The Future Of API Security With FireTail’s Jeremy Snyder

The Secure Developer

Player FM - Internet Radio Done Right

63 subscribers

הוסף לפני eight שנים

תוכן מסופק על ידי Snyk. כל תוכן הפודקאסטים כולל פרקים, גרפיקה ותיאורי פודקאסטים מועלים ומסופקים ישירות על ידי Snyk או שותף פלטפורמת הפודקאסט שלהם. אם אתה מאמין שמישהו משתמש ביצירה שלך המוגנת בזכויות יוצרים ללא רשותך, אתה יכול לעקוב אחר התהליך המתואר כאן https://he.player.fm/legal.

How to Be a Better Human

1
Throwing good parties and building community (w/ Priya Parker) 38:16

לפני 24 weeks38:16

הפעל מאוחר יותר

רשימות

לייק

אהבתי

38:16

Many of us are entering the new year with a similar goal — to build community and connect more with others. To kick off season five, Priya Parker shares ideas on how to be the host with the most. An expert on building connection, Priya is the author of “The Art of Gathering: How We Meet and Why It Matters.” Whether it's a book club, wedding, birthday or niche-and-obscurely themed party, Priya and Chris talk about how to create meaningful and fun experiences for all of your guests — including yourself. For the full text transcript, visit go.ted.com/BHTranscripts . For the full text transcript, visit go.ted.com/BHTranscripts Want to help shape TED’s shows going forward? Fill out our survey here ! Learn more about TED Next at ted.com/futureyou Hosted on Acast. See acast.com/privacy for more information.…

לפני שנה 38:00

MP3•בית הפרקים

Episode Summary

Jeremy Snyder is the co-founder and CEO of FireTail, a company that enables organizations to adopt AI safely without sacrificing speed or innovation. In this conversation, Jeremy shares his deep expertise in API and AI security, highlighting the second wave of cloud adoption and his pivotal experiences at AWS during key moments in its growth from startup onwards.

Show Notes

In this episode of The Secure Developer, host Danny Allan sits down with Jeremy Snyder, the Co-founder and CEO of FireTail, to unravel the complexities of API security and explore its critical intersection with the burgeoning field of Artificial Intelligence. Jeremy brings a wealth of experience, tracing his journey from early days in computational linguistics and IT infrastructure, through a pivotal period at AWS during its startup phase, to eventually co-founding FireTail to address the escalating challenges in API security driven by modern, decoupled software architectures.

The conversation dives deep into the common pitfalls and crucial best practices for securing APIs. Jeremy clearly distinguishes between authentication (verifying identity) and authorization (defining permissions), emphasizing that failures in authorization are a leading cause of API-related data breaches. He sheds light on vulnerabilities like Broken Object-Level Authorization (BOLA), explaining how seemingly innocuous practices like using sequential integer IDs can expose entire datasets if server-side checks are missed. The discussion also touches on the discoverability of backend APIs and the persistent challenges surrounding multi-factor authentication, including the human element in security weaknesses like SIM swapping.

Looking at current trends, Jeremy shares insights from FireTail's ongoing research, including their annual "State of API Security" report, which has uncovered novel attack vectors such as attempts to deploy malware via API calls. A significant portion of the discussion focuses on the new frontier of AI security, where APIs serve as the primary conduit for interaction—and potential exploitation. Jeremy details how AI systems and LLM integrations introduce new risks, citing a real-world example of how a vulnerability in an AI's web crawler API could be leveraged for DDoS attacks. He speculates on the future evolution of APIs, suggesting that technologies like GraphQL might become more prevalent to accommodate the non-deterministic and data-hungry nature of AI agents. Despite the evolving threats, Jeremy concludes with an optimistic view, noting that the gap between business adoption of new technologies and security teams' responses is encouragingly shrinking, leading to more proactive and integrated security practices.

Links

Follow Us

167 פרקים

#Security #Software Development #Tech News #Heavybit #Tech #News

The Future Of API Security With FireTail’s Jeremy Snyder

The Secure Developer

63 subscribers

published לפני שנה

שתפו

MP3•בית הפרקים

Episode Summary

Show Notes

Links

Follow Us

167 פרקים

#Security #Software Development #Tech News #Heavybit #Tech #News

כל הפרקים

The Secure Developer

1
Open Authorization In The World Of AI With Aaron Parecki 36:07

לפני 16 ימים36:07

36:07

Episode Summary How do we apply the battle-tested principles of authentication and authorization to the rapidly evolving world of AI and Large Language Models (LLMs)? In this episode, we're joined by Aaron Parecki , Director of Identity Standards at Okta , to explore the past, present, and future of OAuth. We dive into the lessons learned from the evolution of OAuth 1.0 to 2.1, discuss the critical role of standards in securing new technologies, and unpack how identity frameworks can be extended to provide secure, manageable access for AI agents in enterprise environments. Show Notes In this episode, host Danny Allan is joined by a very special guest, Aaron Parecki, the Director of Identity Standards at Okta, to discuss the critical intersection of identity, authorization, and the rise of artificial intelligence. Aaron begins by explaining the history of OAuth, which was created to solve the problem of third-party applications needing access to user data without the user having to share their actual credentials. This foundational concept of delegated access has become ubiquitous, but as technology evolves, so do the challenges. Aaron walks us through the evolution of the OAuth standard, from the limitations of OAuth 1 to the flexibility and challenges of OAuth 2, such as the introduction of bearer tokens. He explains how the protocol was intentionally designed to be extensible, allowing for later additions like OpenID Connect to handle identity and DPoP to enhance security by proving possession of a token. This modular design is why he is now working on OAuth 2.1—a consolidation of best practices—instead of a complete rewrite. The conversation then shifts to the most pressing modern challenge: securing AI agents and LLMs that need to interact with multiple services on a user's behalf. Aaron details the new "cross-app access" pattern he is working on, which places the enterprise Identity Provider (IDP) at the center of these interactions. This approach gives enterprise administrators crucial visibility and control over how data is shared between applications, solving a major security and management headache. For developers building in this space today, Aaron offers practical advice: leverage individual user permissions through standard OAuth flows rather than creating over-privileged service accounts. Links Okta OpenID Foundation IETF The House Files PDX (YouTube Channel) WIMSE AuthZEN Working Group aaronpk on GitHub Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn…

The Secure Developer

1
The Evolution Of Platform Engineering With Massdriver CEO Cory O’Daniel 40:01

לפני 4 weeks40:01

40:01

Episode Summary Dive into the ever-evolving world of platform engineering with Cory O’Daniel , CEO and co-founder of Massdriver . This episode explores the journey of DevOps, the challenges of building and scaling infrastructure, and the crucial role of creating effective abstractions to empower developers. Cory shares his insights on the shift towards platform engineering as a means to build more secure and efficient software by default. Show Notes In this episode of The Secure Developer, host Danny Allan sits down with Cory O’Daniel, CEO and co-founder of Massdriver, to discuss the dynamic landscape of platform engineering. Cory, a seasoned software engineer and first-time CEO, shares his extensive experience in the Infrastructure as Code (IaC) space, tracing his journey from early encounters with EC2 to founding Massdriver. He offers candid advice for developers aspiring to become CEOs, emphasizing the importance of passion and early customer engagement. The conversation delves into the evolution of DevOps over the past two decades, highlighting the constant changes in how software is run, from mainframes to serverless containers and now AI. Cory argues that the true spirit of DevOps lies in operations teams producing products that developers can easily use. He points out the challenge of scaling operations expertise, suggesting that IT and Cloud practices need to mature in software development to create better abstractions for developers, rather than expecting developers to become infrastructure experts. A significant portion of the discussion focuses on the current state of abstractions in IaC. Cory contends that existing public abstractions, like open-source Terraform modules, are often too generic and don't account for specific business logic, security, or compliance requirements. He advocates for operations teams building their own prescriptive modules that embed organizational standards, effectively shifting security left by design rather than by burdening developers. The episode also touches upon the potential and limitations of AI in the operations space, with Cory expressing skepticism about AI's current ability to handle the contextual complexities of infrastructure without significant, organization-specific training data. Finally, Cory shares his optimism for the future of platform engineering, viewing it as a return to the original intentions of DevOps, where operations teams ship software with ingrained security and compliance, leading to more secure systems by default. Links MassDriver Ansible Chef Terraform DevOps is Bullshit Elephant in the Cloud Docker Postgres OpenTofu Helm Redis Elixir Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn…

