POPULARITY
Luke is Chief Product Officer and co-founder at Semgrep. Semgrep performs static application security testing, a form of code analysis, and has grown to become one of the mainstay application security tools on the market over the last eight years. Luke started Semgrep after three years at Palantir as a software engineer and product manager, and this episode really helped drive home the supportive community amongst former Palantir employees. In the discussion we cover his early entrepreneurial efforts such as modifying Xboxes, the 17 different product variations they tried before the current form of Semgrep, and how he thinks about the innovator's dilemma as a growth-stage company in a vertical being disrupted by AI.Website
When it comes to securing software, most developers feel like they're playing catch-up instead of setting the rules.Tanya Janca (SheHacksPurple), author of "Alice and Bob Learn Secure Coding," brings her 28 years of IT and security expertise—spanning counter-terrorism to enterprise training—to Dev Interrupted. She unpacks the common pitfalls teams face when security is treated as an afterthought, highlighting the developer frustration of being held accountable for security without the tools or knowledge needed to succeed.Explore how transforming security from a final gate into an ongoing practice saves money, reduces conflict, and builds better software through clear requirements and true developer empowerment. Tanya provides concrete advice for developers and leaders on creating internal knowledge libraries, fostering continuous learning habits, and critically evaluating AI-generated code to ensure it meets security standards. Speaking of AI's growing role, we're curious how it's reshaping workflows across the industry. Share your own experiences with AI adoption by taking our quick survey to discover your spot on the adoption graph (and what you can do to level up).Check out:Beyond Copilot: Gaining the AI AdvantageSurvey: Discover Your AI Collaboration StyleFollow the hosts:Follow BenFollow AndrewFollow today's guest(s):Website: SheHacksPurpleLinkedIn: Tanya JancaBook: Alice and Bob Learn Secure CodingReferenced in today's show:Shopify CEO says staffers need to prove jobs can't be done by AI before asking for more headcountAnthropic flips the script on AI in education: Claude's Learning Mode makes students do the thinkingCelebrate 50 years of Microsoft with the company's original source codeSupport the show: Subscribe to our Substack Leave us a review Subscribe on YouTube Follow us on Twitter or LinkedIn Offers: Learn about Continuous Merge with gitStream Get your DORA Metrics free forever
Ken and Seth are back for another episode that starts with a summary of the Semgrep and OpenGrep break. This is followed by Google's recent article titled Secure By Design: Google's Blueprint for a High-Assurance Web Framework. Google is focused on protections within the browser, given their products and business, but the controls and overall process are relevant to most application security programs. Finally, a discussion of Orange Tsai's research on Confusion Attacks within Apache that was number one in Portswigger's Top 10 Web Hacking Techniques of 2024.
Spoiler: it's probably in your pocket or sitting on the table in front of you, right now! Modern smartphones are conveniently well-suited for identity verification. They have microphones, cameras, depth sensors, and fingerprint readers in some cases. With face scanning quickly becoming the de facto technology used for identity verification, it was a no-brainer for Nametag to build a solution around mobile devices to address employment scams. Segment Resources: Company website Aaron's book, Loyal Listeners of the show are probably aware (possibly painfully aware) that I spend a lot of time analyzing breaches to understand how failures occurred. Every breach story contains lessons organizations can learn from to avoid suffering the same fate. A few details make today's breach story particularly interesting: It was a Chinese APT Maybe the B or C team? They seemed to be having a hard time Their target was a blind spot for both the defender AND the attacker Segment Resources: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/ https://www.theregister.com/2024/09/18/chinesespiesfoundonushqfirm_network/ This week, in the enterprise security news, Semgrep raises a lotta money CYE acquires Solvo Sophos completes the Secureworks acquisition SailPoint prepares for IPO Summarizing the 2024 cybersecurity market Lawyers that specialize in keeping breach details secret Scientists torture AI Make sure to offboard your S3 buckets extinguish fires with bass All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-393
Spoiler: it's probably in your pocket or sitting on the table in front of you, right now! Modern smartphones are conveniently well-suited for identity verification. They have microphones, cameras, depth sensors, and fingerprint readers in some cases. With face scanning quickly becoming the de facto technology used for identity verification, it was a no-brainer for Nametag to build a solution around mobile devices to address employment scams. Segment Resources: Company website Aaron's book, Loyal Listeners of the show are probably aware (possibly painfully aware) that I spend a lot of time analyzing breaches to understand how failures occurred. Every breach story contains lessons organizations can learn from to avoid suffering the same fate. A few details make today's breach story particularly interesting: It was a Chinese APT Maybe the B or C team? They seemed to be having a hard time Their target was a blind spot for both the defender AND the attacker Segment Resources: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/ https://www.theregister.com/2024/09/18/chinesespiesfoundonushqfirm_network/ This week, in the enterprise security news, Semgrep raises a lotta money CYE acquires Solvo Sophos completes the Secureworks acquisition SailPoint prepares for IPO Summarizing the 2024 cybersecurity market Lawyers that specialize in keeping breach details secret Scientists torture AI Make sure to offboard your S3 buckets extinguish fires with bass All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-393
This week, in the enterprise security news, Semgrep raises a lotta money CYE acquires Solvo Sophos completes the Secureworks acquisition SailPoint prepares for IPO Summarizing the 2024 cybersecurity market Lawyers that specialize in keeping breach details secret Scientists torture AI Make sure to offboard your S3 buckets extinguish fires with bass All that and more, on this episode of Enterprise Security Weekly. Show Notes: https://securityweekly.com/esw-393
This week, in the enterprise security news, Semgrep raises a lotta money CYE acquires Solvo Sophos completes the Secureworks acquisition SailPoint prepares for IPO Summarizing the 2024 cybersecurity market Lawyers that specialize in keeping breach details secret Scientists torture AI Make sure to offboard your S3 buckets extinguish fires with bass All that and more, on this episode of Enterprise Security Weekly. Show Notes: https://securityweekly.com/esw-393
Cybersecurity venture funding has increased recently. Semgrep, an application security startup, secured $100 million in Series D funding, led by Menlo Ventures and including investments from multiple firms. Since 2017, Semgrep has raised a total of $204 million. The company focuses on providing an autonomous code security platform that helps developers and security engineers create safeguards for application development. In 2024, investments in cybersecurity ventures rose by 43% year-over-year, totaling nearly $11.6 billion. Despite a flat funding quarter in the last quarter of 2024, investment momentum continued into 2025, with Semgrep's funding round being the only one exceeding nine figures.Learn more on this news visit us at: https://greyjournal.net/news/ Hosted on Acast. See acast.com/privacy for more information.
Send us a textWelcome to 2025! Ken and Mike kick off the new year with their security resolutions (or lack thereof) before diving into the bittersweet farewell to ShmooCon, one of the most beloved hacker conferences. Ken shares his experiences from the final event, including insights on hardware hacking, radio security, and the unique hacker culture that made ShmooCon special.They also unpack one of the most practical talks from the conference: a deep dive into open source security tools versus enterprise solutions, highlighting ways security teams can cut costs without sacrificing effectiveness. Speaking of open source, the hosts discuss the controversy surrounding Semgrep's licensing changes and the rise of OpenGrep, the latest community-driven fork in response to closed-source shifts—drawing parallels to the Terraform/OpenTofu saga.Finally, the duo explores cyber risk from an insurance perspective, breaking down how breaches translate into real-world financial costs (hint: mailing breach notifications alone could bankrupt you). Whether you're a security pro, an open source advocate, or just here for the ShmooBall nostalgia, this episode has something for you!
Seth and Ken return for another week to review current articles and happenings in the application security world. Specifically, they spend some time reacting to the news that the Semgrep Community version has been forked as Opengrep by a number of vendors. This occurs as a result of Semgrep changing the licenses on their open source rules to prevent use in competitor products. Also a discussion spurred by Rami McCarthy's recent article on how "No" is still appropriate and security shouldn't be a rubber stamp for any organization.
Celebrating and Elevating Women in Cyber: Recently, International Women in Cyber Day (September 1) highlighted the ongoing challenges women face in the cybersecurity field, as well as the progress made in recent years. Women bring exceptional skills and knowledge to cybersecurity; however, it is estimated that they make up only 20% to 25% of the cybersecurity workforce—a percentage that has remained stagnant for years. Even more concerning, women often hit a glass ceiling just six to ten years into their cybersecurity careers. Lynn Dohm sheds light on these issues and emphasizes what the industry needs to focus on to continue celebrating and elevating women in cyber. Segment Resources: 2023 State of Inclusion Benchmark in Cybersecurity 2024 Cyber Talent Study by N2K and WiCyS WiCyS Programs This week, we've added an extra news segment just on AI. Not because we wanted to, but because the news cycle has bludgeoned us into it. My mom is asking about Chinese AI, my neighbor wants to know why his stocks tanked, my clients want to know how to prevent their employees from using DeepSeek, it's a mess. First, a DeepSeek primer, so we can make sure all Enterprise Security Weekly listeners know what they need to know. Then we get into some other AI news stories. DeepSeek Primer I think the most interesting aspect of the DeepSeek announcements is the business/market impact, which isn't really security-related, but could have some impact on security teams. By introducing models that are cheaper to train, sell access to, and less demanding to run on systems, DeepSeek has opened up more market opportunities. That means we'll see generative AI used in markets and ways that didn't make sense before, because it was too expensive. Another aspect that's really confusing is what DeepSeek is or does. For the most part, when someone says "DeepSeek", they could be referring to: the company the open source models released by the company the SaaS service (https://chat.deepseek.com) the mobile app (which is effectively just a front end for #3) the API (which is what the mobile app and SaaS service are built on top of) From a security perspective, there's little to no operational risk around downloading and using the models, though they're likely to get banned, so companies could get in trouble for using them. As for the app, API, or SaaS service, assume everything you type into them is getting collected by China (so, significantly less safe, probably no US companies should do this). But because these services are crazy cheap right now, I wouldn't be surprised if some suppliers and third parties will start using DeepSeek - if your third party service provider is using DeepSeek behind the scenes with your data, you still have problem #2, so best to ensure they're not doing this through updated contract language and call to confirm that they're not currently doing it (can take a while to get a new contract in place). This week in the enterprise security weekly news, we discuss funding and acquisitions Understanding the Semgrep license drama Ridiculous vulnerabilities everywhere: vulns to take down your entire city's cell service vulns to mess with your Subarus vulns in Microsoft 365 authentication cybersecurity regulations are worthless Facebook is banning people for mentioning Linux Vigilantes on Github Mastercard DNS error Qubes OS Turning a "No" into a conversation All that and more, on this episode of Enterprise Security Weekly! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-392
Celebrating and Elevating Women in Cyber: Recently, International Women in Cyber Day (September 1) highlighted the ongoing challenges women face in the cybersecurity field, as well as the progress made in recent years. Women bring exceptional skills and knowledge to cybersecurity; however, it is estimated that they make up only 20% to 25% of the cybersecurity workforce—a percentage that has remained stagnant for years. Even more concerning, women often hit a glass ceiling just six to ten years into their cybersecurity careers. Lynn Dohm sheds light on these issues and emphasizes what the industry needs to focus on to continue celebrating and elevating women in cyber. Segment Resources: 2023 State of Inclusion Benchmark in Cybersecurity 2024 Cyber Talent Study by N2K and WiCyS WiCyS Programs This week, we've added an extra news segment just on AI. Not because we wanted to, but because the news cycle has bludgeoned us into it. My mom is asking about Chinese AI, my neighbor wants to know why his stocks tanked, my clients want to know how to prevent their employees from using DeepSeek, it's a mess. First, a DeepSeek primer, so we can make sure all Enterprise Security Weekly listeners know what they need to know. Then we get into some other AI news stories. DeepSeek Primer I think the most interesting aspect of the DeepSeek announcements is the business/market impact, which isn't really security-related, but could have some impact on security teams. By introducing models that are cheaper to train, sell access to, and less demanding to run on systems, DeepSeek has opened up more market opportunities. That means we'll see generative AI used in markets and ways that didn't make sense before, because it was too expensive. Another aspect that's really confusing is what DeepSeek is or does. For the most part, when someone says "DeepSeek", they could be referring to: the company the open source models released by the company the SaaS service (https://chat.deepseek.com) the mobile app (which is effectively just a front end for #3) the API (which is what the mobile app and SaaS service are built on top of) From a security perspective, there's little to no operational risk around downloading and using the models, though they're likely to get banned, so companies could get in trouble for using them. As for the app, API, or SaaS service, assume everything you type into them is getting collected by China (so, significantly less safe, probably no US companies should do this). But because these services are crazy cheap right now, I wouldn't be surprised if some suppliers and third parties will start using DeepSeek - if your third party service provider is using DeepSeek behind the scenes with your data, you still have problem #2, so best to ensure they're not doing this through updated contract language and call to confirm that they're not currently doing it (can take a while to get a new contract in place). This week in the enterprise security weekly news, we discuss funding and acquisitions Understanding the Semgrep license drama Ridiculous vulnerabilities everywhere: vulns to take down your entire city's cell service vulns to mess with your Subarus vulns in Microsoft 365 authentication cybersecurity regulations are worthless Facebook is banning people for mentioning Linux Vigilantes on Github Mastercard DNS error Qubes OS Turning a "No" into a conversation All that and more, on this episode of Enterprise Security Weekly! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-392
This week in the enterprise security weekly news, we discuss funding and acquisitions Understanding the Semgrep license drama Ridiculous vulnerabilities everywhere: vulns to take down your entire city's cell service vulns to mess with your Subarus vulns in Microsoft 365 authentication cybersecurity regulations are worthless Facebook is banning people for mentioning Linux Vigilantes on Github Mastercard DNS error Qubes OS Turning a "No" into a conversation All that and more, on this episode of Enterprise Security Weekly! Show Notes: https://securityweekly.com/esw-392
This week in the enterprise security weekly news, we discuss funding and acquisitions Understanding the Semgrep license drama Ridiculous vulnerabilities everywhere: vulns to take down your entire city's cell service vulns to mess with your Subarus vulns in Microsoft 365 authentication cybersecurity regulations are worthless Facebook is banning people for mentioning Linux Vigilantes on Github Mastercard DNS error Qubes OS Turning a "No" into a conversation All that and more, on this episode of Enterprise Security Weekly! Show Notes: https://securityweekly.com/esw-392
An open source security project forks in response to license changes (and an echo of how we've been here before), car hacking via spectacularly insecure web apps, hacking a synth via spectacularly cool MIDI messages, cookie parsing problems, the RANsacked paper of 100+ LTE/5G vulns found from fuzzing, and more! Show Notes: https://securityweekly.com/asw-315
An open source security project forks in response to license changes (and an echo of how we've been here before), car hacking via spectacularly insecure web apps, hacking a synth via spectacularly cool MIDI messages, cookie parsing problems, the RANsacked paper of 100+ LTE/5G vulns found from fuzzing, and more! Show Notes: https://securityweekly.com/asw-315
Seth and Ken are happy to announce that Clint Gibler (@clintgibler), the force behind TL;DRSec (tldrsec.com) and head of Security Research at Semgrep, will be coming on as a guest again on the Absolute AppSec podcast. The conversation starts with background on his experience with TL;DRSec and writing a newsletter. Followed up by an indepth discussion on secure defaults and how Semgrep and other tools help push security in organizations.
