Dev Academy Podcast

Hosted by Bartosz | Dev Academy

Episodes: 13
Latest episode: Sep 2024
Language: EN

About the show

Welcome to the "Dev Academy Podcast," the chill spot where we talk all things code without the fluff. Join us as we break down timeless software engineering fundamentals: think security that keeps the baddies out, testing that’s actually fun, architecture that doesn’t crumble, and design that’s as sleek as it is smart. Hosted by Bartosz Pietrucha, who's seen it all from the code trenches to the top tech stages, we’re here to share stories, tips, and laughs. Whether you’re a pro coder or just starting out, we’ve got something for you.

Listen to episodes

13 recent
September 23, 2024 | Episode 2 | 1 hr 2 min

Cryptography for Developers with Randall Degges

Discover Web Security Dev Academy 🔥 In this episode of the Dev Academy Podcast, Randall Degges returns to discuss the intricacies of cryptography, emphasizing its importance for developers. He explains the different types of encryption, the role of HTTPS, and the significance of password hashing. The conversation delves into mutual TLS, the evolution of cryptographic hash functions, and best practices for implementing cryptography in applications. Randall encourages developers to engage with cryptography, highlighting accessible resources and tools for learning and implementation.
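The password-hashing practice Randall and Bartosz discuss comes down to three things: a slow, salted, memory-hard KDF instead of a plain hash; constant-time comparison on verification; and a stored format that records its own parameters so hashes can be upgraded as the "evolution" of work factors continues. The block below is an added illustration, not code from the episode or from Dev Academy. It uses Python's standard-library scrypt; the work-factor constants are deliberately low so it runs quickly, and the `scrypt$n$r$p$salt$hash` record layout is an assumption made for this example.

```python
import base64
import hashlib
import hmac
import os

# Work-factor policy. These values are assumed for the example and kept small so
# it runs in well under a second; a production deployment should tune N upwards
# (OWASP currently suggests N=2^17, r=8, p=1) and pass maxmem= to hashlib.scrypt,
# because memory use is 128 * N * r bytes and OpenSSL's default cap is 32 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32
SALT_LEN = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$hash (salt and hash base64)."""
    salt = os.urandom(SALT_LEN)  # fresh random salt per password defeats rainbow tables
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_LEN)
    return f"scrypt${n}${r}${p}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "scrypt":
        return False
    salt = _unb64(salt_b64)
    expected = _unb64(hash_b64)
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=int(n), r=int(r), p=int(p), dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was produced with weaker parameters than the current policy.

    Call this right after a successful login and re-hash the (still in memory)
    password, so the user base migrates to stronger settings over time.
    """
    algo, n, r, p, *_ = stored.split("$")
    return algo != "scrypt" or int(n) < SCRYPT_N or int(r) < SCRYPT_R or int(p) < SCRYPT_P
```

Two hashes of the same password never match each other because of the per-record salt; only `verify_password` can confirm a password, and a record made with a lower N is accepted but flagged by `needs_rehash`.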

August 21, 2024 | Episode 1 | 1 hr 10 min

Mastering Threat Modeling: From Code to Security with Adam Shostack

Discover the Secrets of Web Application Security 👉 http://links.dev-academy.com/dwog

In this episode:
Threat modeling is essential in software development because it surfaces security implications early, at design time.
Integrating security considerations into the development process is how "shifting left" actually happens and how risks get addressed before they ship.
Architecture decision records (ADRs) can absorb security concerns, producing one concise record of both the architectural and the security decision.
Checklists systematize and organize work, reduce mental burden, and improve focus.
STRIDE strikes a balance between generality and specificity, which is what makes it a practical threat modeling tool.
Developing security skills takes exploration, experimentation, and patience; it is not a quick or smooth process.

June 7, 2024 | 6 min

Special episode: How Alex became a security-oriented developer

Join the program until 13.06.2024: https://dev-academy.com/web-security/?ref=podcast

May 10, 2024 | Episode 8 | 1 hr 0 min

Essentials of Secrets and Credentials Management with Hung Ngo

Web Security Dev Academy 👉 http://links.dev-academy.com/LwyH Subscribe & Get Free Tips & Tricks for Secure Coding ✅

Summary
In this episode, Bartosz and Hung Ngo discuss secrets management in web software development. They highlight the importance of securely managing digital authentication credentials and the risks of hard-coding secrets. They explore best practices such as using environment variables, dedicated secrets management tools like HashiCorp Vault, and rotating secrets regularly. They also discuss the challenges of sharing secrets with new team members and the benefits of a vault for storing and accessing secrets securely. Improper secrets management can lead to major incidents, as seen in the Uber breach of 2022: attackers used social engineering and MFA push flooding (MFA fatigue) to gain access to the network, then found hard-coded credentials for a Privileged Access Management (PAM) system, which gave them access to cloud accounts and other sensitive systems. Proper secrets management matters in every environment: development, testing, and production. Startups and small teams with limited resources can still implement secure practices, and suitable tools are available for free or at low cost. Future trends include automation, education, and applying the principle of least privilege.

Chapters
00:00 The Uber Breach and Social Engineering
07:25 The Importance of Secrets Management in Web Applications
09:45 The Problem of Hard-Coding Secrets
21:51 Managing Access and Rotating Secrets with a Vault
26:26 Securely Sharing Secrets with New Team Members
29:16 Recommended Tools for Secrets Management
30:42 The Impact of Improper Secret Management
33:02 The Multi-Layered Problem of Secrets Management
37:24 Secrets Management for Startups and Small Teams
41:05 Creating a Roadmap for Secrets Management
44:20 Future Trends in Secrets Management

#SecureCoding #WebDev #WebSecurity #DevSecOps
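The two halves of the "don't hard-code secrets" advice in this episode are catching the credentials that are already in the code and loading the ones that belong there from outside it. The following Python block is an added example written for this page, not code from Hung Ngo, Bartosz, or any tool they mention. The sample source it scans is constructed (the access key is the placeholder from AWS's own documentation), the two detection patterns are illustrative rather than a complete scanner, and the mapping passed to `load_secret` stands in for an environment populated by a vault agent or CI secret store.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Constructed sample "source file" for the scanner below. The AWS key is the
# documented placeholder AKIAIOSFODNN7EXAMPLE, not a live credential.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2"
token = os.environ["API_TOKEN"]          # injected at runtime: not flagged
"""

# AWS access key IDs have a fixed, recognisable shape.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A credential-looking name assigned a quoted literal (illustrative pattern).
CREDENTIAL_ASSIGNMENT_RE = re.compile(
    r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*[\"'][^\"']{4,}[\"']"
)


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line number, finding kind) for each line that looks like a literal secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if AWS_ACCESS_KEY_RE.search(line):
            findings.append((lineno, "aws-access-key-id"))
        elif CREDENTIAL_ASSIGNMENT_RE.search(line):
            findings.append((lineno, "hardcoded-credential"))
    return findings


class Secret:
    """Wraps a secret so that logging, repr() or f-strings cannot leak it by accident."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        # The only deliberate way to get the raw value out.
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> Secret:
    """Read a required secret from the process environment (or any mapping).

    Fails closed: a missing secret is a startup error, never a silent default,
    and because the value is read at runtime it can be rotated without a code change.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"required secret {name!r} is not set")
    return Secret(value)
```

Running `find_hardcoded_secrets(SAMPLE_SOURCE)` flags lines 2 and 3 and leaves line 4 alone, which is the pattern the episode recommends: the name of the secret lives in the code, the value does not.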

May 3, 2024 | Episode 7 | 1 hr 16 min

Beyond the Basics: Advanced AWS Security Tactics with Marek Šottl

Web Security Dev Academy 👉 http://links.dev-academy.com/Qwrl Secure your spot and receive exclusive bonuses 🎉

Summary
In this conversation, Bartosz and Marek discuss AWS security and the importance of understanding the fundamentals. They emphasize the need for multiple tools and for the shared responsibility model in securing cloud-native applications. They highlight the central role of identity and access management (IAM) in AWS environments and the need for a proper IAM setup. They also discuss the basics that are often skipped, such as the Landing Zone Accelerator on AWS and billing alarms, and they stress the importance of automation and DevSecOps pipelines, including automated static code analysis and software composition analysis. The second half focuses on software composition analysis (SCA) and open source vulnerabilities in the context of application security: the growth of open source libraries and the small number of developers maintaining them pose significant security risks, and the lack of correlation between SCA, static analysis, and dynamic testing tools is a gap in the current tooling landscape. The conversation also covers the cultural side of threat modeling and the need for education and security champion programs within organizations. Common myths about application security and DevSecOps are debunked, including the belief that buying a tool will solve all security problems and the misconception that scanning infrastructure as code guarantees security. Future trends discussed include the use of AI in code reviews and the importance of staying up to date with the latest technologies and trends in the field.

Chapters
00:00 Introduction and Overview
02:23 Marek's Journey into AWS Security
03:47 The Future and Time Travel
05:13 Marek's AWS Security Bootcamp
06:13 The Importance of Understanding the Fundamentals
08:33 The Fundamentals of Web Security
10:46 Securing Cloud-Native Applications in AWS
12:10 Identity and Access Management (IAM) in AWS
14:30 The Significance of Basics in AWS Security
25:27 Automating Security with DevSecOps Pipelines
38:20 The Importance of Software Composition Analysis and Open Source Vulnerabilities
41:41 The Need for Correlation Between SCA, Static Analysis, and Dynamic Testing Tools
43:38 Cultural Aspects of Threat Modeling: Education and Security Champion Programs
47:01 Debunking Common Myths About Application Security and DevSecOps
57:30 The Limitations of Scanning Infrastructure as Code for Security
01:11:25 The Future of Application Security: AI in Code Reviews
01:15:15 Staying Up to Date with the Latest Trends and Technologies in Cybersecurity

#SecureCoding #WebDev #WebSecurity #DevSecOps

April 28, 2024 | Episode 6 | 1 hr 9 min

Maximum security of software development lifecycle with Borja Berastegui

Web Security Dev Academy 👉 http://links.dev-academy.com/xweg Secure your spot and receive exclusive bonuses 🎉

In this conversation, Bartosz and Borja discuss common security mistakes in web application development and how developers can strengthen security across the software development lifecycle (SDLC). They highlight the importance of security awareness and training for developers, as well as the need for architectural reviews and threat modeling exercises, and the value of integrating static code analysis tools to identify potential vulnerabilities early. The conversation emphasizes that developers need to be aware of security issues and to collaborate with security experts to keep their applications secure. In the second half, Bartosz and Borja turn to incident response and management in the context of web application security: integrating security tools into development pipelines, evaluating the risk and impact of security issues, incident response planning, and the importance of post-mortem analysis. They also touch on the role of web application firewalls (WAFs) and the rising threats in the cybersecurity landscape.

Chapters
00:00 Introduction and Background
13:23 The Importance of Security Awareness and Training
31:34 Architectural Reviews and Threat Modeling
39:02 Evaluating Risk and Impact in Incident Response
48:14 Post-Mortem Analysis and Lessons Learned
01:05:49 Rising Threats in the Cybersecurity Landscape

#DevSecOps #SecureCoding #AppSecTips #CodeSecurity #TechTrends #DevelopersLife #CodingBestPractices

April 28, 2024 | 1 min

96 seconds TRAILER 🎧 Maximum Security in SDLC 🔐

In this conversation, Borja Berastegui discusses various aspects of security in web application development. He highlights common security mistakes, such as unmaintained code and applications, and emphasizes the importance of simplifying systems and reducing the attack surface. Borja also stresses the need for security awareness and training among developers. He suggests involving security-minded individuals in architectural reviews and conducting threat modeling exercises to identify potential vulnerabilities. The conversation also touches on the risk of enumeration and the need to avoid exposing information that can aid malicious actors. Borja goes on to share insights on conducting pen tests to discover vulnerabilities, developing an incident response plan, and analyzing incidents to learn from them. He also discusses the limitations of web application firewalls (WAFs) and highlights the rising threats ahead.

April 18, 2024 | Episode 5 | 1 hr 12 min

The Battle of Access Control Models 🤺 RBAC vs. Others | Or Weis

Web Security Dev Academy WAITING LIST: http://links.dev-academy.com/u65 Secure your spot and receive exclusive bonuses 🎉

The principle of least privilege is a key component of the zero trust architecture and mentality in software development: access should be cut down to the bare minimum that is needed, which shrinks the attack surface. Role-based access control (RBAC) is the most common approach; permissions are attached to roles, and users receive permissions through the roles they hold. Hierarchical RBAC adds inheritance between roles, allowing for more granularity without duplicating permission lists. Attribute-based access control (ABAC) decides access from conditions over attributes of the user, the resource, and the context. ABAC suits dynamic scenarios and is often combined with RBAC for more complex policies. Access control models will keep evolving as applications and technology change: the future will involve more non-deterministic AI agents acting as users and integrations, and policy models will merge and simplify around groups, patterns of usage, and levels of usage. Developers should stay up to date with security standards and best practices; using open source tools and connecting with their communities is a good way to stay informed, and discussing access control with other developers and seeking guidance helps navigate its complexities.

Takeaways
The principle of least privilege is important in minimizing access and reducing the attack surface in software development.
Role-based access control (RBAC) is a commonly used approach where permissions are assigned based on roles.
Hierarchical RBAC adds a hierarchy to roles, allowing for more granularity in access control.
Attribute-based access control (ABAC) focuses on conditions and attributes to determine access and is useful for dynamic scenarios.
Applications often use a combination of RBAC and ABAC to implement access control policies.
Access control models will continue to evolve as applications and technology change.
The future of access control will involve more non-deterministic AI agents acting as users and integrations.
Policy models will merge together and be simplified, focusing on groups, patterns of usage, and levels of usage.
Developers should stay up to date with security standards and best practices.
Utilizing open source tools and connecting with their communities can help developers stay informed.
Engaging in discussions with other developers and seeking guidance can help navigate the complexities of access control.

#DevSecOps #SecureCoding #AppSecTips #CodeSecurity #TechTrends #DevelopersLife #CodingBestPractices
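To make the RBAC-versus-ABAC distinction concrete, and to show how the two combine under a default-deny rule, here is an added Python example. It is written for this page and is not code from Or Weis, Permit.io, or Dev Academy. The role hierarchy (viewer < editor < admin), the permission table, the two attribute rules (restricted resources stay in their department; owners may change their own documents) and the evaluation order (explicit deny, then role grants, then attribute grants, then deny) are all assumptions chosen to illustrate the models discussed in the episode.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Set, Tuple

# Hierarchical RBAC: a role inherits everything its parent roles grant.
ROLE_PARENTS = {
    "viewer": set(),
    "editor": {"viewer"},
    "admin": {"editor"},
}
# Permissions are (resource_type, action) pairs attached to roles, never to users.
ROLE_PERMISSIONS = {
    "viewer": {("document", "read")},
    "editor": {("document", "create"), ("document", "update")},
    "admin": {("document", "delete"), ("audit_log", "read")},
}


@dataclass(frozen=True)
class User:
    id: str
    roles: FrozenSet[str]
    department: str


@dataclass(frozen=True)
class Resource:
    type: str
    owner_id: str
    department: str
    classification: str = "internal"  # "internal" or "restricted"


def expand_roles(roles: Iterable[str]) -> Set[str]:
    """Transitive closure of the role hierarchy (admin -> editor -> viewer)."""
    resolved, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in resolved:
            continue
        resolved.add(role)
        stack.extend(ROLE_PARENTS.get(role, ()))
    return resolved


def rbac_permissions(roles: Iterable[str]) -> Set[Tuple[str, str]]:
    """Every (resource_type, action) the user's roles grant, inheritance included."""
    perms: Set[Tuple[str, str]] = set()
    for role in expand_roles(roles):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


@dataclass(frozen=True)
class Rule:
    """An ABAC rule: an effect, the actions it covers ({"*"} = any), and a condition."""
    effect: str  # "allow" or "deny"
    actions: FrozenSet[str]
    condition: Callable[[User, Resource], bool]
    note: str

    def matches(self, action: str) -> bool:
        return "*" in self.actions or action in self.actions


ABAC_RULES: List[Rule] = [
    Rule("deny", frozenset({"*"}),
         lambda u, r: r.classification == "restricted"
         and r.department != u.department
         and "admin" not in expand_roles(u.roles),
         "restricted resources never leave their department (admins excepted)"),
    Rule("allow", frozenset({"update", "delete"}),
         lambda u, r: r.type == "document" and r.owner_id == u.id,
         "owners may change or remove their own documents"),
]


def authorize(user: User, action: str, resource: Resource) -> bool:
    """Combined RBAC + ABAC decision with default deny."""
    # 1. Attribute-based denies override everything else.
    for rule in ABAC_RULES:
        if rule.effect == "deny" and rule.matches(action) and rule.condition(user, resource):
            return False
    # 2. Role-based baseline: static permissions the role table grants.
    if (resource.type, action) in rbac_permissions(user.roles):
        return True
    # 3. Attribute-based grants for the dynamic cases roles cannot express.
    for rule in ABAC_RULES:
        if rule.effect == "allow" and rule.matches(action) and rule.condition(user, resource):
            return True
    # 4. Nothing matched: least privilege means deny.
    return False
```

A viewer who owns a document can update it (ABAC grant), an editor from another department cannot read a restricted one (ABAC deny beats the role grant), and anything the tables do not mention falls through to deny.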

April 11, 2024 | Episode 4 | 1 hr 10 min

The Art of Shaping Application Security at Scale with Seth J. Kirschner

Web Security Dev Academy WAITING LIST: http://links.dev-academy.com/f7y Secure your spot and receive exclusive bonuses 🎉

The conversation explores application security maturity within organizations and its relationship with developers, teams, management, and products. The guest, Seth, shares his insights and experiences in building application security programs. He emphasizes the importance of communication channels and of learning and development opportunities for developers. Seth also discusses the role of security champions and the implementation of guardrails as preventative controls. The conversation highlights the challenges of onboarding new developers and suggests strategies such as automated messaging, open communication channels, and recognition programs. Seth then discusses the challenges faced by developers, the importance of collaboration between security and development teams, and strategies for incentivizing developers to prioritize security. He also shares insights on implementing security programs, dealing with vulnerabilities, and the future of application security, singling out software supply chain security as a major threat in the coming years.

Takeaways
Building an application security program starts with knowing the company, the people, and the applications.
Open communication channels and establish training and resources for developers to understand security best practices.
Security champions are individuals who have an interest in security and can lead efforts within their teams.
Guardrails are preventative controls that guide developers to make better decisions and prevent misconfigurations.
Onboarding new developers should involve gradual exposure to security guidelines and resources.
Recognition programs, such as leaderboards, can motivate developers to engage in security practices.
Collaboration between security and development teams is crucial for effective application security.
Incentivizing developers through monetary and non-monetary rewards can encourage them to prioritize security.
Choosing the right vulnerability scanning tools and evaluating their fit for the organization is important.
Regularly reviewing and updating security practices and tools is necessary for program maturity.
In small organizations, outsourcing or seeking guidance from trusted advisors can help establish basic security measures.
Software supply chain security, particularly open source models and code bases, poses a significant threat in the future.

#DevSecOps #SecureCoding #AppSecTips #CodeSecurity #TechTrends #DevelopersLife #CodingBestPractices

April 5, 2024 | Episode 3 | 1 hr 19 min

Threat Modeling and (Extreme) Shift Left with Anderson Dadario

Web Security Dev Academy WAITING LIST: http://links.dev-academy.com/b8F Secure your spot and receive exclusive bonuses 🎉

In this conversation, Anderson Dadario, the founder of DevOps.security, discusses the importance of integrating security into the software development process. He explains the differences between traditional DevOps and DevSecOps, emphasizing the need for security by design and for shifting security left in the development cycle. Anderson also walks through a threat modeling exercise for a web application, identifying potential risks and implementing mitigation techniques. He highlights the importance of understanding the business requirements and balancing security measures against the company's risk appetite, and he suggests quick wins for developers who want to integrate security into their DevOps workflow. The conversation also covers different approaches to threat modeling, common security vulnerabilities developers should know, spectacular exploitation situations, and final thoughts and resources.

Takeaways
Integrating security into the software development process is crucial for building secure applications.
DevSecOps focuses on security by design and shifting security left in the development cycle.
Threat modeling exercises help identify potential risks and implement mitigation techniques.
Understanding the business requirements and balancing security measures with the risk appetite of the company is essential.
Quick wins for integrating security include using tools like dependency scanners, conducting threat modeling sessions, and standardizing security processes across teams.
Threat modeling can be approached in different ways, including manual, automated, and scaled approaches.
Outdated frameworks and a lack of data validation and authorization checks are common security vulnerabilities that developers need to be aware of.
Spectacular exploitation situations can occur when critical vulnerabilities are discovered in production applications.
Remaining curious and continuously learning is essential for navigating the complex field of security.

Connect with Us
Bartosz:
- https://github.com/bartosz-io
- https://twitter.com/bartosz_io
- https://www.linkedin.com/in/bpietrucha
Anderson:
- https://www.linkedin.com/in/andersondadario/
- https://devops.security/

Thank you for tuning in to the Dev Academy Podcast. Enhance your web security insight with us as we explore the fascinating world of technology with industry experts.

#DevSecOps #WebSecurity #SoftwareDevelopment #ThreatModeling #CyberSecurity #SecurityByDesign #DevOpsSecurity #SecureCoding
