Technical interviews about software topics.
Security – Software Engineering Daily
Authlete and Making OAuth Accessible with Justin Richer – OAuth is an open standard for access delegation. It lets users grant websites or applications access to their information on other websites without giving away passwords. OpenID Connect is an identity layer on top of OAuth. Even if you haven't programmed using OAuth and OpenID Connect, you've certainly used them for authentication on Google, …
Biometric Authentication with Vincent Delitz – Corbado is an authentication platform that provides APIs for developers to replace passwords with passkeys unlocked by biometrics such as Face ID or Touch ID. Vincent Delitz is a Co-Founder at Corbado and he joins the show to talk about the platform, the changing authentication landscape, the challenge of session management with passkeys, and more. Gregor Vand is …
SimpleWebAuthn with Matthew Miller – SimpleWebAuthn is an open source, TypeScript-centric pair of libraries (frontend and backend) that makes it easier for developers to implement WebAuthn on the web. Matthew Miller started the project in 2019 and it has grown in tandem with the popularization of WebAuthn. He joins the podcast today to talk about the history of …
OpsHelm with Kyle McCullough – Security issues can often be traced back to small misconfigurations in a database or cloud service, or to an innocent code commit. OpsHelm is a security platform oriented around identifying and fixing these issues. Kyle McCullough is the Co-Founder and CTO of OpsHelm and he has deep experience in backend and data engineering. He joins …
Apiiro Security Posture Management with Yonatan Eldar – Software supply chain security is a major challenge in the modern engineering environment. Many teams are working to establish best practices to proactively identify, fix, and prevent risks in their applications. Apiiro is a platform designed to solve this problem, giving risk visibility, prioritization, and remediation. Yonatan Eldar is the Co-Founder and CTO at …
Blocking Ransomware Attacks with Anthony Cusimano – Ransomware attacks involve the deployment of malware that blocks access to a user's or organization's computer files by encrypting them. The attackers then demand a ransom payment in exchange for the decryption key that will restore access to the files. These attacks are often directed at governments and corporations, and can be costly. Veeam is …
Software Supply Chain Security with Michael Lieberman – One of the most famous software supply chain attacks in recent years was the SolarWinds attack in 2020. In this attack, Russian hackers inserted malicious code into the SolarWinds Orion system, allowing them to infiltrate the systems of numerous corporations and government agencies, including the U.S. executive branch, military, and intelligence services. This was an example of …
KubeCon Special: Sigstore with Santiago Torres-Arias – This episode of Software Engineering Daily is part of our on-site coverage of KubeCon 2023, which took place from November 6th through 9th in Chicago. In today's interview, host Jordi Mon Companys speaks with Santiago Torres-Arias, a contributor to Sigstore, a system for registering software supply chain actors using federated identity …
The Future of HTTP with Nick Shadrin and Roman Arutyunyan – The Hypertext Transfer Protocol, or HTTP, is used to load webpages using hypertext links, and it's the foundation of the web. Tim Berners-Lee famously created HTTP version 0.9 in 1989, and defined the essential behavior of a client and a server. Version 1.0 was eventually finalized in 1996, and its secure variant called HTTPS is …
Minimum Viable Security for Cloud Apps with David Melamed – Cloud applications continue to grow in popularity, but ensuring their security often presents a formidable engineering challenge. This challenge motivated the creation of Jit. Jit is a continuous security platform for developers that seeks to enable every cloud app to start with minimum viable security, or MVS, without slowing development velocity. David …
Trusted Software Supply Chain with Vincent Danen – Available as a cloud service, Red Hat Trusted Software Supply Chain provides a DevSecOps framework to create applications more securely. Vincent Danen is the VP of Product Security at Red Hat and joins us in this episode. Red Hat has been a secure open source software provider for a very long time. We discuss how the Red …
Software Supply Chain with Feross Aboukhadijeh – The software supply chain refers to the process of creating and distributing software products. This includes all of the steps involved in creating, testing, packaging, and delivering software to end-users or customers. Socket is a new security company that can protect your most critical apps from supply chain attacks. They are taking an entirely new …
