Skip to main content

The best security advice from 100 episodes of The Secure Developer podcast

著者:

Sam Hepburn

wordpress-sync/blog-feature-tsd-100

2021年8月2日

0 分で読めます

Technology, culture, and process all have to change to ensure safe software is delivered faster. It’s a lot to tackle. But you don’t have to do it alone.

The Secure Developer, a podcast from Snyk’s founder Guy Podjarny, just hit 100 episodes of thought-provoking conversations with security experts at a wide cross-section of companies. From big enterprises like Nike, LinkedIn, Twitter, and United Healthcare, to niche players like Optimizely and Toast, Guy asks the questions and uncovers the insights that can help leaders and teams embrace security more smoothly.

“I created this podcast to arm developers and AppSec teams with better ways to upgrade their security posture, one step at a time,” Guy says. “The fact that there’s a big and growing community of dev and security leaders who are eager to learn and tune into the podcast makes it a true privilege to host the show.”

In Episode 100: Best security advice, Guy focuses on the tried and true advice his guests have offered that is guaranteed to improve anyone’s security chops. Here’s a bit of what you’ll hear:

Focus on actual threats

In episode 59, Steve White, Field CISO at Pivotal, reminded listeners how important it is to not lose perspective when it comes to threats. “Focus on the actual threats to your organization, not the science lab projects that your neighbor has dreamed up,” he said. “Keep your organization focused on combating those threats. That, to me, is like my number one advice for any security team. Focus on the real threats, not necessarily all of the imaginary ones.”

And don’t forget the power of curiosity, suggested Shannon Lietz, the DevSecOps Leader of Intuit, in episode 58. “Somebody who’s looking... to try and up-level [their security], I would say the one question you should ask yourself is how many adversaries does my application have? Because it's the curiosity around that question that will lead you to better places. I think just having that goal of trying to solve that question will lead you to find people that you can contribute to, or collaborate with that will help you answer that question.”

Don’t boil the ocean

Getting security right is so critical it’s easy to overreach, as Brendan Dibbell, Staff Product Security Engineer at Toast, explained to Guy in episode 79. But sometimes less really is more. “I would say that people should focus on two things: focus on helping other people take ownership of security, so that you have ownership over fewer things in security, and focus on taking security one step at a time,” Brendan offered. “You don't have to be better overnight. You can take baby steps. It's going to be okay.”

Collaborate with the rest of the org

In today’s world, security teams can’t give the impression they’re in an ivory tower. Andy Steingruebl, CSO at Pinterest, told Guy (in episode 77) it’s time for everyone to work on getting along. “There are several ways to solve a lot of different problems, and the human element is what's really necessary to up your game, not just technical expertise,” Andy said. “That matters, but ultimately getting to a workable solution that people will implement is what matters. Not just building it and then having no one adopt it. Building something and having no one use it is the same as not having built it at all.”

The power of automation

Application security always has a lot of moving parts, so if there’s an opportunity to streamline the process, take it,  said The Secure Developer’s first ever guest Kyle Randolph, the Principal Security Engineer at Optimizely. Kyle reiterated that view in episode 80. “Wherever we can build security in without relying on an engineer to make that decision, that's great,” he explained. “So investing more in tooling, making security into components, I think that's like gold because you keep on benefiting from it without needing more humans.”

There’s a lot more to the podcast, but we don’t want to spoil it for you. Listen online or subscribe to The Secure Developer wherever you listen to podcasts.

wordpress-sync/blog-feature-tsd-100

セキュリティチャンピオンプログラムの構築方法

Snykは、セキュリティチャンピオンプログラムを成功させた、または失敗した20人以上のセキュリティリーダーとのインタビューを実施しました。このガイドを参照し、開発者を中心とした効果的なセキュリティチャンピオンプログラムの進め方を学びましょう。