A podcast about security for developers, covering tools and best practices.
Ep. #82, Two Angles of Application and Product Security with Mike Shema
In episode 82 of The Secure Developer, Guy Podjarny is joined by Mike Shema, host of the Application Security Weekly show, who has firsthand insights into the trends and movements in the industry. We hear about Mike’s moderator role at Square and how it ties into the organization’s engineering-biased security approach. We learn about their partnership strategy, how they split up cloud and governance security, and the benefits of specialist teams. Mike candidly shares how his empathy for developers has grown over the years, and as such, he is cognizant of not playing the gatekeeper role.
Ep. #81, Exposing the SourMint Scandal with Danny Grander
In episode 81 of The Secure Developer, Guy Podjarny is joined by Danny Grander, Co-founder and Chief Security Officer at Snyk, to discuss SourMint - a malicious SDK that has been integrated into popular apps, seeing a total of 1.2 billion downloads per month. This was before it was exposed by the Snyk research team! Here, we summarize the scandal and unpack exactly what SourMint is, with details on how it tracks Android and iOS user behaviour while allowing for remote command execution. Guy and Danny also reflect on the challenge of protecting people who are using old versions of apps that still have the malicious SDK integrated into them.
Ep. #80, Four Years On: Reflections from Our First-Ever Guest with Kyle Randolph
In episode 80 of The Secure Developer, Guy Podjarny is joined by Kyle Randolph, VP of Security, Privacy, Compliance, and Assurance at Episerver (which recently acquired Optimizely, where he was CISO). Kyle was our first-ever guest on the show back in episode 1, four years ago, so we thought it a good idea to invite him back to see how things have changed over these past four years. In this conversation, we reflect on some of the insights Kyle shared on the debut show and how these perspectives have since evolved, as well as subjects such as Tool Adoption, Control Streamlining and the Paved Road approach. The show wraps up with a look at the idea of celebration and security championing, where Kyle shares why we can never celebrate security wins enough.
Ep. #79, Training Security Champions with Brendan Dibbell, Toast
In episode 79 of The Secure Developer, Guy Podjarny is joined by Brendan Dibbell, Application Security Engineer Team Lead at Toast, a restaurant technology company based in Boston, Massachusetts. Brendan shares how they manage cloud security at Toast and what the interaction between the AppSec and engineering teams looks like, and discusses their security champion program, how it differs from the security training for regular developers, and the benefits of having created their own curriculum. Hear how Brendan and his team measure the success of their programs, focusing on progress rather than on a fixed set of objectives, and which metrics have and have not worked along the way.
Ep. #78, Approaches to Security from Across the Industry with Sacha Faust, Amazon Payments
In episode 78 of The Secure Developer, Guy Podjarny is joined by Sacha Faust, Head of Security Intelligence at Amazon Payments and formerly at Lyft. He weighs in on his experiences at Lyft versus Azure and Amazon. We also explore what it means to go deep on a bug, hearing Sacha’s ideas about learning from bug failures so you can make an impact you can measure, and the complexities of truly fixing something.
Ep. #77, Collaborating on Solutions with Andy Steingruebl, Chief Security Officer at Pinterest
In episode 77 of The Secure Developer, Guy Podjarny is joined by Andy Steingruebl, CSO at Pinterest, to talk about DevSecOps, collaboration and measuring security performance. After talking about how he splits up his teams, Andy touches on the fact that many issues spill over from one area to another, meaning the lines that divide them are often blurred and issues are tackled on a case-by-case basis. We also dive into the difficult question of how to measure security performance, hearing Andy's approach, which highlights measuring the applicability of a security control. And lots more!