The Secure Developer

1
The Future Of API Security With FireTail’s Jeremy Snyder 38:00

לפני 6 weeks38:00

38:00

Episode Summary Jeremy Snyder is the co-founder and CEO of FireTail , a company that enables organizations to adopt AI safely without sacrificing speed or innovation. In this conversation, Jeremy shares his deep expertise in API and AI security, highlighting the second wave of cloud adoption and his pivotal experiences at AWS during key moments in its growth from startup onwards. Show Notes In this episode of The Secure Developer, host Danny Allan sits down with Jeremy Snyder, the Co-founder and CEO of FireTail, to unravel the complexities of API security and explore its critical intersection with the burgeoning field of Artificial Intelligence. Jeremy brings a wealth of experience, tracing his journey from early days in computational linguistics and IT infrastructure, through a pivotal period at AWS during its startup phase, to eventually co-founding FireTail to address the escalating challenges in API security driven by modern, decoupled software architectures. The conversation dives deep into the common pitfalls and crucial best practices for securing APIs. Jeremy clearly distinguishes between authentication (verifying identity) and authorization (defining permissions), emphasizing that failures in authorization are a leading cause of API-related data breaches. He sheds light on vulnerabilities like Broken Object-Level Authorization (BOLA), explaining how seemingly innocuous practices like using sequential integer IDs can expose entire datasets if server-side checks are missed. The discussion also touches on the discoverability of backend APIs and the persistent challenges surrounding multi-factor authentication, including the human element in security weaknesses like SIM swapping. Looking at current trends, Jeremy shares insights from FireTail's ongoing research, including their annual "State of API Security" report, which has uncovered novel attack vectors such as attempts to deploy malware via API calls. A significant portion of the discussion focuses on the new frontier of AI security, where APIs serve as the primary conduit for interaction—and potential exploitation. Jeremy details how AI systems and LLM integrations introduce new risks, citing a real-world example of how a vulnerability in an AI's web crawler API could be leveraged for DDoS attacks. He speculates on the future evolution of APIs, suggesting that technologies like GraphQL might become more prevalent to accommodate the non-deterministic and data-hungry nature of AI agents. Despite the evolving threats, Jeremy concludes with an optimistic view, noting that the gap between business adoption of new technologies and security teams' responses is encouragingly shrinking, leading to more proactive and integrated security practices. Links FireTail Rapid7 Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn…

The Secure Developer

1
The Case For Steward Ownership And Open Source With Melanie Rieback 44:11

לפני 8 weeks44:11

44:11

Episode Summary Is the traditional Silicon Valley startup model harming the security industry? In this episode of The Secure Developer, Danny Allan talks with Melanie Rieback , founder of Radically Open Security, about shaking up the industry with nonprofit business models. Tuning in, you’ll learn about the inner workings of Radically Open Security as a non-profit organization and the positive impact its donations have had on the open source ecosystem. We discuss the benefits of a steward-ownership business model, why it pairs so well with open source, and its power to reform venture capital and align incentives with long-term sustainability. For those interested in diving deeper, Melanie shares resources from her startup incubator, Nonprofit Ventures , and her free online Post Growth Entrepreneurship course . Tune in to learn why reforming our business models is vital for preserving and protecting our open source ecosystem and, by extension, security! Show Notes In this episode, Snyk CTO Danny Allan chats with Dr. Melanie Rieback, founder of Radically Open Security, about her journey from academia and pen testing to founding a cybersecurity company with a radically different business model. Melanie shares the motivations behind creating a not-for-profit organization that donates 90% of its profits to the NLnet Foundation, supporting open source and digital rights initiatives. They discuss the discontent with traditional cybersecurity business practices, including lack of transparency and ethical concerns like selling zero-days. Melanie explains Radically Open Security's structure, operating as a collective primarily using contractors, and how this model has allowed them to grow to 50 people while serving major clients and offering pro-bono work for nonprofits and critical open source projects like the Tor Project and Tails. The conversation then broadens to discuss alternative business models like steward ownership, where profit rights are separated from voting rights, aiming to lock value within the company and prevent mission drift often caused by traditional VC funding. They explore the concept of "Post Growth Entrepreneurship," which Melanie teaches, focusing on non-extractive business models and reforming finance itself. The discussion touches upon whether the tech industry, particularly open source, is moving towards more sustainable and ethical models, citing examples like Signal, Proton, Mastodon, and Mozilla. Melanie emphasizes that the culture of open source developers is often inherently altruistic, not greedy, but can be compromised by traditional funding systems. Finally, Melanie offers resources for listeners interested in learning more about these alternative models. Links Radically Open Security Radically Open Security on LinkedIn NLnet Foundation Nonprofit Ventures Post Growth Entrepreneurship Course Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Advancing AppSec With AI With Akira Brand 34:52

לפני 10 weeks34:52

34:52

Episode Summary In this episode of The Secure Developer, Danny Allan sits down with Akira Brand , AVP of Application Security at PRA Group , to explore the evolving landscape of application security and AI. Akira shares her unconventional journey from opera to cybersecurity, discusses why AppSec is fundamentally a customer service role and breaks down how AI is reshaping security workflows. Tune in to hear insights on integrating security seamlessly into development, AI’s role in secure coding, and the future of AppSec in a rapidly shifting tech landscape. Show Notes In this engaging episode, The Secure Developer welcomes Akira Brand, AVP of Application Security at PRA Group, for an in-depth discussion on the intersection of AI and application security. Akira’s unique background in opera and stage direction offers a fresh perspective on fostering collaboration in security teams and influencing organizational culture. Key Topics Covered: From Opera to AppSec: Akira shares her journey from classical music to cybersecurity and how her experience in stage direction translates into leading security teams. AppSec as a Customer Service Role: The importance of serving software engineers by providing security solutions that fit seamlessly into their workflows. The ‘Give Them the Pickle’ Approach: How meeting developers where they are and educating them can lead to better security adoption. AI’s Role in Secure Development: How AI-driven tools are transforming the way security is integrated into the software development lifecycle. Challenges in Security Culture: Why security is still an afterthought in many development processes and how to change that mindset. Future of AI in Security: The promise and risks of AI-assisted security tools and the need for standards to keep pace with rapid technological advancements. Links PRA Group Turing School Brian Holt Frontend Masters Resilia Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Authentication, Authorization, And The Future Of AI Security With Alex Salazar 38:36

לפני 12 weeks38:36

38:36

Episode Summary In this episode of The Secure Developer, host Danny Allan sits down with Alex Salazar , founder and CEO of Arcade , to discuss the evolving landscape of authentication and authorization in an AI-driven world. Alex shares insights on the shift from traditional front-door security to back-end agent interactions, the challenges of securing AI-driven agents, and the role of identity in modern security frameworks. The conversation delves into the future of AI, agentic workflows, and how organizations can navigate authentication, authorization, and security in this new era. Show Notes Danny Allan welcomes Alex Salazar, an experienced security leader and CEO of Arcade, to explore the transformation of authentication and authorization in AI-powered environments. Drawing from his experience at Okta, Stormpath, and venture capital, Alex provides a unique perspective on securing interactions between AI agents and authenticated services. Key topics discussed include: The Evolution of Authentication & Authorization: Traditional models focused on front-door access (user logins, SSO), whereas AI-driven agents require secure back-end interactions. Agentic AI and Security Risks: How AI agents interact with services on behalf of users, and why identity becomes the new perimeter in security. OAuth and Identity Challenges: Adapting OAuth for AI agents, ensuring least-privilege access, and maintaining security compliance. AI Hallucinations & Risk Management: Strategies for mitigating LLM hallucinations, ensuring accuracy, and maintaining human oversight. The Future of AI & Agentic Workflows: Predictions on how AI will continue to evolve, the rise of specialized AI models, and the intersection of AI and physical automation. Alex and Danny also discuss the broader impact of AI on developer productivity, with insights into how companies can leverage AI responsibly to boost efficiency without compromising security. Links Arcade.dev - Make AI Actually Do Things Okta - Identity OAuth - Authorization Protocol LangChain - Applications that Can Reason Hugging Face - The AI Community Building the Future Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Rethinking Secure Communication With Mrinal Wadhwa 40:32

לפני 14 weeks40:32

40:32

Episode Summary In this episode of The Secure Developer, Danny Allan sits down with Mrinal Wadhwa , CTO at Ockam , to explore the evolving landscape of secure communication in distributed systems. They discuss the challenges of securing microservices, IoT networks, and Kubernetes environments and how traditional TLS-based security models may no longer be sufficient. Mrinal shares insights into Ockam’s approach to end-to-end encrypted, mutually authenticated channels and the impact of WebAssembly, passkeys, and modern cryptographic identity management on security. Tune in for a deep dive into how organizations can rethink security at runtime to minimize risks in today’s complex digital ecosystems. Show Notes Security in modern applications is more challenging than ever, with microservices architectures, IoT deployments, and distributed computing environments introducing new risks. In this episode, Danny Allan welcomes Mrinal Wadhwa, CTO at Ockam, to discuss how secure communication models need to evolve beyond traditional TLS and perimeter-based defenses. Topics covered include: The challenges of securing microservices and Kubernetes clusters How end-to-end encryption and mutual authentication can minimize risk The importance of cryptographic identities and key rotation at scale How Ockam enables secure channels across multiple transport layers (TCP, Bluetooth, Kafka, etc.) The role of WebAssembly and passkeys in rethinking security models Shifting from perimeter-based security to secure-by-design communication Mrinal shares key insights on how organizations can rethink risk at runtime, considering the number of people and systems involved in data flow rather than just static build-time dependencies. Whether you're a security leader, developer, or architect, this episode provides actionable insights on building trust in your infrastructure without compromising performance or agility. Links Ockam Passkeys Overview Private Compute Cloud by Apple Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn…