Welcome to another episode of the Supra Insider. This time, Ben and Marc are joined by Katie Kent, who shares her unique experience transitioning from a product leadership role back to an individual contributor (IC) as a staff PM at Semgrep. Katie talks about how her background in leadership has sharpened her skills as an IC, the lessons she's learned from the security industry, and why she believes in staying hands-on with product work. The conversation explores the value of remote and hybrid work, the evolving role of tools like FigJam in fostering collaboration, and what it means to bring joy and delight into B2B products. Whether you're a PM considering a career shift or looking to deepen your strategic thinking, this episode offers a wealth of insights.All episodes of the podcast are also available on Spotify, Apple and YouTube (video).New to the pod? Subscribe below to get the next episode in your inbox
Application security is crucial for protecting sensitive data and ensuring the integrity and trustworthiness of software systems against cyber threats. In this episode, Tanya Janca, head of community and education at Semgrep discusses the importance of “shifting left” in the software development lifecycle, along with the best and worst practices in DevSecOps. Tanya has been coding and working in IT for more than 25 years and is the best-selling author of the book ‘Alice and Bob Learn Application Security'. You can follow Tanya on social media under the handle @SheHacksPurple. Resources: Semgrep website: https://semgrep.dev/ 'Alice and Bob Learn Application Security': https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/B097NJSSV8 'Alice and Bob Learn Secure Coding': https://www.wiley.com/en-us/Alice+and+Bob+Learn+Secure+Coding-p-9781394171705 SheHacksPurple YouTube: https://www.youtube.com/channel/UCyxbNw11fMUgoR3XpVYVPIQ SheHacksPurple website: https://shehackspurple.ca/ OWASP Global AppSec Conference: https://sf.globalappsec.org/ CISA Secure by Design: https://www.cisa.gov/securebydesign Tanya's RSAC Talk on DevSecOps worst practices: https://www.rsaconference.com/library/Presentation/USA/2023/DevSecOps%20Worst%20Practices RSAC Presentation: 'The End of DevSecOps?' by DJ Schleen: https://www.rsaconference.com/Library/presentation/usa/2024/the%20end%20of%20devsecops Executive Order on Improving the Nation's Cybersecurity (SBOMs): https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Scaling new product lines within a growing company can be both an opportunity and quite challenging. Semgrep's Head of Engineering Adam Berman joined us this week to share his own experience developing Semgrep's second product line.Adam was instrumental in developing Semgrep's second product line, and he shares practical strategies for moving from a single-product to a multi-product organization. He unpacks the challenges of organizational design, the importance of fast iteration and feedback loops, and how to build a cohesive company identity with so many moving parts.If you want to learn how to effectively scale products and how to drive product growth, this episode is a must-listen.Episode Highlights: 1:10 The challenges of new product lines 4:25 Scaling teams for success and strategies for growth7:30 Finding the right balance between practicality and innovation12:15 A startup within a startup mentality 18:40 Learning through experimentation23:55 Key considerations when navigating product market fit28:20 Driving growth in engineering teamsShow Notes: Adam Berman on LinkedInAdam Berman (@adamberman_13) / XSemgrepDownload your copy of the Essential Guide to Software Engineering Intelligence Platforms Support the show: Subscribe to our Substack Leave us a review Subscribe on YouTube Follow us on Twitter or LinkedIn Offers: Learn about Continuous Merge with gitStream Get your DORA Metrics free forever
Our speaker this week is Sean Ericson, where we discussed the following, the founder of Abloom GTM, a sales development advisory firm that architects SDR and RevOps motions. Before Abloom, he provided foundational consulting services for 30+ startups like Clearbit, ConductorOne, Semgrep and Dolby.io as a Partner at InsideScale, and was a founding SDR at Talkdesk. Sean holds a Master's in International Development from the London School of Economics and is currently building a SaaS product for nurses. This Week's Episode is Brought to you with Netsuite. Get a personalized demo at Netsuite.com/Scale - that is netsuite.cm slash scale. --- Support this podcast: https://podcasters.spotify.com/pod/show/uncharted1/support
Join us for a conversation with Tanya Janka, also known as SheHacksPurple, as she discusses secure guardrails, the difference between guardrails and paved roads, and how to implement both in application security. Tanya, an award-winning public speaker and head of education at SEMGREP, shares her insights on creating secure software and teaching developers. Tanya also shares with us about her hobby farm and love for gardening. Mentioned in this episode:Tanya Janca – What Secure Coding Really Means Tanya Janca – Mentoring Monday - 5 Minute AppSec Tanya Janca and Nicole Becher – Hacking APIs and Web Services with DevSlopThe Expanse Series by James S.A. CoreyAlice and Bob Learn Application Security by Tanya Janca FOLLOW OUR SOCIAL MEDIA: ➜Twitter: @AppSecPodcast➜LinkedIn: The Application Security Podcast➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In this episode, Host Ron Eddings catches up with longtime friend, Tanya Janka, Head of Education and Community at SemGrep and author of 'Alice and Bob Learn Application Security.' Tanya shares her experiences from working in the Canadian government to joining Microsoft and eventually founding WeHackPurple. Tanya talks about her new role at SemGrep, where she focuses on making application security education accessible, and the importance of building supportive communities in the tech industry. Impactful Moments: 00:00 - Welcome 01:20 - Introducing guest, Tanya Janca 03:09 - “IDK How to Make SemGrep Rules…” 0707 - Finding Shadow IT & Embezzlers 11:27 - Join Our Mastermind 12:09 - Becoming an AppSec Professional 15:22 - Elections CISO 18:00 - Speaking at Conferences 21:15 - Microsoft Calls Me One Day… 23:21 - Parting Ways; But Still Friends 24:30 - “Can You Train Our Devs?” 27:50 - Fairness Is Important 32:27 - Put Yourself Out There! Links: Connect with our guest, Tanya Janca: https://www.linkedin.com/in/tanya-janca/ Check out SemGrep Academy: https://academy.semgrep.dev/ We Hack Purple Podcast: https://wehackpurple.buzzsprout.com/ Check out our upcoming events: https://www.hackervalley.com/livestreams Join our creative mastermind and stand out as a cybersecurity professional: https://www.patreon.com/hackervalleystudio Love Hacker Valley Studio? Pick up some swag: https://store.hackervalley.com Continue the conversation by joining our Discord: https://hackervalley.com/discord Check out our upcoming events: hackervalley.com/livestreams Become a sponsor of the show to amplify your brand: https://hackervalley.com/work-with-us/
Tanya Janca (@shehackspurple on X) joins Ken Johnson (@cktricky) and Seth Law (@sethlaw) for a special episode of the Absolute AppSec podcast. Tanya is currently head of education and community at Semgrep, and is a prominent info security commenter and active contributor to improving the industry for everybody through helping spread values of diversity, inclusion and kindness. Tanya has had experience with a range of roles, startup founder, pentester, CISO, AppSec Engineer, and software developer, and she's worked at major industry landmarks such as Microsoft, Adobe, and Nokia. She is an award-winning public speaker, the founder of We Hack Purple (since acquired by Semgrep), an active blogger and streamer and has delivered hundreds of talks and trainings on 6 continents. Catch up with Tanya's multiple activities and initiatives at her website https://shehackspurple.ca
Check out the BrakeSecEd Twitch at https://twitch.tv/brakesec Join the Discord! https://discord.gg/brakesec #youtube VOD (in 1440p): https://www.youtube.com/watch?v=axQWGyd79NM Questions and topics: Bsides Vancouver discussion Semgrep Community and Academy Building communities What are ‘secure guardrails' Reducing barriers between security and developers How to sell security to devs: “hey, if you want to see us less, buy/use this?” “Security is your barrier, but we have goals that we can't reach without your help.” https://wehackpurple.com/devsecops-worst-practices-artificial-gates/ How are you seeing things like AI being used to help with DevOps or is it just making things more complicated? Not just helping write code, but infrastructure Ops, software inventories, code repo hygiene, etc? OWASP PNW https://www.appsecpnw.org/ Alice and Bob coming next year! Additional information / pertinent LInks (Would you like to know more?): shehackpurple.ca Semgrep (https://semgrep.dev/) https://aliceandboblearn.com/ https://academy.semgrep.dev/ (free training) Netflix ‘paved roads': https://netflixtechblog.com/how-we-build-code-at-netflix-c5d9bd727f15 https://en.wikipedia.org/wiki/Nudge_theory https://www.perforce.com/blog/qac/what-is-linting https://www.youtube.com/watch?v=FSPTiw8gSEU https://techhq.com/2024/02/air-canada-refund-for-customer-who-used-chatbot/ Show points of Contact: Amanda Berlin: @infosystir @hackershealth Brian Boettcher: @boettcherpwned Bryan Brake: https://linkedin.com/in/brakeb Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@BrakeSecEd Twitch Channel: https://twitch.tv/brakesec
Summary The conversation discusses the extradition case of Julian Assange and the role of the US prison system in the decision. It also explores Tanya Janca's role at Semgrep and her passion for affordable cybersecurity education. Additionally, it touches on Tanya's experience in election security and the importance of transparency in the process. Tanya discusses her volunteer work with the Canadian government, where she helps educate students about cybersecurity. She talks about the importance of teaching young people about privacy, protecting digital devices, and understanding cyber threats. Tanya also mentions her involvement in the Cyber Titan competition and her efforts to promote cybersecurity as a career. She shares her experience writing the book 'Alice and Bob Learn Application Security' and her unique approach to making technical concepts accessible through stories and different learning styles. Tanya also talks about the importance of mentoring and how she has benefited from mentors throughout her career.Keywords Julian Assange, extradition, US prison system, cybersecurity education, Semgrep, election security, transparency, volunteer work, Canadian government, cybersecurity education, privacy, digital devices, cyber threats, Cyber Titan, promoting cybersecurity, career, Alice and Bob Learn Application Security, technical concepts, stories, learning styles, mentoringTakeawaysThe extradition case of Julian Assange highlights the differences in prison systems between the US and other Western democracies.Tanya Janca's role at Semgrep involves community management and education in the field of cybersecurity.Affordable cybersecurity education is crucial for organizations to effectively use security tools and integrate them into their programs.Election security requires centralization, knowledge sharing, and transparency to ensure public trust in the process. Volunteer work with the Canadian government focuses on educating students about cybersecurity, including topics like privacy and protecting digital devices.Promoting cybersecurity as a career is important, and initiatives like the Cyber Titan competition help engage high school students in learning about cybersecurity.Tanya's book 'Alice and Bob Learn Application Security' uses stories and different learning styles to make technical concepts accessible.Mentoring is valuable for personal and professional growth, and Tanya has both benefited from mentors and become a mentor herself.TitlesThe Importance of Transparency in Election SecurityCybersecurity as a Career: The Cyber Titan CompetitionThe Value of Mentoring: Tanya's Experience as a Mentor and MenteeSound Bites"I am head of community and education, which is a role they made up just for me.""They decided, I think in 2017, we need to make a task force to make sure they know cyber.""Defenders need to understand attacks or they can't be good at defending, right? Like we're teaching them ethics as we teach them how to hack.""Alice and Bob are going to learn secure coding this time."Chapters00:00 The Extradition Case of Julian Assange08:18 Affordable Cybersecurity Education at Semgrep30:40 Tanya's Volunteer Work with the Canadian Government31:35 Promoting Cybersecurity as a Career34:02 Making Technical Concepts Accessible: 'Alice and Bob Learn Application Security'39:45 The Value of Mentoring
Tanya Janca, also known as SheHacksPurple, is the head of community and education at Semgrep and the best-selling author of Alice and Bob Learn Application Security. With more than 25 years of experience in coding, application security, and IT, Tanya has dedicated herself to “securing all the things.” Tanya's career journey began in the Canadian government, […]
Colin Bell, Rob Cuddy and Kris Duer from HCL Software bring you another insightful application paranoia session.In this weeks episode our special guest is Tanya Janca who is helping the team discuss all things Security in the Devlopment space. Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security'. She is also the head of education and community at Semgrep! As the founder of We Hack Purple, Tanya is bringing her security training to Semgrep customers and beyond. Tanya has been coding and working in IT for over twenty years, won numerous awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an Advisor for NordSec and Katilyst and the Founder of We Hack Purple, OWASP DevSlop, WoSECShe and the very popular #CyberMentoringMonday. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion and kindness, which shines through in her countless initiatives.
