Most would agree we should build more security into our development practices. Between the increasing pace of development, the shortage of security practitioners and the fact most vulnerabilities are simply bugs, it seems clear we should build security into the dev process and not bolt it on later. So now that we agree we should do it… how do we get it done?!
To help this conversation, I’m excited to announce my new podcast, “The Secure Developer”. Each episode will feature a new guest, sharing their experience on building security into their companies, discussing tools that can help, and reviewing good and bad practices seen in the real world. The goal of the podcast is to arm developers and AppSec teams with better ways to upgrade their security posture, one step at a time!
We’re creating this podcast through Heavybit, an amazing program for developer tooling companies which we recently joined, with alumni including Stripe, PagerDuty, CircleCI and more. You can subscribe to the podcast on iTunes, SoundCloud or various other ways via the links on the Heavybit podcast page. You can also follow us on twitter at TheSecureDev.
I’m excited and humbled by the list of guests we have in the queue, and hope you’ll enjoy the conversations!
Here are the first two episodes we’ve aired.
Episode 1: Kyle Randolph on building AppSec at Optimizely
In this inaugural episode, Kyle Randolph talks about how he built an Application Security practice at Optimizely over the past couple of years. Kyle also talks about his AppSec experience at Twitter and Adobe, and how they were different from Optimizely.
What I liked best about this conversation is the advice on how to get started with AppSec. Invaluable tips like keeping the AppSec team close to engineering so they’re seen as a trusted advisor; logging security tradeoffs you make during development; and ways to celebrate security champions in engineering.
Episode 2: Gergely Nemeth on Node security
In this chapter Gergely Nemeth talks about including security in consulting work at RisingStack, in comparison to building security into the product their own Node.js monitoring product, Trace.
Gergely and I also spoke a fair bit about Node.js security, following his great Node.js security checklist blog post. We touch on Regular Expression Denial of Service (ReDoS) in Node, vulnerable npm packages, and thinking like an attacker using attack trees.
More to come
We have a great lineup of speakers in the queue, with topics ranging from building security into a continuous pipeline, through HTTPS, to how Capture The Flag competitions work. Subscribe on iTunes, SoundCloud or elsewhere so you won’t miss an episode.
If you’re interested in coming on as a guest on the show, or want us to cover a specific topic, ping us on Twitter at @TheSecureDev. Enjoy, and stay secure!