The Secure Developer

1
The Future Of Security, Privacy And Control With Wayne Chang 39:22

לפני 16 weeks39:22

39:22

Episode Summary In this episode of The Secure Developer, Danny Allan , CTO of Snyk, sits down with Wayne Chang , Founder and CEO of SpruceID , to explore the evolving landscape of digital identity and security. From self-sovereign identity to the role of AI in authentication, they discuss the future of identity management, the risks of centralized systems, and the benefits of decentralized approaches. They also dive into how policy, compliance, and emerging technologies like passkeys and zero-knowledge proofs are shaping the security ecosystem. Show Notes The world of digital identity is changing fast, and in this episode of The Secure Developer , we explore how security professionals and developers can navigate this evolving space. Host Danny Allan is joined by Wayne Chang, Founder and CEO of SpruceID, to discuss key trends and challenges in identity management. Topics Discussed: Wayne's Background: From health tech to digital identity, how Wayne’s early struggles with integrating health records led to his passion for self-sovereign identity. The Evolution of Digital Identity: Why usernames and passwords are no longer the gold standard, and how newer methods like passkeys and cryptographic credentials improve security. Decentralization vs. Centralization: The trade-offs between federated identity systems (like OAuth and SSO) and self-hosted identity wallets. The Role of AI in Identity Security: How AI is both a tool for improving security and a threat vector for identity fraud. Privacy and Compliance: How regulations like GDPR, CCPA, and emerging state-level laws influence digital identity strategies. The Future of Authentication: The move from multi-factor authentication to "myriad factor authentication," leveraging multiple signals for seamless and secure access. Wayne and Danny also discuss real-world use cases, including the development of mobile driver's licenses, emerging digital identity wallets, and the challenges of ensuring privacy and security while maintaining usability. The conversation highlights how organizations can stay ahead with better authentication practices and privacy-preserving architectures as fraud becomes more sophisticated. Links SpruceID - Identity infrastructure for the digital world NIST - The National Institute of Standards and Technology NIST SP 800-63 - Digital Identity Guidelines ACLU Digital ID State Legislative Recommendations Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Building Security Culture With Dustin Lehr 38:15

לפני 18 weeks38:15

38:15

Episode Summary Security is more than just a checklist—it’s a cultural movement. In this episode, Dustin Lehr , Co-founder of Katilyst , joins Danny Allan to explore the intersection of security, engineering, and culture. They discuss how to foster security champions, scale security programs, and build a culture where developers naturally integrate security into their workflows. Dustin shares insights from his extensive career, offering practical strategies for creating lasting change in security practices. Show Notes Security isn’t just about tools—it’s about people. In this episode of The Secure Developer , Dustin Lehr, Co-founder of Katilyst, joins Danny Allan to discuss the importance of building a strong security culture within engineering teams. Dustin shares his journey from software engineering to security leadership, emphasizing how security should be an extension of software quality. He highlights how security champions programs can empower developers to take ownership of security without disrupting their workflow. Key topics include: The evolution of software development and how security fits in Best practices for launching and sustaining a security champions program The psychology of change and how to influence developer behavior The role of AI in security culture—what works and what doesn’t Metrics and strategies for measuring the success of security initiatives With real-world insights and actionable advice, this episode is a must-listen for security and engineering leaders looking to scale security through culture, not just technology. Links Katilyst – Dustin Lehr’s company focused on security culture Security Champion Program Success Guide – A free resource for building effective security champion programs Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Securing And Defending Like Brazilian Jiu-Jitsu With Jeremiah Grossman 36:57

לפני 20 weeks36:57

36:57

Episode Summary Join Jeremiah Grossman , application security pioneer and former CEO of WhiteHat Security , as he reflects on decades of innovation in the industry, from the early days of OWASP to today’s AI-driven development landscape. Explore critical discussions about the escalating costs of security, aligning developer incentives, and the future challenges posed by AI-generated vulnerabilities. Packed with insights, this episode dives deep into the strategies and frameworks shaping the way we build and secure modern software. Show Notes In this episode of The Secure Developer , we sit down with Jeremiah Grossman, a pioneer in application security and former CEO of WhiteHat Security. Jeremiah shares fascinating insights from his decades of experience shaping the security landscape, including the origins of the OWASP project and his role in raising awareness about critical vulnerabilities like SQL injection and cross-site scripting. The conversation delves into how the industry has evolved over the past two decades, from the early days when nearly every application was riddled with vulnerabilities to today’s more robust frameworks and heightened security awareness. Despite these advancements, Jeremiah and Danny discuss why security spending remains high while organizations continue to struggle with improving their overall security posture. Key topics include: The misalignment of incentives in software development that prioritizes speed over security. The emerging role of cyber insurance in shaping organizational security practices. The challenges of unknown assets and their contribution to breaches, highlighting the importance of asset inventory and attack surface management. The impact of AI on software development, particularly the risks and opportunities presented by AI-generated code and new attack surfaces. Jeremiah also shares his thoughts on aligning incentives for secure development, including innovative approaches like developer performance metrics and reward structures for secure coding. The episode concludes with a look at Jeremiah’s current focus on venture capital and fostering innovation in security, as well as his personal passion for Brazilian jiu-jitsu and its parallels with the security industry. This episode is a deep dive into the critical challenges and opportunities facing modern security professionals, offering actionable insights and thought-provoking discussions for developers, CISOs, and security practitioners alike. Links OWASP (Open Web Application Security Project) Black Hat Node.js Brave Browser Chromium Cornell Study on AI Code Vulnerabilities Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn…

The Secure Developer

1
The Development Of Security With David Mytton 34:23

לפני 22 weeks34:23

34:23

Episode Summary In this episode of The Secure Developer, host Danny Allan sits down with David Mytton , founder and CEO of Arcjet , former CEO of Server Density , and co-founder of Console.dev . David shares his insights into bridging the “developer-security gap” with Arcjet, a cutting-edge middleware SDK designed to empower developers with advanced security tools like rate limiting and bot protection. The conversation dives into the evolution of developer tools, the growing role of AI in coding, and the future of secure software development in modern environments. David also offers a fascinating perspective on sustainable computing and the impact of clean energy in the tech industry. Show Notes In this thought-provoking episode of The Secure Developer , host Danny Allan sits down with David Mytton, founder and CEO of Arcjet, to explore the evolving intersection of development, security, and AI. David, a serial entrepreneur with deep roots in cloud monitoring and developer tools, shares his journey from co-founding Server Density to building Arcjet, a groundbreaking solution for developers managing runtime security. The conversation begins with David’s take on why developers should prioritize security early in the development lifecycle. He highlights the challenges developers face in modern environments, where traditional security tools often fail to integrate seamlessly with serverless and edge computing platforms. David introduces Arcjet as an innovative SDK that empowers developers to implement rate-limiting, bot detection, and other security measures directly in their applications, offering a developer-first approach to runtime protection. Delving deeper, the discussion shifts to the rise of WebAssembly as a transformative technology. David explains how WebAssembly enables near-native performance across platforms while providing unparalleled isolation—making it a perfect fit for modern security needs. He contrasts this with traditional intrusion detection systems and outlines how Arcjet leverages WebAssembly to fill the gaps left by legacy tools. The episode also explores the broader evolution of the developer ecosystem. From the increasing adoption of AI-powered coding tools to the growing interest in languages like Rust, David shares his perspective on how these trends are reshaping software development. He also discusses the challenges of balancing AI-generated code with the need for security and the potential for AI to exacerbate vulnerabilities if not carefully managed. As the conversation wraps up, David touches on his research in sustainable computing and its implications for the tech industry. He highlights the positive strides being made toward greener computing practices and how developers can contribute to a more sustainable future. This episode offers a rich blend of technical insights, forward-thinking ideas, and practical advice for developers and security professionals navigating the ever-changing landscape of software security and development. Links Arcjet Console Acquia Rust Programming Language University of Oxford Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Securing The Future: How AI Is Transforming Vulnerability Detection With Berkay Berabi 29:45

לפני 24 weeks29:45

29:45

Episode Summary Imagine if AI could detect and fix vulnerabilities in your code faster and with greater precision than ever before. That future is already here! In today’s episode, we’re joined by Berkay Berabi , an AI researcher and Senior Software Engineer at Snyk , to dive into the cutting-edge world of AI-powered vulnerability detection. Berkay offers insight into how Snyk is leveraging a hybrid AI approach to detect and fix vulnerabilities in code, combining human-driven expertise with machine learning for greater accuracy and scalability. He also introduces CodeReduce , a game-changing tool by Snyk that strips away irrelevant code, streamlining the detection process and addressing the challenges posed by complex, multi-step data flows. Through rigorous model testing, Snyk ensures that AI-generated fixes are validated to prevent errors, making the process faster and more reliable. Show Notes In this fascinating episode of The Secure Developer, host Danny Allan sits down with Berkay Berabi, an AI researcher at Snyk, to explore the groundbreaking CodeReduce technology and its implications for software security. Berabi, who transitioned from electrical engineering to AI research, shares insights into how Snyk is revolutionizing vulnerability detection and remediation using artificial intelligence. The conversation delves deep into the technical aspects of CodeReduce, explaining how this innovative approach reduces complex code structures by up to 50 times their original size while maintaining vulnerability detection capabilities. Berabi explains the sophisticated process of code reduction, analysis, and fix generation, highlighting how AI models can better understand and address security vulnerabilities when working with simplified code. The discussion also covers the challenges of different AI models, from T5 to StarCoder and Mixtral, exploring their varying capabilities, accuracies, and performance trade-offs. The episode critically examines the future of AI in software development, addressing both opportunities and concerns. Berabi and Allan discuss recent findings about AI-generated code potentially introducing new vulnerabilities, referencing Gartner's prediction that by 2027, 25% of software vulnerabilities could be created by AI-generated code. They explore how tools like CodeReduce and other AI-powered security measures might help mitigate these risks while examining the broader implications of AI assistance in software development. This episode offers valuable insights for developers, security professionals, and anyone interested in the intersection of AI and software security. Links DeepCode AI Fix Research Paper DeepCode AI Fix Blog Post Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Revolutionizing Coding - The Future Of AI-Driven Development With Jeff Wang 34:50