Kubernetes Security with Ian Coldwater – Ian Coldwater is a DevSecOps engineer turned red teamer who specializes in breaking and hardening Kubernetes, containers, and cloud native infrastructure. In their spare time, they like to go on cross-country road trips, capture flags, and eat a lot of pie. Ian lives in Minneapolis and tweets as @IanColdwater. This interview was recorded at KubeCon Europe and …
Seamless SecOps with Jack Naglieri – A SIEM platform gives organizations a powerful tool for improving their security posture, providing insight into potential security threats and enabling proactive security measures. Panther is a cloud-based security monitoring platform that helps teams detect and respond to security breaches quickly and intelligently. Jack Naglieri is the Founder and CEO of Panther …
Bridgecrew: Cloud Security with Guy Eisenkot – Cloud computing provides tools, storage, servers, and software products through the internet. Securing these resources is a constant process for companies deploying new code to their cloud environments. It's easy to overlook security flaws because company applications are very complex and many people work together to develop them. Wyze Labs, for example, had millions of …
Panther: Security as Code with Jack Naglieri – Originally published on August 23, 2021. Application security is usually done with a set of tools and services known as SIEM – Security Information and Event Management. SIEM tools usually try to provide visibility into an organization's security systems, as well as event log management and security event notifications. The company Panther takes traditional SIEM …
WorkOS with Michael Grinich – Enterprise-grade authentication is an essential ingredient in virtually all applications today. However, companies often have a hard time understanding the value of that authentication, especially during the early stages of product development, and hardening an application is often left as an afterthought. Add enterprise-level requirements such as single sign-on and two-factor …
Kubernetes Security Compliance with Jimmy Mesta – The Kubernetes ecosystem has drastically changed how development teams ship software. While Kubernetes has provided many advancements in cloud infrastructure, it has also left organizations with massive security blindspots. KSOC was created to give developers and security teams a single control plane to harden multi-cluster Kubernetes environments through event-driven analysis, least privilege enforcement, and remediation-as-code.
JavaScript Supply Chain with Feross Aboukhadijeh – The JavaScript supply chain includes numerous vulnerabilities due to its expansive nature and long dependency chains. Socket is a new security company that can protect your most critical apps from supply chain attacks. They are taking an entirely new approach to one of the hardest problems in security in a stagnant part of the …
Software Supply Chain with Barak Schoster – The software supply chain consists of packages, imports, dependencies, containers, and APIs. These different components each have unique security risks. To ensure the security of their software supply chain, many developers use tools to analyze and scan their infrastructure for vulnerabilities. Barak Schoster works at Bridgecrew, a DevSecOps cloud security platform. He joins the show …
Snyk Engineering with Guy Podjarny – Snyk is a platform for security that started with open source scanning and has expanded into container security, infrastructure as code, and other products. Snyk is a simple product to use, but has hidden complexities that build large data structures to manage and scan code dynamically. In a previous episode we discussed the core Snyk …
The State of Software Supply Chain 2021 with Ilkka Turunen – Everyone is becoming increasingly aware of supply chains for physical goods. Software has its own supply chain. A supply of open source solutions exists, as does a demand for these solutions by industry. Both have surely grown, but it would be nice to have a way of measuring by how much. The State of Software …
Tetrate Service Bridge with Zack Butcher – Microservice architecture has become a ubiquitous design choice. Application developers typically have neither the training nor the interest to implement low-level security features in their software. For this and many other reasons, the notion of a service mesh has been introduced to provide a framework for service-to-service communication. Today's guest is Zack Butcher. While working …
Deploying Computer Vision to the Edge at Anduril Industries with Forrest Iandola – Neural networks, and in particular deep neural networks, have revolutionized machine learning. Researchers and companies have pushed on the efficiency of every aspect of the machine learning lifecycle. The impact of the trained models is particularly significant for computer vision and in turn for autonomous driving and security systems. In this episode, I interview Forrest Iandola, …
NBSafety for Jupyter Notebooks with Stephen Macke – The notebook paradigm of coding is relatively new compared with REPLs and IDEs. Notebooks run in your browser and give you discrete cells for running segments of code. All the code in a single cell runs at once, but cells run independently. Cells can be re-run, which is a blessing and a curse. The …