Kyle Kelly joins Seth Law and Ken Johnson as a special guest on the Absolute AppSec podcast. Kyle is an Executive Cybersecurity Consultant at Bancsec, Inc, and Security Researcher at Semgrep, and founder of the wonderful Cramhacks newsletter. As a consultant and researcher, Kyle specializes in supply chain security, a speciality that informs the thoughts he publicizes, but even more so cramhacks reflects his desire to help his readers become contributors to improving the cybersecurity landscape and analysis of software security supply chains. Subscribe to Kyle's newsletter at cramhacks.com.
Enhancing Everyone's Experience with Exceptional Supportability; with Alexis GrantUnlock the secrets to crafting a B2B SaaS experience that customers love and support teams can rally behind. That's what we're bringing to the table with Alexis Grant. Alexis is a seasoned expert in B2B SaaS support, primarily as a support engineer for developer tools and tech products such as New Relic, HashiCorp, and Zapier, and is currently at Semgrep. She lives in Portland, Oregon with her cat and claims to only truly love two pieces of software: cURL and jq.Together, we go diving headfirst into the concept of “supportability”. We chart the course for designing products that are not just powerful but also a breeze to support. Alexis imparts wisdom on how meticulously engineered reliability, predictability, scalability, and usability form the bedrock of products that practically support themselves. This episode is a treasure trove of insights for anyone keen on elevating their SaaS customer experience to new heights. Steering the conversation towards the empowerment of support teams, we dissect how vital knowledge sharing and the right tech stack can be in bolstering a team's capabilities. The introduction of a supportability checklist and the role of a 'support champion' come to light, detailing how they prepare new releases to face the frontline, fully equipped. We also stress the magic that happens when teams across the board—from support to product development—align their efforts. By embedding supportability into the DNA of every product cycle, we share how organizations can ensure operational success and deliver an unmatched customer experience. Tune in and transform your tech support experience!Support the show
In this episode of Secure Networks, Michael chats with Tanya Janka, aka SheHacksPurple, head of education and community at Semgrep and founder of We Hack Purple. Tanya discusses her transition from developer to security expert, the real issues behind the cybersecurity skills gap, and strategies for employee retention. She also dives into the implications of emerging technologies on security practices and the balance between automation and human expertise. Don't miss these valuable insights.Visit Tanya's websites: ► We Hack Purple - [https://wehackpurple.com/] ► Semgrep - [https://semgrep.dev/]
In this week's show Patrick Gray and Adam Boileau discuss the week's security news. They talk about: Thought eels were slippery? Check out AnyDesk's PR! Why Microsoft's 365 is a nightmare to secure Cloudflare's needlessly hostile blog post US Government introduces “Disneyland ban” for spyware peddlers Much, much more… This week's feature guest is Eric Goldstein, the executive assistant director for cybersecurity at CISA. He's joining the show to talk about CISA's demand that US government agencies unplug their Ivanti appliances. He also chimes in on why the US government is so rattled by Volt Typhoon and addresses a recent report from Politico that claims CISA's Joint Cyber Defense Collaborative is a bit of a shambles. This week's sponsor guest is Dan Guido from Trail of Bits. He joins us to talk about their new Testing Handbook. Trail of Bits does a bunch of audit work and they've committed to trying to make bug discovery a one time thing – if you find that bug once, you shouldn't have to manually find it on another client engagement. Semgrep for the win! Show notes AnyDesk initiates extensive credentials reset following cyberattack | Cybersecurity Dive AnyDesk says software ‘safe to use' after cyberattack Former CIA officer who gave WikiLeaks state secrets gets 40-year sentence Arrests in $400M SIM-Swap Tied to Heist at FTX? – Krebs on Security Microsoft Breach — What Happened? What Should Azure Admins Do? | by Andy Robbins | Feb, 2024 | Posts By SpecterOps Team Members Cloudflare hit by follow-on attack from previous Okta breach | Cybersecurity Dive Thanksgiving 2023 security incident US announces visa restriction policy targeting spyware abuses Announcement of a Visa Restriction Policy to Promote Accountability for the Misuse of Commercial Spyware - United States Department of State Deputy Prime Minister hosts first global conference targeting ‘hackers for hire' and malicious use of commercial cyber tools - GOV.UK New Google TAG report: How Commercial Surveillance Vendors work A Startup Allegedly ‘Hacked the World.' Then Came the Censorship—and Now the Backlash | WIRED American businessman settles hacking case in UK against law firm Crime bosses behind Myanmar cyber ‘fraud dens' handed over to Chinese government Another Chicago hospital announces cyberattack Deepfake scammer walks off with $25 million in first-of-its-kind AI heist | Ars Technica As if 2 Ivanti vulnerabilities under exploit weren't bad enough, now there are 3 | Ars Technica Two new Ivanti bugs discovered as CISA warns of hackers bypassing mitigations Agencies using vulnerable Ivanti products have until Saturday to disconnect them | Ars Technica The far right is scaring away Washington's private hacker army - POLITICO Our thoughts on AIxCC's competition format | Trail of Bits Blog How CISA can improve OSS security | Trail of Bits Blog Securing open-source infrastructure with OSTIF | Trail of Bits Blog Announcing the Trail of Bits Testing Handbook | Trail of Bits Blog 30 new Semgrep rules: Ansible, Java, Kotlin, shell scripts, and more | Trail of Bits Blog Publishing Trail of Bits' CodeQL queries | Trail of Bits Blog The Unguarded Moment (2002 Digital Remaster) - YouTube Boy Swallows Universe | Official Trailer | Netflix - YouTube
In this week's show Patrick Gray and Adam Boileau discuss the week's security news. They talk about: Thought eels were slippery? Check out AnyDesk's PR! Why Microsoft's 365 is a nightmare to secure Cloudflare's needlessly hostile blog post US Government introduces “Disneyland ban” for spyware peddlers Much, much more… This week's feature guest is Eric Goldstein, the executive assistant director for cybersecurity at CISA. He's joining the show to talk about CISA's demand that US government agencies unplug their Ivanti appliances. He also chimes in on why the US government is so rattled by Volt Typhoon and addresses a recent report from Politico that claims CISA's Joint Cyber Defense Collaborative is a bit of a shambles. This week's sponsor guest is Dan Guido from Trail of Bits. He joins us to talk about their new Testing Handbook. Trail of Bits does a bunch of audit work and they've committed to trying to make bug discovery a one time thing – if you find that bug once, you shouldn't have to manually find it on another client engagement. Semgrep for the win! Show notes AnyDesk initiates extensive credentials reset following cyberattack | Cybersecurity Dive AnyDesk says software ‘safe to use' after cyberattack Former CIA officer who gave WikiLeaks state secrets gets 40-year sentence Arrests in $400M SIM-Swap Tied to Heist at FTX? – Krebs on Security Microsoft Breach — What Happened? What Should Azure Admins Do? | by Andy Robbins | Feb, 2024 | Posts By SpecterOps Team Members Cloudflare hit by follow-on attack from previous Okta breach | Cybersecurity Dive Thanksgiving 2023 security incident US announces visa restriction policy targeting spyware abuses Announcement of a Visa Restriction Policy to Promote Accountability for the Misuse of Commercial Spyware - United States Department of State Deputy Prime Minister hosts first global conference targeting ‘hackers for hire' and malicious use of commercial cyber tools - GOV.UK New Google TAG report: How Commercial Surveillance Vendors work A Startup Allegedly ‘Hacked the World.' Then Came the Censorship—and Now the Backlash | WIRED American businessman settles hacking case in UK against law firm Crime bosses behind Myanmar cyber ‘fraud dens' handed over to Chinese government Another Chicago hospital announces cyberattack Deepfake scammer walks off with $25 million in first-of-its-kind AI heist | Ars Technica As if 2 Ivanti vulnerabilities under exploit weren't bad enough, now there are 3 | Ars Technica Two new Ivanti bugs discovered as CISA warns of hackers bypassing mitigations Agencies using vulnerable Ivanti products have until Saturday to disconnect them | Ars Technica The far right is scaring away Washington's private hacker army - POLITICO Our thoughts on AIxCC's competition format | Trail of Bits Blog How CISA can improve OSS security | Trail of Bits Blog Securing open-source infrastructure with OSTIF | Trail of Bits Blog Announcing the Trail of Bits Testing Handbook | Trail of Bits Blog 30 new Semgrep rules: Ansible, Java, Kotlin, shell scripts, and more | Trail of Bits Blog Publishing Trail of Bits' CodeQL queries | Trail of Bits Blog The Unguarded Moment (2002 Digital Remaster) - YouTube Boy Swallows Universe | Official Trailer | Netflix - YouTube
Tanya Janca, head of Community and Education at Semgrep and the founder of WeHackPurple, joins Ann on this week's episode of Afternoon Cyber Tea. Tanya brings over two decades of coding and IT experience, navigating diverse landscapes from startups to tech giants like Microsoft, Adobe, and Nokia. Tanya is not just a seasoned professional; she's also the acclaimed author of 'Alice and Bob Learn Application Security,' a groundbreaking book that goes beyond the fundamentals, delving into intricate subjects such as threat modeling and security testing. She is a dynamic force in the cybersecurity community, an award-winning public speaker, and an engaging streamer, sharing her expertise through hundreds of talks and training sessions spanning six continents. Ann and Tanya unravel the layers of Tanya's journey, shedding light on the ever-evolving landscape of application security and beyond. Resources: View Tanya Janca on LinkedIn View Ann Johnson on LinkedIn Related Microsoft Podcasts: Microsoft Threat Intelligence Podcast The BlueHat Podcast Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts Afternoon Cyber Tea with Ann Johnson is produced by Microsoft and distributed as part of The CyberWire Network.