לפני 46 weeks34:50

34:50

Episode Summary Are you ready to revolutionize your coding experience with cutting-edge AI tools? In this episode of The Secure Developer, host Danny Allan is joined by Jeff Wang , Head of Business at Codeium , to take a deep dive into the transformative power of generative AI in software development. Discover how coding assistants have evolved from simple auto-complete functions to sophisticated AI-driven tools, the significant impact these advancements have had on productivity and innovation, and how Codeium is addressing some of the security challenges they pose. Tuning in, you’ll learn how you can stay ahead in the rapidly changing tech landscape and supercharge your development process. Show Notes In this insightful episode of The Secure Developer, host Danny Allan sits down with Jeff Wang from Codeium to explore the rapidly evolving world of AI-powered coding assistants. As organizations increasingly look to harness the power of Generative AI in software development, Jeff provides a comprehensive overview of how these tools transform the coding landscape. The conversation starts with a journey through the history of coding assistants, from early autocomplete features to today's sophisticated AI-driven tools. Jeff explains how Large Language Models (LLMs) have revolutionized code generation, offering unprecedented levels of accuracy and efficiency. He delves into the various features of modern coding assistants, including chat functions for code understanding and debugging, highlighting how these tools cater to both junior and senior developers. Security concerns are a key focus of the discussion, with Jeff addressing how Codeium tackles data privacy and protection. He outlines strategies such as air-gapped deployments and local data processing to ensure that sensitive code remains secure. The episode also touches on the challenges of measuring the impact of these tools, with Jeff sharing insights on how companies are quantifying success through metrics like code generation percentage and developer productivity. Looking to the future, Jeff and Danny explore the potential trajectories of AI in software development. They discuss the possibility of more complex, multi-step AI processes and the integration of AI across the entire software development lifecycle. The conversation concludes with thought-provoking insights on how AI coding assistants are improving productivity and enabling developers and organizations to "dream bigger" and tackle more ambitious projects. This episode offers listeners a deep dive into the cutting-edge world of AI-assisted coding, providing valuable insights for developers, technology leaders, and anyone interested in the future of software development. Tune in to understand how these tools reshape the industry and why they're becoming essential to modern development practices. Links Codeium Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Implementing A DevSecOps Program For Large Organizations With David Imhoff 40:29

לפני 48 weeks40:29

40:29

Episode Summary In this episode of The Secure Developer, David Imhoff , Director of DevSecOps and Product Security at Kroger , shares insights on implementing DevSecOps in large organizations. He discusses balancing regulatory compliance with business objectives, fostering a security culture, and the challenges of risk mitigation. David also explores the importance of asset management, security champions, and the potential impact of AI on cybersecurity practices. Show Notes In this episode of The Secure Developer, host Danny Allan speaks with David Imhoff, Director of DevSecOps and Product Security at Kroger, about implementing security programs in large organizations. David shares his experience transitioning from blue team operations to engineering and back to security, emphasizing the importance of understanding both security and engineering perspectives to create effective DevSecOps programs. The conversation delves into the challenges of starting a security program in a large retail organization, with David highlighting the importance of understanding regulatory requirements, such as HIPAA, and aligning security measures with business objectives. He discusses the use of the NIST Cybersecurity Framework for measuring and reporting security posture to the board, and the process of balancing security needs with business risk appetite. David explains Kroger's approach to building a security culture, including the implementation of a security champions program and the use of Objectives and Key Results (OKRs) to drive security initiatives. He details the company's strategies for centralizing security policies while allowing flexibility in implementation across different engineering teams. The discussion also covers the integration of security tools into the development pipeline, including the use of GitHub Actions for vulnerability scanning and management. The episode explores various security technologies employed at Kroger, including Software Composition Analysis (SCA), Static Application Security Testing (SAST), API security, and secrets scanning. David shares insights on the challenges of prioritizing security alerts and the ongoing effort to provide a cohesive view of risk across multiple tools. The conversation concludes with a discussion on the potential impact of AI on security practices, including the new challenges it presents in areas such as data poisoning and model management, as well as the potential for AI to improve threat modeling processes. Links NIST Cybersecurity Framework Follow Us Our Website Our LinkedIn…

The Secure Developer

1
The Evolution of Snyk, The Developer Security Company, With Guy Podjarny 50:56

לפני 1 year50:56

50:56

Episode Summary In this special episode of “The Secure Developer,” host Danny Allan interviews Snyk founder Guy Podjarny about the origins and evolution of Snyk. Guy shares his journey from conceptualizing Snyk in the shower to building it into a developer-first security platform. They discuss the challenges and successes of integrating security into the developer workflow, the importance of open-source security, and the impact of AI on the industry. Guy also provides insights into Snyk’s focus on remediation and the future of autonomous developer security. Show Notes In this episode of The Secure Developer, host Danny Allan sits down with Guy Podjarny, founder of Snyk, for an engaging conversation about the company's journey and its impact on the DevSecOps landscape. Guy shares the story of Snyk's inception, from the initial idea sparked in a shower to its development into a leading developer-first security platform. He discusses the challenges faced in the early days, including the need to balance depth and breadth in their security solutions and how these experiences shaped Snyk's approach to integrating security seamlessly into the developer workflow. Guy delves into the pivotal moments that defined Snyk's evolution, such as the decision to focus on open-source security and the subsequent expansion into container and infrastructure as code security. He highlights the importance of making security tools that developers love and can easily adopt, which has been a cornerstone of Snyk’s philosophy. The conversation also touches on the strategic acquisitions that bolstered Snyk's capabilities, particularly the acquisition of DeepCode, which brought innovative AI-driven static analysis into the fold. As the discussion moves forward, Guy and Danny explore the future of security in the AI era. They consider the potential of AI to revolutionize how vulnerabilities are detected and fixed, envisioning a future where code can be autonomously corrected without developer intervention. Guy emphasizes the need for a holistic approach to security, one that combines static analysis with runtime insights to provide comprehensive protection. This episode offers a deep dive into the philosophy, challenges, and innovations that have driven Snyk’s success. It provides listeners with valuable insights into the evolution of developer-first security and the role of AI in shaping the future of software development. Whether you're a developer, security professional, or tech enthusiast, this conversation is packed with lessons and foresight that you won’t want to miss. Tune in to hear from one of the leading minds in DevSecOps and learn how Snyk continues to lead the charge in making security an integral part of the development process. Links Snyk Open Source Snyk Code DevSecCon Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Secrets Management With Doppler's Brian Vallelunga 26:15

לפני 1 year26:15

26:15

Episode Summary In this episode of The Secure Developer we're joined by Brian Vallelunga , Founder and CEO of Doppler , to discuss the importance of secrets management in modern application development. Brian shares his journey in creating Doppler, a secrets manager designed for developers and DevOps teams, and highlights the challenges organizations face in managing sensitive data such as API keys, database credentials, and certificates. The conversation explores best practices for secure secret storage, the need for industry-wide adoption of secrets rotation, and the potential impact of AI on the future of secrets management and identity-based authentication. Show Notes In this insightful episode of The Secure Developer, we sit down with Brian Vallelunga, Founder and CEO of Doppler, to dive deep into the critical topic of secrets management in modern application development. Brian shares Doppler's unique founding story, which began as a crypto machine learning marketplace but pivoted to address the pressing need for effective secrets management solutions. Throughout the conversation, Brian and Danny explore the challenges developers and organizations face when managing sensitive data, such as API keys, database credentials, and certificates. They discuss best practices for secure secret storage, emphasizing the importance of encryption, seamless integration with developer workflows, and creating a positive developer experience. The discussion also touches on the industry's struggle with secrets rotation and the need for standardization across providers to enable effective rotation strategies. Brian and Danny consider the potential role of compliance requirements, such as SOC 2, in driving the adoption of robust secrets management practices. Looking to the future, the pair explores the impact of artificial intelligence on secrets management and the potential shift towards identity-based authentication. They envision a world where AI agents dynamically provision infrastructure and manage the connections between various services, with secrets managers facilitating seamless authentication. Tune in to this engaging episode to gain valuable insights into the evolving landscape of secrets management and discover how industry leaders like Snyk and Doppler are working to secure the future of application development. Links Twilio Stripe Nullify Vercel Kubernetes Amazon Web Services GitHub Copilot Magic Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Special Update! 2:32