Cybersecurity Threats with Jason Pufahl and Russell Jancewicz – Phishing attacks, malware, and ransomware are just some of the major threats everyone connected to the internet faces. For companies, the stakes are especially high. Setting up a secure infrastructure is difficult. Your adversary only needs to find one flaw to get in. Vancord is a private cybersecurity company, based in Connecticut, that was founded …
Detecting Money Laundering with Clarence Chio – Money laundering is not a new crime. However, the growth of digital communications has greatly expanded the opportunity for money launderers to find innovative new ways to hide their true intent. Some estimates suggest it could be as high as 2-5% of the world's GDP. Unit21 is a customizable no-code platform for risk and compliance …
Authorization with Sam Scott – Web applications often have some sort of login system, and once a user creates an account, they have access to features anonymous users can't see. In time, application designers often add an admin level of access for special users. This is often a slow trickle of technical debt. Proper execution of a programmatic authorization …
Panther: Security as Code with Jack Naglieri – Application security is usually done with a set of tools and services known as SIEM – Security Information and Event Management. SIEM tools usually try to provide visibility into an organization's security systems, as well as event log management and security event notifications. The company Panther takes traditional SIEM security a step further. Panther processes …
Argos Security: Cloud Configuration Security with David O'Brien – According to Fugue's new State of Cloud Security 2020 report, cloud misconfiguration remains the top cause of data breaches in the cloud, and millions of database servers are currently exposed across cloud providers. Some of the leading reasons are a lack of adequate oversight and too many APIs and interfaces to govern (securityaffairs.co). Argos Security …
Material Security with Ryan Noon – Ryan Noon is the CEO of Material Security. This interview was also recorded as a video podcast. Check out the video on the Software Daily YouTube channel. Sponsorship inquiries: sponsor@softwareengineeringdaily.com
Vanta: Maintaining Security Standards with Christina Cacioppo – SOC 2 is a security audit to prove that SaaS companies have secured their company and customer data. It's often considered the minimum audit necessary to sell software. HIPAA is a federal law regulating how sensitive medical information about patients must be handled. ISO 27001 is the global benchmark for demonstrating your information security management …
Magic with Sean Li – In this episode we discuss plug and play auth, password management, and crypto with Sean Li, co-founder and CEO of Magic. This interview was also recorded as a video podcast. Check out the video on the Software Daily YouTube channel. Sponsorship inquiries: sponsor@softwareengineeringdaily.com
Skiff: Secure Document Collaboration with Andrew Milich – Encryption algorithms provide the means to secure and transfer sensitive information by taking input and transforming it into an unreadable output. Usually one or more secret keys are needed to transform that output back into the original input. These algorithms power the security of everything from our cell phone lock screens to Fortune 500 …
Semgrep: Modern Static Analysis with Isaac Evans – Static analysis is a type of debugging that identifies defects without running the code. Static analysis tools can be especially useful for enforcing security policies by analyzing code for security vulnerabilities early in the development process, allowing teams to rapidly address potential issues and conform to best practices. R2C has developed a fast, open-source static …
Sym: Security Workflows with Yasyf Mohamedali – Security is more important than ever, especially in regulated fields such as healthcare and financial services. Developers working in highly regulated industries often spend considerable time building tooling to help improve compliance and pass security audits. While the core of many security workflows is similar, each industry and each organization may have its own idiosyncratic …
Network Discovery with HD Moore – Network discovery allows enterprises to identify what devices are on their network. These devices can include smartphones, servers, desktop computers, and tablets. Being able to index the devices on a network is crucial to figuring out the security profile of that network. HD Moore is a founder of Rumble Networks, a company focused on network …
Osquery with Ganesh Pai – Osquery is a tool for providing visibility into operating system endpoints. It is a flexible tool developed originally at Facebook. Ganesh Pai is the founder of Uptycs, a company that uses Osquery to find threats and malicious activity occurring across nodes. Ganesh joins the show to talk about Osquery usage and his work on Uptycs.