In this episode, noteworthy guest Tanya Janca returns to discuss her recent ventures and her vision for the future of Application Security. She reflects on the significant changes she has observed since her career at Microsoft, before discussing her new role at Semgrep that recently acquired WeHackPurple. Tanya sheds light on her decision to partner […] The post Application Security Trends & Challenges with Tanya Janca appeared first on Shared Security Podcast.
In this special episode of the Future of Application Security, recorded at the Developers & Security are Friends Day, Eric speaks with Colleen Dai, Senior Security Researcher at Semgrep, an open source static analysis tool. They discuss strategies security teams can take to reduce false positives, use secure defaults to eliminate bug classes, and reduce complexity in security decision-making. They also talk about ways to build the relationships between security, developers, and engineers, which includes aligning on goals, communication, and recognition. Topics discussed: Colleen's background and what her security research role at Semgrep entails. How to use secure defaults to eliminate bug classes and reduce the complexity in security decisions. How to reduce false positives by writing rules and checks, especially ones that are customized to your organization. How to better align the goals of security and developers by focusing on creating good software — and good software is secure software. How to build relationships with engineers through communication and recognition, not just talking through Jira tickets. Why security and developers still struggle with cross-site scripting and how it can be fixed.
Ken Johnson (cktricky) and Seth Law (@sethlaw) welcome Leif Dreizler back on the show! Leif recently became a Senior Manager of Software Engineering at Semgrep (semgrep.dev) , spent the better part of a decade working in product security and security software engineering at Twilio and Segment (segment.io). He also is a podcast co-host for the 404 Security Not Found podcast.
Victoria and Will interview Rishi Malik, the Founder of Backstop.it and VP of Engineering at Varo Bank. They talk about Rishi's recent adventure at DEF CON, the renowned annual security conference that he's attended for six years, and describes how it has transformed from a mere learning experience into a thrilling competition for him and his team. The conference = their playground for tackling an array of security challenges and brain-teasing puzzles, with a primary focus on cloud security competitions. They talk about the significance of community in such events and how problem-solving through interaction adds value. Rishi shares his background, tracing his path from firmware development through various tech companies to his current roles in security and engineering management. The vital topic of security in the fintech and banking sector highlights the initial concerns people had when online banking emerged. Rishi navigates through the technical intricacies of security measures, liability protection, and the regulatory framework that safeguards online banking for consumers. He also highlights the evolving landscape, where technological advancements and convenience have bolstered consumer confidence in online banking. Rishi shares his unique approach to leadership and decision-making, and pearls of wisdom for budding engineers starting their careers. His advice revolves around nurturing curiosity and relentlessly seeking to understand the "why" behind systems and processes. __ Backstop.it (https://backstop.it/) Follow Backstop.it on X (https://twitter.com/wearebackstop). Varo Bank (https://www.varomoney.com/) Follow Varo Bank on Instagram (https://www.instagram.com/varobank/), Facebook (https://www.facebook.com/varomoney/), X (https://twitter.com/varobank), YouTube (https://www.youtube.com/varomoney), or LinkedIn (https://www.linkedin.com/company/varobank/). Follow Rishi Malik on LinkedIn (https://www.linkedin.com/in/rishilmalik/). Follow thoughtbot on X (https://twitter.com/thoughtbot) or LinkedIn (https://www.linkedin.com/company/150727/). Become a Sponsor (https://thoughtbot.com/sponsorship) of Giant Robots! Transcript: VICTORIA: This is the Giant Robots Smashing Into Other Giant Robots podcast, where we explore the design, development, and business of great products. I'm your host, Victoria Guido. WILL: And I'm your other host, Will Larry. And with us today is Rishi Malik, Founder of Backstop.it and VP of Engineering at Varo Bank. Rishi, thank you for joining us. RISHI: Thanks for having me. I'm excited to be here. VICTORIA: Yes, Rishi. I'm so excited to talk with you today about your security background and get into your role at Varo and Backstop IT. But first, I wanted to hear a little bit more about your recent experience attending DEF CON. How was that? RISHI: It was awesome. I do have quite the background in security at this point. And one of the things I started doing early on, as I was getting up to speed and learning more about the security-specific side of things, was beginning to attend DEF CON itself. So, I've now gone six years straight. And it started out as just kind of experiencing the conference and security and meeting folks. But it's progressed to where I now bring a team of people where we go and we compete. We have a good time. But we do get to kind of bring the security side of things into the software engineering and engineering leadership stuff that we all do on a day-to-day basis. VICTORIA: Yeah. And what kind of puzzles do you solve with your team when you attend DEF CON? RISHI: There's definitely a lot of variety there, which I think is part of the fun. So, DEF CON frequently has electronic badges, you know, with random puzzles on there that you have to solve. Some of it are cryptographic. Some of them are kind of random cultural things. Sometimes there's music challenges based around it. Sometimes, it's social and interactive. And you have to go find the right type of badge or the right person behind it to unlock something. So, all of those, you know, typically exist and are a ton of fun. Primarily, in the last few years, we've been focusing more on the cloud CTF. So, in this case, it's our team competing against other teams and really focused on cloud security. So, it's, you know, figuring out vulnerabilities in, you know, specially designed puzzles around AWS and GCP, the application side of things as well, and competing to see how well you can do. Three years ago, the last couple of years, we've not won it, but we've been pretty competitive. And the great thing is the field is expanding as more and more people get into CTF themselves but, more importantly, into cloud infrastructure and cloud knowledge there. So, it's just great to see that expansion and see what people are into, what people are learning, and how challenging some of these things can be. VICTORIA: I love the idea of having a puzzle at a conference where you have to find a specific person to solve it. And yeah, I'm always interested in ways where we can have these events where you're getting together and building community and growing expertise in a field but in a way that makes it fun [laughs] and isn't just life-draining long, like, talks about random stuff. RISHI: [laughs] I think what you're touching on there is crucial. And you said the word community, and, to me, that is, you know, a big part of what DEF CON and, you know, hacking and security culture is. But it is, I think, one of the things that kind of outside of this, we tend to miss it more, you know, specifically, like, focused conferences. It is more about kind of the content, you know, the hallway track is always a thing. But it's less intentional than I personally, at this stage, really prefer, you know. So, I do like those things where it is encouraging interaction. For me, I'd rather go to happy hour with some people who are really well versed in the subject that they're in rather than even necessarily listening to a talk from them on what they're doing. Simply because I think the community aspect, the social aspect, actually gets you more of the information that is more relevant to what you're doing on a day-to-day basis than just consuming it passively. VICTORIA: I agree because consuming it passively or even intentionally remotely, there are things that you didn't even think to think about [laughs] that aren't going to come up just on your own. You have to have another person there who's...Actually, I have a good friend who's co-working with me this week who's at Ticketmaster. And so, just hearing about some of the problems they have and issues there has been entertaining for me. So yeah, I love that about DEF CON, and I love hearing about community stories and fun ways that companies can get a benefit out of coming together and just putting good content out there. RISHI: Absolutely. I think problem-solving is where you get the most value out of it as a company and as a business. VICTORIA: Yeah, maybe that's a good segue to tell me a little bit more about your background and how you came to be where you are today. RISHI: Yeah. For me growing up, I was always that problem-solver type of person. So, I think that's what kind of naturally gravitated me towards tech and, you know, hardware and software engineering. You know, so, for me, I go back quite a while. I'd been doing a lot of development, you know, in the early days of my career. I started out doing firmware development back in the days of large tape libraries, right? So, if you think about, like, big businesses back before cloud was a big thing and even back before SSDs were a thing, you know, it was all spinning disks. It was all tape. And that's kind of the area that I started in. So, I was working on robots that actually move tapes around these giant tape libraries that are, you know, taller than I am that you can walk inside of because they're so big, for big corporations to be able to backup their data on an overnight basis. You have to do that kind of stuff. Then I started going into smaller and smaller companies, into web tech, into startups, then into venture-backed startups. And then, eventually, I started my own company and did that for a while. All of this is really just kind of, you know, software engineering in a nutshell, lots of different languages, lots of different technologies. But really, from the standpoint of, here's a whole bunch of hard problems that need to be solved. Let's figure out how we can do that and how we can make some money by solving some of these problems. That eventually kind of led me down the security path as well and the engineering management side of things, which is what I do now, both at Backstop...is a security consulting business and being VP of Engineering at Varo Bank. WILL: How was your journey? Because you started as an intern in 2003. RISHI: [laughs] WILL: And then, you know, 20 years later. So, how was your journey through all of that? [laughs] RISHI: [laughs] You know, I hadn't actually put it together that it has been 20 years this year until you said that. So, that's awesome. It's been a blast, you know. I can honestly say it's been wildly different than what I imagined 20 years ago and interesting in different ways. I think I'm very fortunate to be able to say that. When I started out as an intern in 2003, technologies were very different. I was doing some intern shifts with the federal government, you know, so the pace was wildly different. And when I think of where technology has come now, and where the industry has gone, and what I get to do on a day-to-day basis, I'm kind of just almost speechless at just how far we've come in 20 years, how easy some things are, how remarkably hard some other things are that should honestly be easy at this point, but just the things that we can do. I'm old enough that I remember cell phones being a thing and then smartphones coming out and playing with them and being like, yeah, this is kind of mediocre. I don't really know why people would want this. And the iPhone coming out and just changing the game and being like, okay, now I get it. You know, to the experience of the internet and, you know, mobile data and everywhere. It's just phenomenal the advances that we've had in the last 20 years. And it makes me excited for the next 20 years to see what we can do as we go forward. VICTORIA: I'm going to take personal offense to someone knowing that technology being too old [laughs], but, yeah, because it really wasn't that long ago. And I think one thing I always think about having a background in civic tech and in financial tech as well is that the future is here; it's just not evenly distributed. So, now, if you're building a new company, of course, the default is to go straight to the cloud. But many companies and organizations that have been around for 60-80 years and using the internet right when it first came out are still in really old technologies that just simply work. And maybe they're not totally sure why, and change is difficult and slow. So, I wonder if you have any experience that you can take from the banking or fintech industry on how to make the most out of modern security and compliance platforms. RISHI: Yeah, you know, I think most people in tech especially...and the gray hairs on me are saying the younger folks in tech especially don't realize just how much older technologies still exist and will exist for quite some time. When you think of banking itself, you know, most of the major companies that you can think of, you know, in the U.S. especially but kind of across the world that are the top tier names of banks, and networks, and stuff like that, still run mainframes. When you swipe your credit card, there's a very good chance that is processed on a mainframe. And that's not a bad thing. But it's just, you know when you talk to younger engineers, it's not something that kind of crosses their mind. They feel like it is old-tech. The bulk of businesses don't actually run on the cloud. Having been through it, I've racked and stacked servers and had to figure out how to physically take hardware across, you know, country borders and things like those lines. And now, when I do want to spin up a server somewhere else, it's just a different AWS region. So, it's remarkably easy, at this point, to solve a lot of those problems. But once you're up and live and you have customers, you know, where downtime is impactful or, you know, the cost of moving to the cloud or modernizing your technology is substantial, things tend to move a lot slower. And I think you see that, especially when it comes to security, because we have more modern movements like DevOps bringing security into it. And with a lot of the, you know, the modern security and compliance platforms that exist, they work very, very well for what they do, especially when you're a startup or your whole tech stack is modernized. The biggest challenges, I think, seem to come in when you have that hybrid aspect of it. You do have some cloud infrastructure you have to secure. You do have some physical data centers you have to secure. You have something that is, you know, on-premise in your office. You have something that is co [inaudible 10:01] somewhere else. Or you also have to deal with stuff like, you know, much less modern tech, you know, when it comes to mainframes and security and kind of being responsible for all of that. And I think that is a big challenge because security is one of those things where it's, you know, if you think of your house, you can have the strongest locks on your door and everything else like that. But if you have one weak point, you have a window that's left open, that's all it takes. And so, it has to be all-inclusive and holistic. And I think that is remarkably hard to do well, even despite where technology has come to these days. WILL: Speaking of securities, I remember when the Internet banking started a couple of years ago. And some of the biggest, I guess, fears were, like, the security around it, the safety. Because, you know, your money, you're putting your money in it, and you can't go to a physical location to talk to anyone or anything. And