לפני 1 year2:32

2:32

Special news about the future of The Secure Developer! Follow Us Our Website Our LinkedIn

The Secure Developer

1
Unravelling Trends In Data Security With Danny Allan 36:58

לפני 1 year36:58

36:58

Episode Summary Are you curious about the ever-changing landscape of data security? In this episode, we are joined by Danny Allan , the newly appointed Chief Technology Officer at Snyk, to delve into the evolving landscape of data security. In our conversation, we discussed his professional background and how he went from hacking security systems at university to becoming a security expert at Snyk. Hear about his experience in dynamic application security testing and the challenges and opportunities of working for large companies. We unpack how controlling human actions can reduce security vulnerabilities, the nuances of running cloud-hosted services, and how the techniques used for static application security testing have changed. Danny explains the importance of considering security aspects during the early stages of software development and how governance has integrated into data security measures. Gain valuable insights into the ever-changing landscape of data security, AI’s potential role in revolutionizing security practices, and much more. Show Notes In this episode, Guy Podjarny is joined by Danny Allan, the new CTO at Snyk. Danny shares his fascinating career journey that has taken him in and out of the application security space over the past 20+ years. They discuss how application security practices like static analysis (SAST) and dynamic scanning (DAST) have evolved, with SAST becoming much faster and easier to integrate earlier in the development cycle. Danny reflects on what has changed and what has surprisingly stayed the same since his earlier days in AppSec. The conversation digs into the intersections between application security, data security, cloud security, and how these domains are becoming more interconnected as the same teams take on responsibilities across these areas. Danny draws insights from his recent experience at Veeam, highlighting how practices like data immutability and multi-person authorization grew in importance to combat ransomware threats. Looking ahead, Danny and Guy explore the potential impact of AI/ML on application security. From automating threat modeling to personalizing vulnerability findings based on developer interests to generating rules and fixes, Danny sees AI unlocking many opportunities to transform AppSec practices. Overall, this episode provides a unique perspective spanning Danny's 20+ year career in security. His experiences illustrate the evolution of AppSec tooling and processes, the blurring of domains like app/data/cloud security, and how AI could radically reshape the future of application security. Links VMware Veeam Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn Follow Us Our Website Our LinkedIn…

The Secure Developer

1
The Crucial Role Of Consolidated Platforms In DevSecOps With John Delmare 29:10

לפני 1 year29:10

29:10

Episode Summary Explore the role of consolidated platforms in software development with our guest, John Delmare , Global Application and Cloud Security Lead of Accenture. This episode dives into the growing complexity in the developer space and how these platforms streamline processes and foster collaboration among distributed teams. We discuss balancing application and cloud security, the financial and time-saving benefits of integrated platforms, and the role of best-of-breed technology in an evolving tooling landscape. Tune in for a preview of future secure development practices and practical advice on navigating this dynamic space. Show Notes In this engaging episode of The Secure Developer, host Simon Maple chats with John Delmare, Managing Director of Accenture and Global Application and Cloud Security Lead, about the movement towards platform consolidation in the field of DevSecOps. They dive into an in-depth exploration of the potential advantages and barriers that emerge from the reduction of tool sprawl. Using his extensive experience and insights, Delmare sheds light on how this development can enhance efficiency for developers and, at the same time, benefit companies by making processes more streamlined, cost-efficient, and effective. Not losing sight of the role of best-of-breed tools, the conversation takes a turn into how such tools fare in the current scenario, whether they still hold relevance, or if the consolidation trend is set to overshadow them. More intriguingly, Delmare and Maple delve into the potential implications of emerging technologies like General Artificial Intelligence (GenAI) on the strategies for security tooling. Further enriching the conversation, they emphasize the critical need for a common ground between security and development teams. Platform consolidation comes into play here by offering shared data views and aligning the teams towards unified goals, making the perfect case for seamless DevSecOps practices. This episode is packed with insights that would cater to developers, security professionals, and decision-makers in the IT industry, offering them a clearer view of the current trends and allowing them to make strategically sound decisions. Tune in to be part of this insightful conversation. Links Accenture Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Redefining Cybersecurity With Sean Catlett 49:19

לפני 1 year49:19

49:19

Episode Summary In this episode of The Secure Developer, Guy Podjarny and guest Sean Catlett discuss the shift from traditional to engineering-first security practices. They delve into the importance of empathy and understanding business operations for enforcing better security. Catlett emphasizes utilizing AI for generic tasks to focus on crafting customized security strategies. Show Notes In this episode of The Secure Developer, host Guy Podjarny chats with experienced CISO Sean Catlett about transforming traditional security cultures into a more modern, engineering-first approach. Together, they delve into the intricacies of this paradigm shift and the resulting impact on organizational dynamics and leadership perspectives. Starting with exploring how an empathetic understanding of a business's operational model can significantly strengthen security paradigms, the discussion progresses toward the importance of creating specialized security protocols per unique business needs. They stress that using AI and other technologies for generic tasks can free up teams to concentrate on building tailored security solutions, thereby amplifying their efficiency and impact on the company's growth. In the latter part of the show, Catlett and Podjarny investigate AI's prospective role within modern security teams and lay out some potential challenges. Recognizing the rapid evolutionary pace of such technologies, they believe keeping up with AI advancements is crucial for capitalizing on its benefits and pre-empting potential pain points. AI-curious listeners will find this episode brimming with valuable insights as Catlett and Podjarny demystify the complexities and highlight the opportunities of the current security landscape. Tune in to learn, grow, and transform your security strategy. Links Slack FedRAMP GitHub Copilot ChatGPT Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Inside The Matrix Of Container Security: A Deep Dive Into Container Breakout Vulnerabilities 51:00

לפני 1 year51:00

51:00

Episode Summary In this special episode, our guest host, Liran Tal , interviews Snyk's Staff Security Researcher, Rory McNamara , about newly discovered high-impact container breakout vulnerabilities. Liran and Rory go deep into the vulnerabilities and cover everything you need to know, how the vulnerabilities were discovered, and much more. Show Notes In this informative episode of The Secure Developer, guest host Liran Tal chats with Snyk security researcher Rory McNamara about his ground-breaking discoveries related to Docker vulnerabilities. McNamara's diligent investigations have spotlighted significant container breakout weaknesses, prompting a deep-dive exploration of the complexities of Docker’s security scene. Refreshingly candid about the intricacies involved in tracking down these vulnerabilities, McNamara shares the detective-like processes he uses to trace the connections between key components and functionalities. As they discuss the eye-opening potential for exploitation, Rory highlights how using strace helped him decode the problematic underbelly of Docker. Listening to this episode opens up a world of understanding about software supply chain security and the wider implications of these emerging vulnerabilities. Ideal for both security leaders wanting to stay on the cutting edge and developers interested in the nitty-gritty, this conversation not only reveals the problems but also offers solutions. McNamara drives home the importance of timely updates, adopting the principle of least privilege, and layering security measures for optimal protection. This is a must-listen for anyone wanting to deepen their understanding of today's vital security challenges. Links Leaky Vessels Blog Post Docker Kubernetes OWASP Top 10 Firecracker Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Threat Modeling In The Age Of Artificial Intelligence With Laura Bell Main 45:15

לפני 1 year45:15

45:15

Episode Summary Laura Bell Main , CEO at SafeStack , discusses the two-fold implications of AI for threat modeling in DevSecOps. She highlights challenges in integrating AI systems, the importance of data verifiability, and the potential efficiencies AI tools can introduce. With guidance, she suggests it's possible to manage the complexities and ensure the responsible utilization of AI. Show Notes In this intriguing episode of The Secure Developer, listen in as Laura Bell Main, CEO at SafeStack, dives into the intricate world of AI and its bearing on threat modeling. Laura provides a comprehensive glimpse into the dynamic landscape of application security, addressing its complexities and the pivotal role of artificial intelligence. Laura elucidates how AI has the potential to analyze vulnerabilities, identify risks, and make repetitive tasks efficient. As she delves deeper, she explores how AI can facilitate processes and significantly enhance security measures within the DevSecOps pipeline. She also highlights a crucial aspect - AI is not just an enabler but should be seen as a partner in achieving your security objectives. However, integrating AI into existing systems is not without its hurdles. Laura illustrates the complexities of utilizing third-party AI models, the vital importance of data verifiability, and the possible pitfalls of over-reliance on an LLM. As the conversation advances, Laura provides insightful advice to tackle these challenges head-on. She underscores the importance of due diligence, the effective management of AI integration, and the necessity of checks and balances. With proactive measures and responsible use, she affirms that AI has the potential to transform threat modeling. Don't miss this episode as Laura provides a thoughtful overview of the intersection of AI and threat modeling, offering important insights for anyone navigating the evolving landscape of DevSecOps. Whether you're a developer, a security enthusiast, or a tech leader, this episode is packed with valuable takeaways. Links Agile Application Security Security for Everyone Microsoft STRIDE OWASP Top 10 for Large Language Model Applications Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Generative AI, Security, And Predictions For 2024 1:06:43

