, Head of Security at Figma, on:

    3:50 - The rise of security *engineering*
    22:42 - Career advice
    29:08 - How secure defaults can effectively scale your security team’s effectiveness, eliminating classes of vulnerabilities, and how to embrace them at your company
    38:41 - What makes a security tool great
    1:01:25 - How to automatically get continuous visibility into the code your company is writing and scale just-in-time developer education

    #modernsecuritypodcast

    • 1h 24 min