the more and more you learn about it...at first, I was terrified of it because you couldn't go talk to someone. But the more and more I learned about it, I was like, oh, there's so much security around it. In your role, what does that look like for you? Because you have such a huge impact with people's money. So, how do you overcome that fear that people have? RISHI: There's, I think, a number of steps that kind of go into it. And, you know, in 2023, it's certainly a little bit easier than it used to be. But, you know, very similar, I've had the same questions, you know, and concerns that you're describing. And I remember using one of the first banks that was essentially all digital and kind of wondering, you know, where is my money going? What happens if something goes wrong? And all of those types of things. And so, I think there is kind of a number of different aspects that go into it. One is, you know, obviously, the technical aspects of security, you know, when you put your credit card number in on the internet, you know, is it encrypted? You know, is it over, you know, TLS? What's happening there? You know, how safe and secure is all that kind of thing? You know, at this point, pretty much everyone, at least in the U.S., has been affected by credit card breaches, huge companies like Home Depot and Target that got cards accessed or, you know, just even the smaller companies when you're buying something random from maybe something...a smaller website on the internet. You know, that's all a little bit better now. So, I think what you have there was just kind of a little bit of becoming comfortable with what exists now. The other aspect, though, I think, then comes into, well, what happens when something goes wrong? And I think there's a number of aspects that are super helpful for that. I think the liability aspect of credit card, you know, companies saying, you know, and the banks "You're not liable for a fraudulent transaction," I think that was a very big and important step that really helps with that. And on top of that, then I think when you have stuff like the FDIC, you know, and insurance in the U.S., you know, that is government-backed that says, you know what? Even if this is an online-only digital bank, you're safe. You're protected. The government's got your back in that regard. And we're going to make sure that's covered. At Varo, that's one of the key things that we think about a lot because we are a bank. Now, most FinTechs, actually, aren't banks, right? They partner with other third-party banks to provide their financial services. Whereas at Varo, we are federally regulated. And so, we have the full FDIC protection. We get the benefits of that. But it also means that we deal with the regulation aspects and being able to prove that we are safe and secure and show the regulators that we're doing the right things for our customers. And I think that's huge and important because, obviously, it's safety for customers. But then it changes how you begin to think about how you're designing products, and how you're [inaudible 13:34] them, and, you know, how you're marketing them. Are we making a mobile app that shows that we're safe, and secure, and stable? Or are we doing this [inaudible 13:42] thing of moving too fast and breaking things? When it's people's money, you have to be very, very dialed into that. You still have to be able to move fast, but you have to show the protection and the safety that people have because it is impactful to their lives. And so, I think from the FinTech perspective, that's a shift that's been happening over the last couple of years to continue that. The last thing I'll say, too, is that part of it has just come from technology itself and the comfort there. It used to be that people who were buying, you know, items on the internet were more the exception rather than the rule. And now with Amazon, with Shopify, with all the other stuff that's out there, like, it's much more than a norm. And so, all of that just adds that level of comfort that says, I know I'm doing the right things as a consumer, that I'm protected. If I, you know, do have problems, my bank's got my back. The government is watching out for what's happening and trying to do what they can do to regulate all of that. So, I think all of that has combined to get to that point where we can do much more of our banking online and safely. And I think that's a pretty fantastic thing when it comes to what customers get from that. I am old enough that I remember having to figure out times to get to the bank because they're open nine to five, and, you know, I have to deposit my paycheck. And, you know, I work nine to five, and maybe more hours pass, and I had no idea when I can go get that submitted. And now, when I have to deposit something, I can just take a picture with my phone, and it safely makes it to my account. So, I think the convenience that we have now is really amazing, but it has certainly taken some time. And I think a number of different industry and commercial players kind of come together and make that happen. MID-ROLL AD: Now that you have funding, it's time to design, build, and ship the most impactful MVP that wows customers now and can scale in the future. thoughtbot Liftoff brings you the most reliable cross-functional team of product experts to mitigate risk and set you up for long-term success. As your trusted, experienced technical partner, we'll help launch your new product and guide you into a future-forward business that takes advantage of today's new technologies and agile best practices. Make the right decisions for tomorrow today. Get in touch at thoughtbot.com/liftoff. VICTORIA: I appreciate that perspective on approaching security from the user experience of wanting safety. And I'm curious if we can talk in contrast from that experience to the developer experience with security. And how do you, as a new leader in this financial product company, prioritize security and introduce it from a, like, building a safety culture perspective? RISHI: I think you just said that very eloquently. It is a safety culture. And cultural changes are hard. And I think for quite some time in the developer industry, security was either an afterthought or somebody else's problem. You know, it's the security team that has to think about it. It's, you know, and even these days, it's the red team that's going to go, you know, find these answers or whatever I'm shipping as a developer. My only thing to focus on is how fast I can ship, or, you know, what I'm shipping, rather than how secure is what I'm shipping. And so, I think to really be effective at that, it is a cultural shift. You have to think and talk about security from the outset. And you have to bake those processes into how you build product. Those security conversations really do need to start at the design phase. And, you know, thinking about a mobile app for a bank as an example, you know, it starts when you're just thinking about the different screens on a mobile app that people are going to go through. How are people interpreting this? You know, what is the [inaudible 17:23], and the feeling, and the emotions, that we're building towards? You know, is that safe and secure or, you know, is it not? But then it starts getting to the architecture and the design of the systems themselves to say, well, here's how they're going to enter information, here's how we're passing this back and forth. And especially in a world where a lot of software isn't just 100% in-house, but we're calling other partners for that, you know, be it, you know, infrastructure or risk, you know, or compliance, or whatever else it may be, how are we protecting people's data? How are we making sure our third parties are protecting people's data? You know, how are we encrypting it? How are we thinking about their safety all the way through? Again, even all the way down to the individual developer that's writing code, how are we verifying they're writing good, high-quality, secure code? Part of it is training, part of it is culture, part of it is using good tooling around that to be able to make sure and say, when humans make mistakes because we are all human and we all will make mistakes, how are we catching that? What are the layers do we have to make sure that if a mistake does happen, we either catch it before it happens or, you know, we have defense in depth such that that mistake in and of itself isn't enough to cause a, you know, compromise or a problem for our customers? So, I think it starts right from the start. And then, every kind of step along the way for delivering value for customers, also let's add that security and privacy and compliance perspective in there as well. VICTORIA: Yes, I agree. And I don't want to work for a company where if I make a small human mistake, I'm going to potentially cost someone tens or however many thousands of dollars. [laughs] WILL: I have a question around that. How, as a leader, how does that affect you day to day? Because I feel like there's some companies, maybe thoughtbot, maybe other companies, that a decision is not as critical as working as a bank. So, you, as a leader, how do you handle that? RISHI: There's a couple of things I try and consider in any given big or important decision I have to make, the aspects around, like, you know, the context, what the decision is, and that type of stuff. But from a higher level, there's kind of two things I try and keep in mind. And when I say keep in mind, like, when it's a big, impactful decision, I will actually go through the steps of, you know, writing it down or talking this out loud, sometimes by myself, sometimes with others, just, again, to make sure we are actually getting to the meat of it. But the first thing I'm trying to think of is kind of the Amazon idea of one-way versus two-way doors. If we make this decision and this is the wrong decision, what are the ramifications of that? You know, is it super easy to undo and there's very little risk with it? Or is it once we've made this decision or the negative outcome of this decision has happened, is it unfixable to a certain degree? You know, and that is a good reminder in my head to make sure that, you know, A, I am considering it deeply. And that, B, if it is something where the ramifications, you know, are super huge, that you do take the time, and you do the legwork necessary to make sure you're making a good, valid decision, you know, based on the data, based on the risks involved and that there's a deep understanding of the problem there. The second thing I try to think of is our customers. So, at Varo, our customers aren't who most banks target. A lot of banks want you to take all your money, put it in there, and they're going to loan that money out to make their money. And Varo is not that type of bank, and we focus on a pretty different segment of the market. What that means is our customers need their money. They need it safely and reliably, and it needs to be accurate when they have it. And what I mean by that is, you know, frequently, our customers may not have, you know, hundreds or a thousand dollars worth of float in their bank accounts. So, if they're going and they're buying groceries and they can't because there's an error on our side because we're down, and because the transactions haven't settled, then that is very, very impactful to them, you know, as an individual. And I think about that with most of these decisions because being in software and being in engineering I am fortunate enough that I'm not necessarily experiencing the same economic struggles that our customers may have. And so, that reminder helps me to think about it from their perspective. In addition, I also like to try and think of it from the perspective...from my mom, actually, who, you know, she is retired age. She's a teacher. She's non-technical. And so, I think about her because I'd say, okay, when we're making a product or a design decision, how easy is it for her to understand? And my biases when I think about that, really kind of come into focus when I think about how she would interpret things. Because, you know, again, for me, I'm in tech. I think about things, you know, very analytically. And I just have a ton of experience across the industry, which she doesn't have. So, even something as simple as a little bit of copy for a page that makes a ton of sense to me, when I think about how she would interpret it, it's frequently wildly different. And so, all of those things, I think, kind of come together to help make a very strong and informed decision in these types of situations where the negative outcomes really do matter. But you are, you know, as Varo is, you're a startup. And you do need to be able to build more products quickly because our customers have needs that aren't being met by the existing banking industry. And so, we need to provide value to them so that their lives are a bit better. VICTORIA: I love that focus on a specific market segment and their needs and solving for that problem. And we know that if you're at a certain income level, it's more expensive [laughs] because of the overdraft fees and other things that can cause you problems. So, I really appreciate that that's the mission at Varo, and that's who you're focusing on to create a better banking product that makes more sense. I'm curious if there were any surprises and challenges that you could share from that discovery process and finding out, you know, exactly what were those things where your mom was, like, uh, actually, I need something completely different. [laughs] RISHI: Yeah, so, [chuckles] I'm chuckling because, you know, it's not, like, a single kind of time or event. It's, you know, definitely an ongoing process. But, you know, as actually, we were talking, you know, about earlier in terms of being kind of comfortable with doing things digital and online, that in and of itself is something that even in 2023, my mom isn't as comfortable or as confident as, you know, say, maybe the three of us are. As an example, when sending money, you know, kind of like a peer-to-peer basis, like, if I'm sending my mom a little bit of money, or she's sending me something, you're kind of within the family. Things that I would think would be kind of very easy and straightforward actually do cause her a little bit more concern. Okay, I'm entering my debit card number into this so that it can get, you know, the cash transferred into my bank account. You know, again, for me, it didn't even cross my mind, actually, that that would be something uncomfortable. But for my mom, that was something where she actually had some concerns about it and was messaging me. Her kind of personal point of view on that was, I would rather use a credit card for this and get the money on a credit card instead of a debit card because the debit card is linked to a bank account, and the security around that needs to be, you know, much tighter. And so, it made her more uncomfortable entering that on her phone. Whereas even a credit card it would have given her a little bit more peace of mind simply because it wasn't directly tied to her bank account. So, that's just, you know, the most recent example. I mean, honestly, that was earlier today, but it's something I hadn't thought of. And, again, for most of our customers, maybe that's not the case and how they think. But for folks that are at that retirement age, you know, in a world where there are constant barrages of scam, you know, emails, and phone calls, and text messages going around, the concern was definitely there. VICTORIA: That happened to me. Last week, I was on vacation with my family, and we needed to pay my mom for the house we'd rented. And I had to teach her how to use Zelle and set up Zelle. [laughter] It was a week-long process. But we got there, and it works [laughs] now. But yeah, it's interesting what concerns they have. And the funny part about it was that my sister-in-law happens to be, like, a lawyer who prevents class action lawsuits at a major bank. And she reassured us that it was, in fact, secure. [laughs] I think it's interesting thinking about that user experience for