The Secure Developer

Today we have a great conversation with DJ Schleen, who is the Vice President of Infrastructure and Developer Operations at VillageMD! DJ is an experienced DevOps practitioner, currently working as a security advocate, in his role at VillageMD in the healthcare industry. We get to have a very interesting conversation about the broad state of security and hear about his route into the professional world. DJ transitioned from the early days of hacking into web design, and then brought these skills to his career in security! We talk about some of his best practices for keeping a team on track, how he goes about improving and increasing security, and the end goal of working towards a proactive approach instead of a reactive one. DJ has an impressive track record providing thought leadership to organizations looking to integrate security into their DevOps practices, and his background as a practitioner has provided him with a strong foundation for this. DJ specializes in building progressive apps for security programs, automating security in DevOps environments, and breaking down organizational silos that inhibit the delivery of safer software. So to hear all about his work and thoughts on the field in general, listen in with us today!

Follow Us

• Our Website
• Our LinkedIn

In early 2021, Codecov experienced a serious security breach, and today on the show we are joined by their CEO and CTO to get an insider's perspective on the events! We have an enlightening conversation with Jerrod Engelberg and Eli Hooten about what exactly happened, how they reacted, and the important foundations that were already in place that allowed them to handle it in the way that they did. This extra special episode is jam-packed with useful reflections and lessons for listeners from all backgrounds, and just hearing how it all played out is worth the admission alone. Our guests talk about the central importance of the human element to security work, how conversations with the internal and external network connected to the company were key to their process, and why transparency trumps all other concerns for Codecov. We also get into some of the ethics and important conversations that need to happen before any danger is even detected! So to hear all this, and a whole lot more, on a vital, first-hand experience, join us today!

Follow Us

• Our Website
• Our LinkedIn

On The Secure Developer, we often hear a lot of opinions and experiences from people who are working in development, so today we’re turning to the data, to figure out what works and what doesn’t in the world of DevOps and SecDevOps. Joining us for a panel discussion on the topic is Alanna Brown, Senior Marketing Director at Puppet and mastermind behind the State of DevOps Report, Gareth Rushgrove, Product Director at Snyk and curator of Devops Weekly, and Alyssa Miller, Application Security Advocate, also at Synk. In this show, we get a lay of the land and take a look at the state of where things stand. In this section of the discussion, we hear about vulnerabilities and the mixed bag of data that our panelists have seen around remediation. While there are some positive developments in the space, there are also some areas, like on the container side, where there is great room for improvement. The conversation then moves to security practices and which security controls are effectively deployed and which are not. We gain great insights into the role that integration plays in the efficacy of controls. While it’s not all sunshine and roses, there are encouraging shifts happening around security thinking. From there, we move onto talking about infrastructure as code security and shared responsibility. Again, the panelists present their varied data findings, which paints an interesting picture. Finally, we wrap the show up with consolidating the discussion, where the panelists highlight what they think is key going forward. To hear more from this fascinating, data-rich discussion, tune in today!

Follow Us

• Our Website
• Our LinkedIn

In episode 59 of The Secure Developer, Guy Podjarny talks to Steve White, Field CISO at Pivotal. Steve spends his time helping organizations envision and implement new ways of integrating security into their software development, deployment, and operations life cycle. Most recently, his focus has been on cybersecurity, helping build a cybersecurity consulting practice for Microsoft and then leading security teams for companies such as Amazon, Sonos, and CenturyLink.

On today’s show we talk with Steve White, Field CISO for Pivotal, where he gets to regularly exercise his passion for working at the intersection of application security, development, infrastructure, and operations. Steve spends his time helping organizations envision and implement new ways of integrating security into their software development, deployment, and operations life cycle. Most recently, his focus has been on cybersecurity, helping build a cybersecurity consulting practice for Microsoft and then leading security teams for companies such as Amazon, Sonos, and CenturyLink. Prior to joining Pivotal, Steve was the Chief Security Officer at ForgeRock. In this episode we are going to get a broader perspective from Steve on digital transformation within organizations. We also hear from Steve why he recommends making small incremental changes, we discuss the idea of a security champion, as well as the best practices for helping developers understand the importance of cybersecurity work. Finally, Steve shares more about how to recognize when organizations are having challenges with digital transformation, and why it is key to focus only on the actual threats and not the imaginary ones. So don’t miss out on today’s enlightening conversation with Steve White of Pivotal.

Transcript

[00:01:32] Guy Podjarny: Hello, everyone. Welcome back to The Secure Developer. Today, we’re going to get a bit of a broader market perspective here from someone who works with a lot of security and development through the years across the enterprise, and that is Steve White who is a Field CISO at VMware.

Steve, welcome to the show. Thanks for coming on.

[00:01:49] Steve White: Thanks, Guy. Thanks for having me.

[00:01:50] Guy Podjarny: Steve, we’re going to go broad in a sec. But before we do that, tell us a little bit about yourself and your path to where you are today.

[00:01:58] Steve White: Absolutely. Well, the first thing I’ll say about my path was, like many, it was accidental in a lot of cases. I started my career really honestly back before security was even a profession, the early security practitioners. We were sys admins and network admins and the people running the systems. We didn’t have things like firewalls and we didn’t have things like anti-malware software. We kind of invented this space, trying to protect our systems. The first firewall I ever used was a bit of software running on a Sun server.