לפני 1 year1:06:43

1:06:43

In this engaging episode, hosts Simon Maple and Guy Podjarny delve into the transformative role of AI in software development and its implications for security practices. The discussion starts with a retrospective look at 2023, highlighting key trends and developments in the tech world. In particular, they discuss how generative AI is reshaping the landscape, altering the traditional roles of developers and necessitating a shift in security paradigms. Simon and Guy explore AI-generated code challenges and opportunities, emphasizing the need for innovative security strategies to keep pace with this rapidly evolving technology. They dissect the various aspects of AI in development, from data security concerns to integrating AI tools in software creation. The conversation is rich with insights on how companies adapt to these changes, with real-world examples illustrating the growing reliance on AI in the tech industry. This episode is a must-listen for anyone interested in the future of software development and security. Simon and Guy's expertise provides listeners with a comprehensive understanding of AI's current development state and offers predictions on how these trends will continue to shape the industry in 2024. Their analysis highlights the technical aspects and delves into the broader implications for developers and security professionals navigating this new AI-driven era. Links Github Copilot NIST (National Institute of Standards and Technology) CNCF (Cloud Native Computing Foundation) Backstage by Spotify Roadie (Backstage Hosting) Snyk AI Fixing Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn Follow Us Our Website Our LinkedIn…

The Secure Developer

1
AI, Cybersecurity, And Data Governance With Henrik Smith 45:42

לפני 2 years45:42

45:42

Episode Summary Guy explores AI security challenges with Salesforce's VP of Security, Henrik Smith . They discuss the fine line between authentic and manipulated AI content, stressing the need for strong operational processes and collaborative, proactive security measures to safeguard data and support secure innovation. Show Notes In this episode, host Guy Podjarny sits down with Henrik Smith, VP of Security at Salesforce, to delve into the intricacies of AI and its impact on security. As the lines between real and artificially generated data become increasingly blurred, they explore the current trends shaping the AI landscape, particularly in voice impersonation and automated decision-making. During the conversation, Smith articulates the pitfalls organizations face as AI grows easier to access and misuse, potentially bypassing security checks in the rush to leverage new capabilities. He urges listeners to consider the importance of established processes and the responsible use of AI, especially regarding sensitive data and upholding data governance policies. The episode also dives into security as a facilitator rather than an inhibitor within the development process. Smith shares his experiences and strategies for fostering cross-departmental collaboration at Salesforce, underscoring the value of shifting left and fixing issues at their source. He highlights how security can and should act as an enabling service within organizations, striving to resolve systemic risks and promoting a culture of secure innovation. Whether an experienced security professional or a tech enthusiast intrigued by AI, this episode promises to offer valuable insights into managing AI's security challenges and harnessing its potential responsibly. Links Snyk's 2023 AI-Generated Code Security Report Salesforce Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn Follow Us Our Website Our LinkedIn…

The Secure Developer

1
The AI Security Report 43:15

לפני 2 years43:15

43:15

Episode Summary In this episode of The Secure Developer, our co-hosts Simon Maple and Guy Podjarny discuss the rise of AI in code generation. Drawing from Snyk's 2023 AI Code Security Report , they examine developers' concerns about security and the importance of auditing and automated controls for AI-generated code. Show Notes In this compelling episode of The Secure Developer, hosts Simon Maple and Guy Podjarny delve into the fascinating and fast-paced world of artificial intelligence (AI) in code generation. Drawing insights from Snyk's 2023 AI Code Security Report, the hosts discuss the exponential rise in the adoption of AI code generation tools and the impact this has on the software development landscape. Simon and Guy reveal alarming statistics showing that most developers believe AI-generated code is inherently more secure than human-written code, but they also express deep-seated concerns about security and data privacy. This dichotomy sets the stage for a stimulating discussion about the potential risks and rewards of integrating AI within the coding process. A significant point of discussion revolves around the need for more stringent auditing for AI-generated code and much tighter automated security controls. The hosts echo the industry’s growing sentiment about the importance of verification and quality assurance, regardless of the perceived assurance of AI security. This episode challenges conventional thinking and provides critical insights into software development's rapidly evolving AI realm. It's an insightful listen for anyone interested in understanding the interplay of AI code generation, developer behaviors, and security landscapes. Links Snyk's 2023 AI-Generated Code Security Report GitHub Copilot Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn Follow Us Our Website Our LinkedIn…

The Secure Developer

1
The Evolution Of Data, AI, And Security In Tech With Tomasz Tunguz 46:13

לפני 2 years46:13

46:13

Episode Summary In this episode, Tomasz Tunguz of Theory Ventures discusses the intersection of AI, technology, and security. We explore how AI is revolutionizing software development, data management challenges, and security's vital role in this dynamic landscape. Show Notes In this episode of The Secure Developer, Guy Podjarny engages in a deep and insightful conversation with Tomasz Tunguz, founding partner of Theory Ventures. They delve into the fascinating world of AI security and its burgeoning impact on the software development landscape. Tomasz brings a unique investor's lens to the discussion, shedding light on how early-stage software companies are leveraging AI to revolutionize market strategies. The conversation navigates through the complexities of AI in the realm of security. Tomasz highlights key trends such as data loss prevention, categorization of AI-related companies, and the significant security challenges in this dynamic space. The episode also touches on the critical role of data governance and compliance in the age of AI, exploring how these elements are becoming increasingly intertwined with security concerns. A significant part of the discussion is dedicated to the future of AI-powered software development. Guy and Tomasz ponder the evolution of coding, predicting a shift towards higher levels of abstraction and the potential challenges this may pose for security. They speculate on the profound changes AI could bring, transforming how software is developed and the implications for developers and security professionals. This episode provides a comprehensive look into the intersection of AI, technology, and security. It's a must-listen for anyone interested in understanding AI's current and future landscape in the tech world, especially from a security standpoint. The insights and predictions offered by Tomasz Tunguz make it an engaging and informative session, perfect for professionals and enthusiasts alike who are keen to stay ahead. Links Theory Ventures OpenAI GitHub Amazon Web Services (AWS) Google Cloud Microsoft Azure Monte Carlo Gable Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn Follow Us Our Website Our LinkedIn…

The Secure Developer

1
The Need For Diverse Perspectives In AI Security With Dr. Christina Liaghati 36:29

לפני 2 years36:29

36:29

Episode Summary In this episode, Dr. Christina Liaghati discusses incorporating diverse perspectives, early security measures, and continuous risk evaluations in AI system development. She underscores the importance of collaboration and shares resources to help tackle AI-related risks. Show Notes In this enlightening episode of The Secure Developer, Dr. Christina Liaghati of MITRE offers valuable insights on the necessity of integrating security considerations right from the design phase in AI system development. She underscores the fact that cybersecurity issues can’t be fixed solely at the end of the development process; rather, understanding and mitigating vulnerabilities require continual iterative discovery and investigation throughout the system's lifecycle. Dr. Liaghati emphasizes the need for incorporating diverse perspectives into the process, specifically highlighting the value of expertise from fields like psychology and human-centered design to grasp the socio-technical issues associated with AI use fully. She sounds a cautionary note about the inherent risks when AI is applied in critical sectors like healthcare and transportation, which calls for thorough discussions about these deployments. Additionally, she introduces listeners to MITRE's ATLAS project, a community-focused initiative that seeks to holistically address the challenges posed by AI, drawing lessons from past experiences in cybersecurity. She points out the ATLAS project as a resource for learning about adversarial machine learning, particularly useful for those coming from a traditional cybersecurity environment or the traditional AI side. Importantly, she talks about the potential of AI technology as a tool to improve day-to-day activities, exemplified by email management. These discussions underscore the importance of knowledgeable and informed debates about integrating AI into various aspects of our society and industries. The episode serves as a useful guide for anyone venturing into the world of AI security, offering a balanced perspective on the potential challenges and opportunities involved. Links MITRE ATLAS Project Arsenal CALDERA Plugin for Adversary Emulation IBM's Adversarial Robustness Toolbox (ART) Microsoft's Counterfit Tool MIT AI 101 Course (free) Women in CyberSecurity (WiCyS) MITRE's Twitter Account MITRE's LinkedIn Page Snyk - The Developer Security Company Follow Us Our Website Our LinkedIn Follow Us Our Website Our LinkedIn…

The Secure Developer

1
(Rewind) The Changing Landscape Of Security With Dev Akhawe 44:14

לפני 2 years44:14

44:14

This week, we're rewinding to play one of our favorite episodes from the archive! We'll be back with a brand-new episode in two weeks! Today’s guest is someone we have wanted to have on the show for a long time, and we are so happy to finally welcome him. Dev Akhawe is the Head of Security at Figma, the first state-of-the-art interface design tool that runs entirely in your browser. Before that, Dev worked at Dropbox, as Director of Security Engineering, leading application security, infrastructure security, and abuse prevention for the Dropbox products. He also holds a Ph.D. in Computer Science from UC Berkeley, where his thesis focused on web application security. In this episode, Dev pulls back the curtain and gives us a look at what security at Figma looks like. The relatively small organization has a culture where the security team earns their trust and works openly. This has resulted in far greater cohesion between the security team and developers. We also hear about Dev’s time at Dropbox, and how working on an application with many products exposed him to the gamut of security issues that companies can face. Along with this, we discuss some of the positive changes in how startups are thinking about security, the value of exposing people to different parts of an organization, the place of security champions, and having a curious mindset as a security professional. Dev's approach to security is empathetic, collaborative, and solution-driven, and if you would like to hear more, be sure to tune in today! Follow Us Our Website Our LinkedIn…