security. And I'm curious, again, like, compare again with the developer experience and using security toolings. And I wonder if you had any top recommendations on tools that make the developer experience a little more comfortable and feeling like you're deploying with security in mind. RISHI: That, in particular, is a bit of a hard question to answer. I try and stay away from specific vendors when it comes to that because I think a lot of it is contextual. But I could definitely talk through, like, some of the tools that I use and the way I like to think about it, especially from the developer perspective. I think, first off, consider what aspect of the software development, you know, lifecycle you're in. If you are an engineer writing, you know, mostly application code and dealing with building product and features and stuff like that, start from that angle. I could even take a step back and say security as an industry is very, very wide at this point. There is somebody trying to sell you a tool for basically every step in the SDLC process, and honestly, before and after to [inaudible 26:23]. I would even almost say it's, to some extent, kind of information and vendor overload in a lot of ways. So, I think what's important is to think about what your particular aspect of that is. Again, as an application engineer, or if you're building cloud infrastructure, or if you're an SRE, you know, or a platform team, kind of depending on what you are, your tooling will be different. The concepts are all kind of similar ideas, but how you go about what you build will be different. In general, I like to say, from the app side of things, A, start with considering the code you're writing. And that's a little bit cultural, but it's also kind of more training. Are you writing code with a security mindset? are you designing systems with a security mindset? These aren't things that are typically taught, you know, in school if you go get a CS degree, or even in a lot of companies in terms of the things that you should be thinking about. So, A, start from there. And if you don't feel like you think about, you know, is this design secure? Have we done, you know, threat modeling on it? Are we considering all of the error paths or the negative ways people can break the system? Then, start from that and start going through some of the security training that exists out there. And there's a lot of different aspects or avenues by which you can get that to be able to say, like, okay, I know I'm at least thinking about the code I write with a security mindset, even if you haven't actually changed anything about the code you're writing yet. What I actually think is really helpful for a lot of engineers is to have them try and break things. It's why I like to compete in CTFs, but it's also why I like to have my engineers do the same types of things. Trying to break software is both really insightful from the aspect that you don't get when you're just writing code and shipping it because it's not something you have time to do, but it's also a great way to build up some of the skills that you need to then protect against. And there's a lot of good, you know, cyber ranges out there. There's lots of good, just intentionally vulnerable applications that you can find on GitHub but that you can just run, you know, locally even on your machine and say, okay, now I have a little web app stood up. I know this is vulnerable. What do I do? How do I go and break it? Because then all of a sudden, the code that you're writing you start to think about a little bit differently. It's not just about how am I solving this product problem or this development problem? But it's, how am I doing this in a way that is safe and secure? Again, as an application side of things, you know, just make sure you know the OWASP Top 10 inside and out. Those are the most basic things a lot of engineers miss. And it only takes, again, one miss for it to be critical. So, start reviewing it. And then, you start to think about the tooling aspect of it. People are human. We're going to make mistakes. So, how do we use the power of technology to be able to stop this? You know, and there is static scanning tools. Like, there's a whole bunch of different ones out there. You know, Semgrep is a great one that's open source just to get started with that can help you find the vulnerable code that may exist there. Consider the SQL queries that you're writing, and most importantly, how you're writing them. You know, are you taking user input and just chucking it in there, or are you sanitizing it? When I ask these questions, for a lot of engineers, it's not usually yes or no. It's much more of an, well, I don't know. Because in software, we do a really good job of writing abstraction layers. But that also means, you know, to some extent, there may be a little bit of magic in there, or a lack thereof of magic that you don't necessarily know about. And so, you have to be able to dive into the libraries. You have to know what you're doing to even be able to say something like, oh no, this SQL query is safe from this user input because we have sanitized it. We have, you know, done a prepared statement, whatever it may be. Or, no, actually, we are just doing something here that's been vulnerable, and we didn't realize we were, and so now that's something we have to address. So, I think, like, that aspect in and of itself, which isn't, you know, a crazy ton of things. It's not spending a ton of money on different tools. But it's just internalizing the fact that you start to think a little bit differently. It provides a ton of value. The last thing on that, too, is to be able to say, especially if you're coming from a development side, or even just from a founder or a startup side of things, what are my big risks? What do I need to take care of first? What are the giant holes or flaws? You know, and what is my threat model around that? Obviously, as a bank, you have to care very deeply right from the start. You know, if you're not a bank, if you're not dealing with financial transactions, or PII, or anything like that, there are some things that you can deal with a little bit later. So, you have to know your industry, and you have to know what people are trying to do and the threat models and the threat vectors that can exist based on where you are. WILL: That's amazing. You know, earlier, we talked about you being an engineer for 20 years, different areas, and stuff like that. Do you have any advice for engineers that are starting out right now? And, you know, from probably year one to year, you know, anything under ten years of experience, do you have any advice that you usually give engineers when you're chatting with them? RISHI: The advice I tend to give people who are just starting out is be the type of person that asks, "How does this work?" Or "Why does this work?" And then do the work to figure out the answer. Maybe it is talking to someone; maybe it's diving into the details; maybe it's reading a book in some aspect that you haven't had much exposure to. When I look at my career and when I look at the careers of folks around me and the people that I've seen be most successful, both in engineering but also on the business side, that desire to know why something is the case is I think, one of the biggest things that determines success. And then the ability to answer that question by putting in the right types of work, the right types of scientific method and processes and such, are the other factor. So, to me, that's what I try and get across to people. I say that mostly to junior folks because I think when you're getting started, it's really difficult. There's a ton out there. And we've, again, as software engineers, and hardware engineers, and cloud, and all this kind of stuff, done a pretty good job of building a ton of abstraction layers. All of our abstraction layers [inaudible 32:28] to some degree. You know, so as you start, you know, writing a bunch of code, you start finding a bunch of bugs that you don't necessarily know how to solve and that don't make any sense in the avenue that you've been exposed to. But as soon as you get into the next layer, you understand how that works begin to make a lot more sense. So, I think being comfortable with saying, "I have no idea why this is the case, but I'm going to go find out," makes the biggest difference for people just starting out their career. WILL: I love that advice. Not too long ago, my manager encouraged me to write a blog post on something that I thought that I really knew. And when I started writing that blog post, I was like, oh boy, I have no idea. I know how to do it, but I don't know the why behind it. And so, I was very thankful that he encouraged me to write a blog post on it. Because once you start explaining it to other people, I feel you really have to know the whys. And so, I love that advice. That's really good advice. VICTORIA: Me too. And it makes sense with what we see statistically as well in the DORA research. The DevOps Research Association publishes a survey every year, the State of DevOps Report. And one of the biggest findings I remember from last year's was that the most secure and reliable systems have the most open communication and high trust among the teams. And so, being able to have that curiosity as a junior developer, you need to be in an environment where you can feel comfortable asking questions [laughs], and you can approach different people, and you're encouraged to make those connections and write blog posts like Will was saying. RISHI: Absolutely, absolutely. I think you touched on something very important there as well. The psychological safety really makes a big difference. And I think that's critical for, again, like, folks especially earlier in their career or have recently transitioned to tech, or whatever the case may be. Because asking "Why?" should be something that excites people, and there are companies where that's not necessarily the case, right? Where you asking why, it seems to be viewed as a sign that you don't know something, and therefore, you're not as good as what you should be, you know, the level you should be at or for whatever they expect. But I do think that's the wrong attitude. I think the more people ask why, the more people are able and comfortable to be able to say, "I don't know, but I'm going to go find out," and then being able to be successful with that makes way better systems. It makes way safer and more secure systems. And, honestly, I think it makes humans, in general, better humans because we can do that. VICTORIA: I think that's a great note to start to wrap up on. Is there any questions that you have for me or Will? RISHI: Yeah. I would love to hear from both of you as to what you see; with the experiences that you have and what you do, the biggest impediments or speed bumps are when it comes to developers being able to write and ship secure code. VICTORIA: When we're talking with new clients, it depends on where they are in really the adoption of their product and the maturity of their organization. Some early founders really have no technology experience. They have never managed an IT organization. You know, setting up basic employee account access and IDs is some of the initial steps you have to take to really get to where you can do identity management, and permissions management, and all the things that are really table stakes for security. And then others have some progress, and they have a fair amount of data. And maybe it's in that situation, like you said before, where it's really a trade-off between the cost and benefit of making those changes to a more secure, more best practice in the cloud or in their CI/CD pipeline or wherever it may be. And then, when you're a larger organization, and you have to make the trade-offs between all of that, and how it's impacting your developer experience, and how long are those deployed times now. And you might get fewer rates of errors and fewer rates of security vulnerabilities. But if it's taking three hours for your deployments to go out [laughs] because there's so many people, and there's so many checks to go through, then you have to consider where you can make some cuts and where there might be more efficiencies to be gained. So, it's really interesting. Everyone's on a different point in their journey. And starting with the basics, like you said, I love that you brought up the OWASP Top 10. We've been adopting the CIS Controls and just doing a basic internal security audit ourselves to get more ready and to be in a position where... What I'm familiar with as well from working in federal agencies, consulting, maintaining some of the older security frameworks can be a really high cost, not only in terms of auditing fees but what it impacts to your organization to, like, maintain those things [laughs] and the documentation required. And how do you do that in an agile way, in a way that really focuses on addressing the actual purpose of the requirements over needing to check a box? And how do we replicate that for our clients as well? RISHI: That is super helpful. And I think the checkbox aspect that you just discussed I think is key. It's a difficult position to be in when there are boxes that you have to check and don't necessarily actually add value when it comes to security or compliance or, you know, a decrease in risk for the company. And I think that one of the challenges industry-wide has always been that security and compliance in and of itself tends to move a little bit slower from a blue team or a protection perspective than the rest of the industry. And so, I mean, I can think of, you know, audits that I've been in where, you know, just even the fact that things were cloud-hosted just didn't make sense to the auditors. And it was a struggle to get them to understand that, you know, there is shared responsibility, and this kind of stuff exists, and AWS is taking care of some things, and we're taking care of some other things when they've just been developed with this on-premise kind of mentality. That is one of the big challenges that still exists kind of across the board is making sure that the security work that you're doing adds security value, adds business value. It isn't just checking the box for the sake of checking the box, even when that's sometimes necessary. VICTORIA: I am a pro box checker. RISHI: [laughs] VICTORIA: Like, I'll get the box checked. I'll use Trello and Confluence and any other tool besides Excel to do it, too. We'll make it happen with less pain, but I'd rather not do it [laughs] if we don't have to. RISHI: [laughs] VICTORIA: Let's make it easy. No, I love it. Is there anything else that you want to promote? RISHI: No, I don't think there's anything else I want to promote other than I'm going to go back to what I said just earlier, like, that culture. And if, you know, folks are out there and you have junior engineers, you have engineers that are asking "Why?", you have people that just want to do the right thing and get better, lean into that. Double down on those types of folks. Those are the ones that are going to make big differences in what you do as a business, and do what you can to help them out. I think that is something we don't see enough of in the industry still. And I would love for that to change. VICTORIA: I love that. Thank you so much, Rishi, for joining us. RISHI: Thanks for having me. This was a great conversation. I appreciate the time. VICTORIA: You can subscribe to the show and find notes along with a complete transcript for this episode at giantrobots.fm. If you have questions or comments, email us at hosts@giantrobots.fm. And you can find me on Twitter @victori_ousg. WILL: And you could find me on Twitter @will23larry. This podcast is brought to you by thoughtbot and produced and edited by Mandy Moore. Thanks for listening. See you next time. ANNOUNCER: This podcast is brought to you by thoughtbot, your expert strategy, design, development, and product management partner. We bring digital products from idea to success and teach you how because we care. Learn more at thoughtbot.com. Special Guest: Rishi Malik.