Fast-forward a career from there, I learned to really appreciate all facets of security during those early years. I moved into some application development roles. Ultimately, senior tech leader role and then moved into security full-time, trying to help build up a security consulting practice for Microsoft. Then from there, I’ve held a number of internal security roles at places like Amazon, CenturyLink Cloud, and Sonos. Then I was the Chief Security Officer at ForgeRock. Now, I’m a Field CISO at Pivotal VMware and spend my time really focusing on how can I best help organizations think through and strategize around this transformation into cloud native. How do we take what had become traditional enterprise security mechanisms and methods, and how do these change based on sort of this move to interesting things like containers and microservices and agile development? That’s why I spend my time thinking about and looking at today.

[00:03:35] Guy Podjarny: Who do you typically work with? Who’s the peer in the companies you work with or maybe the profile of the companies?

[00:03:42] Steve White: It has to be the larger global enterprises, so those companies who are primarily going through digital transformations. Companies who are writing a lot of their own custom code that they derive significant business value from, and they’re working to transform how they write that code from sort of the traditional monolithic waterfall method into now the microservice-oriented cloud native 12- factor apps, right? As those companies who are making that transformation because it brings business value to them.

I'm working primarily with their security leadership and security engineering and architecture organizations.

[00:04:29] Guy Podjarny: Within those organizations, within the enterprises that you work with, who is the sort of typical profile or role of a person who works wit...

In episode 58 of The Secure Developer, Guy Podjarny talks to Shannon Lietz, DevSecOps Leader and Director at Intuit. Shannon is a multi-award winning leader and security innovation visionary with 20 years of experience in motivating high performance teams.

Today on The Secure Developer, we interview Shannon Lietz from Intuit. She is a multi-award winning leader and security innovation visionary with 20 years of experience in motivating high-performance teams. Her accolades include winning the Scott Cook Innovation Award in 2014 for developing a new cloud security program to protect sensitive data in AWS. She has a development, security, and operations background, working for several Fortune 500 companies. Currently, she is at Intuit where she leads a team of DevSecOps engineers. In this episode, she talks about the future of security and the progress the industry has made in closing the vulnerability gaps by, inter alia, maintaining continuous testing, ongoing production, and building sufficient capability within teams to know a good test from a bad one. But the problem is a long way from solved, and she shares with enthusiasm about the new buzzword called “securability” and how this measure can be standardized to uplift the security industry as a whole.

Transcript

[0:01:27.9] Guy Podjarny: Hello, everyone. Welcome back to The Secure Developer. Thanks for tuning in. Today, we have really maybe one of the originators, the pioneers of DevSecOps with us and really a bright security mind in Shannon Lietz from Intuit. Thank for coming out to the show, Shannon.

[0:01:42.2] Shannon Lietz: Super excited to be here. I love this show.

[0:01:46.4] Guy Podjarny: Shannon, we have a whole bunch of topics to cover. Before we dig in, tell us a little bit about yourself. What is it you do? How you got into security?

[0:01:53.5] Shannon Lietz: Awesome. Yeah, I've been in this industry for over 30 years and that makes me a dinosaur, as I always say. I feel the placement journey on an ad is to really try and help the industry and take some of the lessons I've learned over that long career and really try to make a change.

My goal at this point is really to make a dent in the security problem as a goal for my life and my career.

As part of it, I got into this basically with lots of curiosity and didn't even realize it was a mostly male journey. Nobody told me when I decided that computers were fun. I learned through lots of hard knocks, but basically this wasn't a path carved out for women. I thought, “You know what? The heck with it. I always do things that people tell me I shouldn't be doing.” I started out with computers at a really young age and eventually, learned how to do some really neat things that again, shouldn't have been done.

At the time, they called it hacking. I thought, “Well, you know what? I want to be a hacker, so cool.” Then eventually, it became illegal and I was like, “Okay, that's not a job.” My dad was horrified by the fact that this could be a problem. Eventually, it turned into actually it was a job. You just had to do it a certain way. That was the beginning. I mean, when I started in computers, nothing was really illegal per se. The Computer Fraud and Abuse Act was interesting and that shaped some of this industry.

Along the way, there's lots of trials and tribulations. Yeah, I started there and I've been a developer, so I've written code. I'm so sorry to anybody who's still maintaining my code, God forbid. Then as you look back on 30 years, you’re like, “Wow, I could have done a lot of better things.”

Then I got into the security and I've even done ops. I always said that if I needed to make money and pay my bills that I would ops for food, and so I ops for food. Then eventually, I smooshed it all together and created a term that some love and some hate and whether – here we are.

[0:03:50.9] Guy Podjarny: Yeah. Definitely has become the terminology of choice, the depth of the – we had a rugged DevOps, we had also some variance, but it's very clear that DevSecOps is the term that emerged.

[0:04:02.0] Shannon Lietz: That's cool, because I've got a new one coming.

[0:04:06.0] Guy Podjarny: We’ve got some great further pioneering here to air on the show. Just a little bit from a companies and industries’ experience and so we don’t completely jumped around, like a whole bunch of things. I think right now, you are at Intuit, right? Before that, you were at ServiceNow?

[0:04:23.9] Shannon Lietz: I was. I was at that wonderful other cloud company. I like cloud companies as they seem to be fun. I was also at Sony before that. I mean, my track record is pretty much financial. I did telco work. I mean, I've had about 22 companies that worked for in this period. I've been at ...