The Secure Developer

1
SAIF - Effective Risk Management And AI Security Standards With Royal Hansen 54:24

לפני 2 years54:24

54:24

As AI adoption continues to grow, it's important that effective risk management strategies and industry security standards evolve along with it. To discuss this, we are joined by Royal Hansen, the VP of Engineering for Privacy, Safety, and Security at Google, where he drives the overall information security strategy for the company’s technical infrastructure (and keeps billions of people safe online). Royal cut his teeth as a software developer for Sapient before building a cyber-security practice in the financial services industry at @stake, American Express, Goldman Sachs, and Morgan Stanley. In this episode, he explains why adhering to a bold and responsible framework is critical as AI capabilities are integrated into products worldwide and provides an overview of Google’s Secure AI Framework (SAIF), designed to help mitigate risks specific to AI systems. Royal unpacks each of the six core elements of SAIF, emphasizes the importance of collaboration, shares how he uses AI in his personal life, and much more. Today’s conversation outlines a practical approach to addressing top-of-mind AI security concerns for consumers and security and risk professionals alike, so be sure to tune in! Follow Us Our Website Our LinkedIn…

The Secure Developer

1
AI Safety, Security, And Play With David Haber 52:12

לפני 2 years52:12

52:12

Security is changing quickly in the fast-paced world of AI. During this episode, we explore AI safety and security with the help of David Haber, who co-founded Lakera.ai. David is also the creator of Gandalf, an AI tool that makes Large Language Models (LLMs) accessible to everyone. Join us as we dive into the world of prompt injections, AI behavior, and its corresponding risks and vulnerabilities. We discuss questions about data poisoning and protections and explore David’s motivation to create Gandalf and how he has used it to gain vital insights into the complex topic of LLM security. This episode also includes a foray into the two approaches to informing an LLM about sensitive data and the pros and cons of each. Lastly, David emphasises the importance of considering what is known about each model on a case-by-case basis and using that as a starting point. Tune in to hear all this and more about AI safety, security, and play from a veritable expert in the field, David Haber! Follow Us Our Website Our LinkedIn…

The Secure Developer

1
The Intersection Of Integrity And Security With Guy Rosen 43:27

לפני 2 years43:27

43:27

On episode 126 of The Secure Developer we had a fascinating conversation with Guy Rosen, who is the current CISO at Meta. In our chat, we are able to mine Guy's vast experience, expertise, and perspective on what being CISO at a huge tech company in today's climate requires, focusing on how security and integrity concerns come together and play out. In his role at Meta, Guy oversees both of these areas, and listeners will get to hear how he distinguishes the two worlds, and also where they overlap and intersect. We spend some time talking about human and technological resources for these fields, how Guy thinks about skills and hiring, and of course the impact of AI on the field right now. We also hear from our guest about issues such as privacy, account takeover, and the complexity of the policies that govern online abuse. So join us to catch it all in this great conversation! Follow Us Our Website Our LinkedIn…

The Secure Developer

1
What AI Means For Cybersecurity With Sam Curry 53:34

לפני 2 years53:34

53:34

Artificial Intelligence is innovating at a faster than ever before. Could there be a better response than fear? Sam Curry is the VP and Chief Information Security Officer at Zscaler, and he joins us to share his perspective on what AI means for cyber security. Tune in to hear how AI is advancing cybersecurity and the potential threats it poses to data and metadata protection. Sam delves into the nature of fearmongering and a more appropriate response to technological development before revealing the process behind AI integration at Zscaler, why many companies are opting to build internal AI systems, and the three buckets of AI in the security world. Sam shares his opinion on eliminating the offensive use of AI, touches on how AI uses mechanical twerks to get around security checks, and discusses the preparation of InfoSec cycles. After we explore the possibility of deception in a DevOps context, Sam reveals his concerns for the malicious use of AI and stresses the importance of advancing in alignment with technological progress. Tune in to hear all this and much more! Follow Us Our Website Our LinkedIn…

The Secure Developer

1
The Five Pillars Of MLSecOps With Ian Swanson 1:00:02

לפני 2 years1:00:02

1:00:02

At the rate at which AI is infiltrating operations around the globe, AI regulation and security is becoming an increasingly pressing topic. As external regulations are put in place, it’s important to ensure that your internal compliance measures are up to scratch and your systems are safe. Joining us today to discuss the security of ML systems and AI applications is Ian Swanson, the Co-Founder and CEO of Protect AI. In this episode, Ian breaks down the five pillars of ML SecOps: supply chain vulnerabilities, model provenance, GRC (governance, risk, and compliance), trusted AI, and adversarial machine learning. We learn the key differences between software development and machine learning development lifecycles, and thus the difference between DevSecOps and ML SecOps. Ian identifies the risks and threats posed to different AI classifications and explains how to level up your GRC practice and why it’s essential to do so! Given the unnatural rate of adoption of AI and the dynamic nature of machine learning, ML SecOps is essential, particularly with the new regulations and third-party auditing that is predicted to grow as an industry. Tune in as we investigate all things ML SecOps and protecting your AI! Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Securing Supply Chains In C++, Java, And JavaScript With Liran Tal And Roy Ram 38:08

לפני 2 years38:08

38:08

In this episode of The Secure Developer, we delve into the subject of supply chain security across various ecosystems and languages, guided by industry experts Liran Tal and Roy Ram from Snyk. Liran is the Director of Developer Advocacy at Snyk and has a background working particularly in Node.js and JavaScript. Roy is a Senior Product Manager serving as part of the product team for Snyk Code, and has a background in cybersecurity and a solid understanding of C++. With a 20-year background in Java, host Simon Maple moderates the conversation. We discuss the challenges and differences between ecosystems, such as the use of third-party libraries and issues with typosquatting and malicious packages. We also talk about the volume of dependencies that each of our ecosystems pull in, whether you should stay on the latest version or pin to a version, and the importance of software bill of materials (SBOMs). For valuable advice on securing your supply chain in different languages and ecosystems, tune in today! Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Responding To A Security Incident With Rob Zuber 46:40

לפני 2 years46:40

46:40

No one wants to fall prey to a security breach, but in the event that it does occur, it’s important to have systems in place to manage it. In episode 132 of The Secure Developer, we are joined by the CTO of CircleCI, Rob Zuber to discuss the security incident CircleCI announced on January 4th. Rob shares insight into what CircleCI does, how the incident affected customers, and how they communicated it to the public. We find out how the industry responded and adapted to the incident, as well as how it was dealt with internally at CircleCI. Rob opens up about what he learned in the process and shares advice for others facing a security breach. Tune in to find out how best to prevent and manage a security incident, should this happen to you. Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Exploring Data Security In Social Media With Roland Cloutier 50:21

לפני 2 years50:21

50:21

In episode 131 of The Secure Developer, you’ll hear from former TikTok CISO Roland Cloutier about the realities of securing user-generated content at scale and his belief that we need to take a strictly data-centric approach rather than a humanistic one to solve many of these privacy-related issues. Tuning in, you’ll gain some insight into what it takes to oversee a social media company's cybersecurity, data protection, and crisis management, and find out why Roland believes that an innate understanding of company culture is key to building a large and fast-growing security team in an increasingly virtual world. We also touch on some of the challenges of user identity management, the need for user-driven authentication methods, increased state-level security regulations in the data space, and more, so don’t miss today’s fascinating conversation with cyber security expert and industry veteran, Roland Cloutier! Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Defining Cloud Security With Rick Doten 41:28

לפני 2 years41:28

41:28

In episode 130 of The Secure Developer, we bring cast our focus on cloud security, and to help us examine this subject we welcome Rick Doten to the show! Rick shares his insight on what cloud security is, some of its history, current concerns in the field, and his hopes and ideas for its future. Our guest generously offers some of his vast experience talking about basic controls, how to organise security teams, necessary education and skills development, and the challenges of putting theoretical security into practice. We also get to explore some helpful definitions, how to approach building the best teams for different security goals, and how our understanding of the cloud differs across app and IT spaces. So if you want to hear all this and a whole lot more from GuyPo and Rick, listen in for another great episode of the show. Follow Us Our Website Our LinkedIn…

The Secure Developer

1
The Future Of Software Supply Chain Security 19:52

לפני 2 years19:52

19:52

In this episode, we conclude our miniseries dealing with software supply chain security by considering the next five years in the space, what we need, and what we can hope for. Emily Fox, Aeva Black, Brian Behlendorf, Adrian Ludwig, Lena Smart, and of course Guy Podjarny, join Simon by sharing some insights on the areas in most need of attention, and where we can realistically expect to make progress in the near future. Listeners will hear about trust and tooling, downstream complexities, and qualifying security engineers, with the conversation ending on an optimistic note with an eye to the horizon. For most of our panel, the message of consistent attention and security prioritisation within organisations, as well as from governance is paramount to the health of any of these systems. So to hear it all in this final installment of our special, be sure to press play now! Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Tackling Software Supply Chain Security As An Organization 33:48