In episode 81 of the We Hack Purple Podcast host Tanya Janca spoke to Diana Kelley, Chief Information Security Officer (CISO) at Protect AI. Diana and Tanya worked together at Microsoft, and to say that Diana is a pillar of the information security industry is somewhat of an understatement. Together they discussed problems with Large Language Models (LLMs) ingesting crappy code, and bad licenses, the OSSF (and it's goodness), and that sometimes people don't even realize they are breaking software licences when they use what an LLM has produced.We discussed the fact that if a CVE comes out for a library an LLM gave you, but it didn't identify it with the correct name of the library, you wouldn't receive notifications about it. She clarified how ML pipelines are set up, how data scientists work, with insecure juniper laptops all over the place (perhaps a generalization on my part). We discussed how data science seems to be a topic a lot of CISOs are pretending aren't in their domain to protect, but both of us agreed that is not so. They have some of the most valuable data your organization can possess.We also covered best practices for securing MLSec, the OWASP Top Ten for LLMs, and the new free community her company has started MLSECOPS. She also released an update version of her book, Practical Cyber Security Architecture!.Diana Links:Diana on LinkedInhttps://www.wicys.org/. (of course!)https://mlsecops.com/OSS Jupyter Notebook scanner here: https://nbdefense.ai/https://protectai.com/ Her book https://www.packtpub.com/product/practical-cybersecurity-architecture-second-edition/9781837637164.Bio: Diana Kelley is the Chief Information Security Officer (CISO) for Protect AI. She also serves on the boards of Cyber Future Foundation, WiCyS, and The Executive Women's Forum (EWF). Diana was Cybersecurity Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group (now Gartner), a Manager at KPMG, CTO and co-founder of SecurityCurve, and Chief vCISO at SaltCybersecurity..Very special thanks to our sponsor!Semgrep Supply Chain's reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable.Get Your Free Trial Here! Semgrep also makes a ludicrously fast static analysis tool They have a free and paid version of this tool, which uses an open-source engine, and offers additional community created ruleset! Check out Semgrep Code HERE
In episode 80 of the We Hack Purple Podcast host Tanya Janca brings on her long-time friend Ray Leblanc of 'Hella Secure' blog. You may remember him from several Alice and Bob Learn streams, or from his cutting sarcasm on social media.Ray and Tanya discussed what they always discuss: AppSec. They compared AppSec responsibility versus business responsibility, how to "put it down" at the end of the day in order to avoid burn out, and that 'perhaps Tanya should learn to stay in her lane?' We covered when bug fixes don't get merged and released, the first year of the brand new conference which focuses only on Threat Modelling (ThreatModCon) and that Tanya will be Adam Shostack's teaching assistant for his course that is part of OWASP Global AppSec the first week of November (get tickets here). Although Ray professes to be bad at threat modelling on the podcast, if you follow any of his work you know that's absolutely untrue, and Tanya teases him accordingly about it.Ray's Links:https://www.hella-secure.com/https://twitter.com/Raybeornhttps://www.linkedin.com/in/raymondlleblanc/Very special thanks to our sponsor, Semgrep!Semgrep Supply Chain's reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable.Get Your Free Trial Here! Semgrep also makes a ludicrously fast static analysis tool They have a free and paid version of this tool, which uses an open-source engine, and offers additional community created ruleset! Join We Hack Purple! Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!
In episode 79 of the We Hack Purple Podcast host Tanya Janca spoke to Isabelle Mauny , Field CTO and founder of 42Crunch! Isabelle and Tanya met way back in 2018, at an API Security workshop in Britain, having no idea they would be friends for years to come! Isabelle is extremely passionate about securing APIs, and has volunteered for several different groups and projects in order to try to steer our industry in a more secure direction, including being president of the OpenAPI group and lending her skills to the OWASP DevSlop project to fix up our Pixi app.Together they discussed several of the challenges when creating secure APIs, including: BOLA (Broken Object Level Authorization), bots, all sorts of other broken authentication (not just object-level), verbose error messages, the fact that APIs are *not* invisible to hackers, and so much more. Isabelle covered how to have a positive security culture, and build out a DevSecOps program that includes API security, what the OpenAPI protocol is, and several inspiring customer success stories. We also talked about her free IDE Plugin that gives you a score out of 100 for security, and how Tanya's first try at it she only got a score somewhere in the 20's to start! Of course, we also talked about the OWASP API Security Top Ten, and how that helped bring the important of securing APIs into the mainstream, rather than an obscure thing only AppSec people like Isabelle and Tanya obsess over.Isabelle also spoke about a webinar she will be on July 13, Mastering Secure API Development with GitHub and 42Crunch, you can sign up here: https://42crunch.com/mastering-secure-api-development-with-github-and-42crunch/Get to know Isabelle:Isabelle Mauny, co-founder and Field CTO of 42Crunch, is a technologist at heart. She worked at IBM, WSO2 and Vordel across a variety of roles, helping large enterprises design and implement integration solutions. At 42Crunch, Isabelle manages customer POCs , partners integrations and product training. She is a frequent speaker at conferences and a published author. Isabelle is passionate about APIs and enjoys sharing her experience in podcasts such as this one :)Isabelle Links!https://tools.openapis.orghttps://42crunch.com/mastering-secure-api-development-with-github-and-42crunch/https://apisecurity.iohttps://github.com/isamauny/codemotion2023/blob/main/RuggedAPIs-Codemotion-2023.pdfhttps://42crunch.com/blog/Very special thanks to our sponsor, Semgrep!Semgrep Supply Chain's reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable.Get Your Free Trial Here! Semgrep also makes a ludicrously fast static analysis tool They have a free and paid version of this tool, which uses an open-source engine, and offers additional community created ruleset!
Episode #415 consacré à Semgrep, un outil d'analyse statique. avec Claudio Merloni The post Semgrep appeared first on NoLimitSecu.
In episode 76 of the We Hack Purple Podcast host Tanya Janca brings Anshu Bansal, the CEO of CloudDefense.ai, back onto the show for a second time to discuss “solving problems in application security”. Tanya and Anshu have worked together quite a while, as Tanya has been an advisor at Cloud Defense since it was a drawing on the back of a napkin!We choose this topic because Anshu recently spoke at the OWASP Bay Area meetup chapter, and he told Tanya his talk was about "solving the AppSec problems”. Obviously, she had to hear more about this. They dove into Anshu's definition of false positives (the traditional meaning, plus legit vulnerabilities that aren't reachable or otherwise do not cause business risk), as well as how to prioritize issues in way that makes more sense for the business. He simplified a lot of ideas that sometimes technical folks struggle with, such as how to get your message across to the business so that they agree to fix what matters most.More Anshu!Anshu generously offered to connect with any of our listeners on LinkedIn: https://www.linkedin.com/in/anshubansal/He's part of the Cloud Defense blog https://www.clouddefense.ai/blogThey also have a Newsletter https://www.clouddefense.ai/contactVery special thanks to our sponsor: Semgrep!Semgrep Supply Chain's reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable. Get Your Free Trial Here! Semgrep also makes a ludicrously fast static analysis tool They have a free and paid version of this tool, which uses an open-source engine, and offers a community-created rule set! Check out Semgrep Code HERE Join We Hack Purple!Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!
In episode 75 of the We Hack Purple Podcast, host Tanya Janca interviews Enno, a security researcher from Semgrep. They discussed all things static analysis, including; how do we come up with SAST rules, what's important to search for, important considerations when writing rules, testing rules before wider roll out, and writing rules specifically for Semgrep.We briefly got into The Official Docs, and content creation for both internal and external use, plus its importance when trying to scale your security efforts.Want more Enno?They can be found here!https://www.linkedin.com/in/enno-liu/https://www.youtube.com/@enncodedhttps://youtu.be/g_Yrp9_ZK2chttps://twitter.com/enncodedThe video by Enno that we discussed can be watched here!https://twitter.com/enncoded/status/1648908623152844801Very special thanks to our sponsor: Day of Shecurity! This annual event advocates for inclusion & diversification of gender in cybersecurity, AND it's very soon. Day one is May 18th (virtual) and day two is May 19th, in person in Redwood City, California, United States. Tickets are FREEEEEEEEE!View the agenda here: https://guides.dayofshecurity.com/view/314270378/If you're not sure, you can see videos from previous events here: https://www.youtube.com/c/DayofShecurity.Join We Hack Purple!Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!
In this special edition of the Future of Application Security podcast, Harshil speaks with Matt Johansen, Principal Security Architect at Reddit, a community and content-sharing site, and Clint Gibler, Head of Security Research at Semgrep, an open source static analysis tool. Together they discuss how the world of AppSec has changed, including the more widespread adoption of a shift-left mentality, and how more best-in-breed tools are being created for developers today. They also discuss the ways in which you can adopt frameworks and tooling into current workflows, how to meet developers where they are, and how to incentivize practicing good security habits. Topics discussed: How the world of AppSec has changed, going from a niche part of a security program to something everyone started focusing on, and how the industry has adopted a shift-left mindset while making more tools available for developers. How the evolution of frameworks are helping to prevent vulnerabilities and reduce risk, sometimes more so than security tools. How best-in-breed tooling is moving from generating tickets to be thrown over the fence, to speaking to developers in the language they know. The current state of in-house security expertise, and why security teams still need to lead with prioritization and the value-add of security, yet are beginning to hire team members who can write code. How to move security frameworks into the systems developers use everyday — and how do you incentivize developers to adopt those frameworks in the first place. The ways in which gamification and public dashboards have helped increase security adoption and reward good behavior. Why it's better to focus on and invest in solving the top vulnerabilities and issues than be sidetracked by the "long tail" of thousands of vulnerabilities that will never get touched.