Anduril Engineering with Gokul Subramanian – Anduril is a technology defense company with a focus on drones, computer vision, and other problems related to national security. It is a full-stack company that builds its own hardware and software, which leads to a great many interesting questions about cloud services, engineering workflows, and management. Gokul Subramanian is an engineer at Anduril, and …
Security Monitoring with Marc Tremsal – Logs are the source of truth. If a company is sufficiently instrumented, the logging data that streams off of the internal infrastructure can be refined to tell a comprehensive story of what is changing across that infrastructure in real time. This includes logins, permission changes, and other events that could signal a potential security compromise. Datadog …
Grapl: Graph-Based Detection and Response with Colin O'Brien – A large software company such as Dropbox is at constant risk of security breaches. These breaches can take the form of social engineering attacks, network intrusions, and other malicious adversarial behavior. This behavior can be surfaced by analyzing collections of log data. Log-based threat response is not a new technique. But how should …
Static Analysis for Infrastructure with Guy Eisenkot – Infrastructure-as-code tools are used to define the architecture of software systems. Common infrastructure-as-code tools include Terraform and AWS CloudFormation. When infrastructure is defined as code, we can use static analysis tools to analyze that code for configuration mistakes, just as we could analyze a programming language with traditional static analysis tools. When a developer writes …
Zoom Vulnerabilities with Patrick Wardle – Zoom video chat has become an indispensable part of our lives. In a crowded market of video conferencing apps, Zoom managed to build a product that performs better than the competition, scaling with high quality to hundreds of meeting participants, and millions of concurrent users. Zoom's rapid growth in user adoption came from its focus …
Cloud Log Analysis with Jack Naglieri – Large software companies have lots of users, and the activity from those users results in high volumes of traffic. These companies also have a large surface area across the enterprise. There are hundreds of services and databases that are fulfilling user requests. As these requests enter the infrastructure of the enterprise, the requests travel through …
Snyk: Open Source Security with Guy Podjarny – The software supply chain includes cloud infrastructure, on-prem proprietary solutions, APIs, programming languages, networking products, and open source software. Each of these software categories has its own security vulnerabilities, and each category has tools that can help protect a company from attackers that are trying to exploit known vulnerabilities. As open source software has grown …
Security Monitoring with Jeff Williams – The modern software supply chain contains many different points of distribution: JavaScript frameworks, npm modules, Docker containers, open source repositories, cloud providers, on-prem firmware, IoT, networking proxies, and so much more. With so much attack surface, securing a large enterprise is an uphill battle. Jeff Williams is the CTO at Contrast Security, a company that …
Container Platform Security with Maya Kaczorowski – A Kubernetes instance occupies a wide footprint of multiple servers, creating an appealing target to an attacker, due to its access to a large pool of compute resources. A common attack against an exposed Kubernetes cluster is to take it over for the purposes of mining cryptocurrency. Thus it is important to keep a cluster …
Security Businesses with Steve Herrod – Upcoming events: A Conversation with Haseeb Qureshi at Cloudflare on April 3, 2019; FindCollabs Hackathon at App Academy on April 6, 2019. Steve Herrod was the CTO at VMware and now works as a managing director at General Catalyst, where he focuses on investments relating to security. Large enterprises are difficult to secure. An enterprise …
StarkWare: Transparent Computational Integrity with Eli Ben Sasson – Computational integrity is a property that is required for financial transactions on the Internet. Computational integrity means that the output of a certain computation is correct. If I deposit money into my bank, my bank sends me a number that represents the new balance in my account. I assume that the number they have sent …
Policy Enforcement with Shimon Tolts – The nature of software projects is changing. Projects are using a wider variety of cloud providers and SaaS tools. Projects are being broken up into more git repositories, and the code in those repositories is being deployed as small microservices. With the increased number of tools, repositories, and deployment targets, it can become difficult to …
Digital Privacy with Aran Khanna – When Aran Khanna was a college student, he accepted an internship to work at Facebook. Even before his internship started, he started playing around with Facebook's APIs and applications. Aran built a Chrome extension called Marauder's Map, which used Facebook Messenger's web APIs to track where people lived, what their schedule was, and other highly …