לפני 2 years33:48

33:48

Continuing our mini-series on supply chain security, as we deep dive into the organisational aspects of this charge and hear from a number of our experts about solutions and initiatives to better prepare for supply chain risks and visibility issues. Simon and Guy are joined by Adrian Ludwig, Aeva Black, Jim Zemlin, Emily Fox, and Eric Brewer as we start thinking about securing the supply chain as an organisation. Guypo breaking down the four fundamental steps for doing this, and how to tackle the subject of SBOMs or Software Bill of Materials. Our guests share fascinating perspectives on how these areas relate to a company's overall preparedness and particularly to the open source space. We also cover some general advice about raising security awareness at a company, so for all this and a whole lot more, make sure to join us. Next week is our miniseries finale, where we will tackle the future of software supply chain security, so make sure you tune in for that ! Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Software Supply Chain Security - Key Terms, Players, And Projects You Need To Know About 41:02

לפני 2 years41:02

41:02

When we stop to think about the software running in our production environments, a large proportion of it is very likely open source. Are there effective mechanisms to truly understand and have visibility into all of these libraries? How do you ensure that these libraries are secure? To answer these questions, we feature input from Guy Podjarny, Lena Smart, Brian Behlendorf, Aeva Black, Emily Fox, Jim Zemlin, David Wheeler and Simon Maple as we dissect some key terms and promising projects in the software supply chain security space. Tuning in, you’ll learn what the term SBOM means, why the problem of securing the open-source pipeline is such a complex one, and what organizations like the Open Source Software Foundation (SSF) and Open Source Initiative (OSI) are doing to address it. We also introduce some key players that can provide you with assistance as you work to improve your own open-source security or software supply chain security posture. For all this and more, you won’t want to miss part two of The Secure Developer’s software supply chain security series! Follow Us Our Website Our LinkedIn…

The Secure Developer

1
What Is Software Supply Chain Security And Why It's Important 30:38

לפני 2 years30:38

30:38

In this episode we are defining the key pillars of software supply chain security. This episode is part 1 of a 4 part software supply chain series where our hosts Guy Podjarny and Simon Maple combine their analysis of this space of supply chain security with a series of interviews that we’ve had a chance to do with other supply chain security experts like Eric Brewer, Google Fellow, Adrian Ludwig, Chief Trust Officer at Atlassian, Jim Zemlin, Executive Director at Linux Foundation, Nicole Perlroth, NY Times Bestselling Author, Lena Smart, CISO MongoDB, Eli Hooten, CTO CodeCov and many more. And we are going to try and create a clearer picture of what this topic involves, and what’s the state of the land. And try to help you understand what you should be doing about it. In this first episode, we’ll focus on defining the problem. We’ll break up the key pillars of Supply Chain Security, and talk about what you should care about most - and why. The second episode will get specific, covering the key terms you should know and players you should track, as well as talk about some of the most prominent or promising projects in this space, so you can deep dive. In the third episode, we’ll give examples from practitioners actually implementing supply chain security in their organizations so that you can learn and choose which of these practices you want to adopt, and we’ll talk a bit about maturity levels, how you get started vs how you continue. Then lastly, in the fourth episode we’ll cast our eyes forward, and talk about industry motions, what can and is being done to help the ecosystem deal with this problem, and what key changes you might expect to come down the road. Follow Us Our Website Our LinkedIn…

The Secure Developer

1
2022 Recap And 2023 Predictions 1:05:50

לפני 2 years1:05:50

1:05:50

As we look forward into a new year 2023, we wanted to recap some of the most important developments we saw, and conversations we had during 2022. This episode features a look back at the key events and moments from the past twelve months before we share some of the expectations and predictions we have for the year ahead. Simon and Guypo sit down to discuss market corrections, the war in Ukraine, and also the tumultuous time that the crypto space has endured, before getting into some thoughts on the biggest lessons that can be garnered from these events. The ever-present message of better preparation is obviously a strong theme, and some time is spent reflecting on a few of the great guests and their insights on the show. Guypo underlines his excitement about the possibilities he sees in the authorisation space, and we also consider the managing of potential zero days in 2023. So to hear all this, and a whole lot more, press play now! Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Building Open Source Communities With Rishiraj Sharma 35:51

לפני 2 years35:51

35:51

Today our focus shifts towards products for a change, and we welcome the CEO and Co-Founder of Project Discovery, Rishiraj Sharma, to talk about their story, as well as the genesis of the Nuclei project. With some wide-ranging experience in the worlds of engineering and product management, before he entered into the security space, Rishiraj has a unique story and brings a personal perspective and philosophy to his work, and we get to unpack that a bit before discussing his approach to putting tools in the hands of developers, increasing the reach of engineers, and ultimately the big goal of making Nuclei a completely community-driven ecosystem! We get into some of the more technical aspects of their work and value offer, as Rishiraj shares how their tools have been used by different parties so far, their inclusion of manual code contributions, and how they are overcoming hurdles in CI/CD. So to hear all about and learn much more about this exciting work being done by our guest and his team, tune in! Follow Us Our Website Our LinkedIn…

The Secure Developer

1
Malicious Packages And Malicious Intent With Liran Tal 41:20

לפני 3 years41:20

41:20

Malicious attacks are a real threat, especially with the essential role of open source in mind. Today’s guest, Liran Tal, is the director of developer advocacy at Snyk and. Github Star, and he is here to share a plethora of tips you can implement today to see a marked improvement in general posture and company safety. Tune in to hear Liran’s perspective on the state of malicious attacks today in comparison to previous years, how third-party dependencies can be problematic, and how a single attack can impact thousands of users, developers and CI machines. He believes that open source is an essential tool today and that the solution lies in better security. Listeners will also learn how security sanitization is different for each ecosystem, and hear some advice for security-conscious companies cautious not to restrict innovation by tightening up their security plan. Join us to hear all this and more from today’s expert voice from Snyk. Follow Us Our Website Our LinkedIn…

The Secure Developer

1
State Of Cloud Security With Drew Wright 44:57

לפני 3 years44:57

44:57

Cloud Security is a evolving and so are the attacks in this space. The landscape is becoming increasingly complex, so the question remains how do we tackle cloud security in organisations, who owns it and how do we best prepare?. In this episode, we provide listeners with an overview of Snyk’s report on cloud security and unpack some unsettling statics. To walk us through the report, we're joined by Drew Wright, the primary author of the report, and Simon Maple, Snyk’s Field CTO. In our conversation, we delve into the main findings, how data was collected, and essential lessons from the report. We discuss the differences between the IT cloud and the app cloud, adopting an infrastructure-as-code approach, what businesses are most at risk, and why cloud security is vital for all businesses. We also talk about the recent cultural shift regarding the responsibility of security and the nuanced perspectives on why cloud security is vital. Hear about a fantastic open-source resource, how to prevent security breaches, common mistakes businesses make, and more. Tune in to ensure you are up to date on the latest developments in the space as we navigate The State of Cloud Security report with experts Drew Wright and Simon Maple. Follow Us Our Website Our LinkedIn…

ברוכים הבאים אל Player FM!

Player FM סורק את האינטרנט עבור פודקאסטים באיכות גבוהה בשבילכם כדי שתהנו מהם כרגע. זה יישום הפודקאסט הטוב ביותר והוא עובד על אנדרואיד, iPhone ואינטרנט. הירשמו לסנכרון מנויים במכשירים שונים.

תקשיבו ל-500+ נושאים

63 subscribers

דומה לThe Secure Developer

TERRO Ant Killer Bait Stations T300B - Liquid Bait to Eliminate Ants - 12 Count Stations for Effective Indoor Ant Control

EcoNour Patented Design for Car Windshield Sun Shade | Blocks 99% Heat and Keep Interior Cool | Fits Cars, SUV, Truck | Automotive Sun Screen,Visor and Summer Vehicle Accessories | Medium (64x32)

Bounty Quick Size Paper Towels, White, 8 Family Rolls = 20 Regular Rolls (Packaging May Vary)

פודקאסטים ששווה להאזין

The Secure Developer « » The Future Of API Security With FireTail’s Jeremy Snyder

The Future Of API Security With FireTail’s Jeremy Snyder

פודקאסטים ששווה להאזין

ברוכים הבאים אל Player FM!

ZELUS Weighted Vest, 6lb/8lb/12lb/16lb/20lb/25lb/30lb Weight Vest with Reflective Stripe for Workout, Strength Training, Running, Fitness, Muscle Building, Weight Loss, Weightlifting, Black(12 lb)

The Let Them Theory: A Life-Changing Tool That Millions of People Can't Stop Talking About

Pink Pony Club

Peacock TV

The Let Them Theory: A Life-Changing Tool That Millions of People Can't Stop Talking About

דומה לThe Secure Developer

מדריך עזר מהיר

The Secure Developer « »
The Future Of API Security With FireTail’s Jeremy Snyder