Fortra's Core Security has conducted it's fourth annual survey of cybersecurity professionals on the usage and perception of pen testing. The data collected provides visibility into the full spectrum of pen testing's role, helping to determine how these services, tools, and skills must evolve. Segment Resources: https://www.fortra.com/resources/guides/2023-pen-testing-report This segment is sponsored by Fortra's Core Security. Visit https://securityweekly.com/fortracoresecurity to learn more about them! Compliance with cyber security frameworks such as NIST, PCI, HIPAA, etc. have largely been driven by paper-based processes in Word and Excel. With the rise of cloud computing, containers, and ephemeral systems, paper-based processes can no longer keep up with the speed of business and compliance has become the new bottleneck to progress for highly regulated industries such as government, finance, and energy sector. This session will cover how RegScale is leading a RegOps movement to bring the principles of DevOps to compliance with the world's first real-time GRC system that enables compliance as code via NIST OSCAL. RegOps seeks to shift compliance left to make it real-time, continuous, and complete so that paperwork is always up to date, self-updating, and takes less manual resources to manage. Segment Resources: Website – https://www.regscale.com Documentation/Learn More – https://regscale.readme.io In this news segment, we discuss the art of branding/naming security companies, some new cars just out of stealth, 5 startups just out of Y Combinator, and Cybereason's $100M round from Softbank. We also talk new features (Semgrep's new GPT-4 use case), new newsletters, and new reports. We break down Nexx's broken vulnerability disclosure program and its broken products. We also discuss the FDA's new ability to block device certification for security reasons. Android announces rules to make it easier for consumers to delete accounts and remove data when they uninstall apps. IT and Security professionals everywhere are asked not to report breaches, but in some countries more than others. CISOs are more prone to drinking problems, and finally, for our squirrel stories, we discuss a crazy app called Newnew and new ideas in prosthetics. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw313
Fortra's Core Security has conducted it's fourth annual survey of cybersecurity professionals on the usage and perception of pen testing. The data collected provides visibility into the full spectrum of pen testing's role, helping to determine how these services, tools, and skills must evolve. Segment Resources: https://www.fortra.com/resources/guides/2023-pen-testing-report This segment is sponsored by Fortra's Core Security. Visit https://securityweekly.com/fortracoresecurity to learn more about them! Compliance with cyber security frameworks such as NIST, PCI, HIPAA, etc. have largely been driven by paper-based processes in Word and Excel. With the rise of cloud computing, containers, and ephemeral systems, paper-based processes can no longer keep up with the speed of business and compliance has become the new bottleneck to progress for highly regulated industries such as government, finance, and energy sector. This session will cover how RegScale is leading a RegOps movement to bring the principles of DevOps to compliance with the world's first real-time GRC system that enables compliance as code via NIST OSCAL. RegOps seeks to shift compliance left to make it real-time, continuous, and complete so that paperwork is always up to date, self-updating, and takes less manual resources to manage. Segment Resources: Website – https://www.regscale.com Documentation/Learn More – https://regscale.readme.io In this news segment, we discuss the art of branding/naming security companies, some new cars just out of stealth, 5 startups just out of Y Combinator, and Cybereason's $100M round from Softbank. We also talk new features (Semgrep's new GPT-4 use case), new newsletters, and new reports. We break down Nexx's broken vulnerability disclosure program and its broken products. We also discuss the FDA's new ability to block device certification for security reasons. Android announces rules to make it easier for consumers to delete accounts and remove data when they uninstall apps. IT and Security professionals everywhere are asked not to report breaches, but in some countries more than others. CISOs are more prone to drinking problems, and finally, for our squirrel stories, we discuss a crazy app called Newnew and new ideas in prosthetics. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw313
In this news segment, we discuss the art of branding/naming security companies, some new cars just out of stealth, 5 startups just out of Y Combinator, and Cybereason's $100M round from Softbank. We also talk new features (Semgrep's new GPT-4 use case), new newsletters, and new reports. We break down Nexx's broken vulnerability disclosure program and its broken products. We also discuss the FDA's new ability to block device certification for security reasons. Android announces rules to make it easier for consumers to delete accounts and remove data when they uninstall apps. IT and Security professionals everywhere are asked not to report breaches, but in some countries more than others. CISOs are more prone to drinking problems, and finally, for our squirrel stories, we discuss a crazy app called Newnew and new ideas in prosthetics. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw313
In this news segment, we discuss the art of branding/naming security companies, some new cars just out of stealth, 5 startups just out of Y Combinator, and Cybereason's $100M round from Softbank. We also talk new features (Semgrep's new GPT-4 use case), new newsletters, and new reports. We break down Nexx's broken vulnerability disclosure program and its broken products. We also discuss the FDA's new ability to block device certification for security reasons. Android announces rules to make it easier for consumers to delete accounts and remove data when they uninstall apps. IT and Security professionals everywhere are asked not to report breaches, but in some countries more than others. CISOs are more prone to drinking problems, and finally, for our squirrel stories, we discuss a crazy app called Newnew and new ideas in prosthetics. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw313
Guess what's coming right up!? Another edition of Absolute AppSec with your summer-school hosts, @sethlaw and @cktricky. What are the secrets out there available if one scans the internet? Well, security researchers at @RedHuntLabs have reported on a large-scale study. Giving back by publishing relevant Semgrep Rules and a lack of access control in multiple IoT devices and services.
In this episode we discuss code quality with Christian Clausen, author of the book "5 lines of code".We discuss common code smells and bad practices as well as his opinion on one-liners and code-comments. Listen to the episode to know what an expert considers to be the measure of the quality of a code base.Links of interest:SonarQube: https://www.sonarqube.org/CodeScene: https://codescene.com/SemGrep: https://semgrep.dev/Get in touch with the Christian:Twitter: https://twitter.com/thedrlambdaMedium: https://thedrlambda.medium.com/Get his book:Check out "5 lines of code" and use this code to get a 35% discount during checkout: pod20minjs22 Review Us!Don't forget to leave a review of the episode or the entire podcast on Podchasers!Meet our host, OpenReplay:OpenReplay is an open-source session replay suite, built for developers and self-hosted for full control over your customer data. If you're looking for a way to understand how your users interact with your application, check out OpenReplay.
Clint Gibler is the Head of Security Research for r2c, the company behind SEMGREP, a popular open-source static analysis security scanning tool used by teams all over the world. He joined r2c to help build and shape the future of AppSec; one that includes secure defaults along with lightweight enforcement of those defaults. In today's episode, Clint talks about SEMGREP, operationalization of tools for security teams, intersection between AppSec and D&R as well as tips to succeed in AppSec at scale. More topics discussed in this episode: SEMGREP's origin story and benefits. The security startup creation pattern of recent years. Trend shift to developers operating security problems at scale. r2c's mission and products in addition to open source. How application logs are useful in detection and response. Type of vulnerabilities Clint is seeing more often. Application security developments he is most excited about. Other resources: tl;dr Sec Newsletter: tldrsec.com
Imagine if you could perform static analysis, find bugs, and enforce code standards in more than seventeen languages with a single tool. Imagine if you could scan your code with more than 1,000 community pre-written rules and if you could easily add your own rules to match your code perfectly. Imagine if you could then flag the issues and get results in pull requests, Slack, or anywhere else without as much as a click of a mouse. Well, it appears that you can do all of this and more. Today we talk with Isaac Evans, an MIT alumnus, a former computer scientist at the US Department of Defence, and a founder and CEO of r2c. His company, r2c, stands behind Semgrep, a lightweight, offline, open-source, static analysis tool that profoundly improves software security and reliability to safeguard human progress. When you finish listening to the episode, see how Sengrep can improve your code at https://semgrep.dev, or visit https://r2c.dev if you need enterprise solutions for large businesses. Mentioned in this episode: Isaac Evans on LinkedIn at https://www.linkedin.com/in/isaacevans/ Semgrep at https://semgrep.dev r2c at https://r2c.dev Brian Foote, Joseph Yoder, The Selfish Class at http://www.laputan.org/selfish/selfish.html Richard Dawkins, The Selfish Gene at https://www.amazon.com/Selfish-Gene-Anniversary-Landmark-Science-dp-0198788606/dp/0198788606/ref=dp_ob_title_bk
This morning r2c, a startup building a SaaS service around the Semgrep open-source project, announced that it has closed a $27 million Series B. Felicis led the round, which the company said was a pre-emptive deal.
This morning r2c, a startup building a SaaS service around the Semgrep open-source project, announced that it has closed a $27 million Series B. Felicis led the round, which the company said was a pre-emptive deal.
Outbrain, a recommendation platform connecting advertisers with open web consumers, has announced its raise of $200 million in a private equity round from The Baupost Group at an undisclosed valuation. The fundraising comes a week after it filed a proposal for the IPO of its common stock with the US Securities and Exchange Commission.Lidya, a digital financial services platform, has raised $8.3 million in a pre-Series B funding round led by Alitheia Capital with participation from Bamboo Capital Partners, Accion Venture Lab and Flourish Ventures, reports state.Localyze, a Y-Combinator-backed startup aiding cross-border employee relocation, has raised €10M ($12M) from Blossom Capital in Series A. Its previous round (Seed) was closed in 2020, and with this funding, Localyze plans to accelerate expanding into other markets besides its base, Germany.Juni, an e-commerce platform, has announced the raise of $21.5M in a Series A funding round, co-led by DST Global and Felix Capital. The company had only launched in 2020 and raised its seed round funding around November last year. The proceeds from this funding would be used in product development and hiring across teams.San Francisco's mmhmm has announced the raise of $100 million in its Series B funding led by SoftBank Vision Fund 2, exactly a year after its private beta launch. Since its launch in 2020, mmhmm has raised about $136 million in four funding rounds in less than a year, with the most recent Series A and debt financing round in October 2020, where it raised $35 million collectively, as per Crunchbase. Sequoia Capital, Mubadala Capital, Human Capital, World Innovation Lab (WiL), and many earlier investors participated in the round.Dataminr has bought WatchKeeper, a situational awareness platform, for an unknown sum. With the purchase of WatchKeeper and its integration with Dataminr Pulse, Dataminr will grow its global corporate customer base. As part of an early access program, business customers will be able to utilize the integrated version of Dataminr Pulse later this year. The broader release is slated for early 2022.ZeroFox, external threat intelligence and security firm, has bought Vigilante, a dark web threat intelligence firm. Vigilante will be incorporated into ZeroFox right away, giving customers a one-of-a-kind Dark Ops solution. Vigilante will provide clients with information and security resources, allowing them to make better decisions.Hopin, a platform for event management, has announced the purchase of Attendify to strengthen and expand its event marketing capabilities. Hopin will soon provide Campaign Manager with Attendify, allowing event marketers to leverage a strong email engine. Attendify's products, such as Audience CRM, a complete attendance data platform, will enhance Hopin's portfolio in various ways.Unit21, a no-code risk, fraud, and compliance software, received a $34 million Series B investment round led by Tiger Global Management. The money will be utilized to expand the engineering, R&D, and go-to-market teams within the firm. Unit21 was formed because the current method of fraud prevention and detection, which relied on “black box” machine learning, was flawed.Opaque, a company that helps businesses analyze encrypted cloud data, has received $9.5 million in a seed round sponsored by Intel Capital. With Opaque, clients can work with secure data on the cloud while guaranteeing that the data isn't exposed. Secure hardware enclaves and cryptographic fortification are part of Opaque, which is a mix of two essential technologies built on top of state-of-the-art cloud security. Repeat has secured $6 million in a Series A round of funding led by Battery Capital. The funds will be used to grow the company's operations. Client purchasing patterns are tracked by the platform, which alerts them when it's time to repurchase. It then builds a personalized shopping basket for each, which makes replenishing a breeze.Cloverly has raised $2.1 million from TechSquare Ventures in a seed round. Customers may purchase carbon offsets from public markets to offset their carbon footprints while also utilizing technology to develop solutions. Cloverly monitors the offset market to ensure that the providers are trustworthy and continuously looking for new ones.Fountain9, an AI-driven company that focuses on predictive inventory planning, has raised $1.9 million in a seed round. The money will be used to improve the intelligence of the startup's demand sensing engine, increase its product offerings, and expand into new areas.San Francisco's r2C, a software security startup, has announced the raise of $27 million in a Series B funding led by Felicis Ventures with participation from existing investors Redpoint Ventures and Sequoia Capital. Alongside the funding, it announced on its official blog that its open-source product, Semgrep, would now integrate with GitLab.Seattle's WellSaid Labs has announced the raise of $10 million Series A funding led by FUSE, with participation from Voyager, Qualcomm Ventures LLC and GoodFriends. The company would use the fresh capital to enhance its AI-generated synthetic voice business.San Francisco's Renegade Partners has announced the close of its first fund, $100 million, to partner with companies going through a critical inflection point, which it cites as a supercritical stage, in their venture and help them become outliers. The VC firm made its announcement in a series of tweets.
This week in the AppSec News: Visual Studio Code's Workplace Trust, Injured Android an insecure mobile app, Microsoft accidentally signed driver with rootkits, The NSA funds a new sister Matrix to ATT&CK: D3FEND, & "Ransomware: maybe it's you, not them?", and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw156
This week in the AppSec News: Visual Studio Code's Workplace Trust, Injured Android an insecure mobile app, Microsoft accidentally signed driver with rootkits, The NSA funds a new sister Matrix to ATT&CK: D3FEND, & "Ransomware: maybe it's you, not them?", and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw156
Static analysis is a type of debugging that identifies defects without running the code. Static analysis tools can be especially useful for enforcing security policies by analyzing code for security vulnerabilities early in the development process, allowing teams to rapidly address potential issues and conform to best practices.R2C has developed a fast, open-source static analysis tool called Semgrep. Semgrep provides syntax-aware code scanning and a database of thousands of community-defined rules to compare your code against. Semgrep also makes it easy for security engineers and developers to define custom rules to enforce their organization's policies. R2C's platform has been adopted by industry leaders such as Dropbox and Snowflake, and recently received the “Disruptive Innovator” distinction at Forbes' 2020 Cybersecurity Awards.Isaac Evans is the Founder and CEO of R2C. Before founding R2C he was an Entrepreneur in Residence at Redpoint Ventures and a computer scientist at the US Department of Defense. Isaac joins the show today to talk about how R2C is helping teams improve their cloud security, why static analysis is a natural fit for CI/CD workflows, and what to expect from R2C and the Semgrep project in the future.