The Boring AppSec Podcast
31 episodes
1 week ago
In this podcast, we will talk about our experiences having worked at different companies - from startups to big enterprises, from tech companies to security companies, and from building side projects to building startups. We will talk about the good, the bad, and everything in between. So join us for some fun, some real, and some super hot takes about all things Security in the Boring AppSec Podcast.
Technology
The Future of Developer Security with Travis McPeak
51 minutes 51 seconds
4 weeks ago
In this episode, we sit down with Travis McPeak, one of the most prominent thinkers in the space of developer security. Travis, who built his career at the intersection of security automation and developer productivity, shares his philosophy on achieving security at scale in the AI era. His career spans security leadership roles at major tech companies, including Symantec, IBM, Netflix, and Databricks. Most recently, he founded and served as CEO of Resourcely, a startup built on the idea of making cloud infrastructure secure by default, before being "acqui-hired" by Cursor, the rapidly growing AI-powered code editor, to lead security and enterprise readiness.
Key Takeaways

  • AI for Secure by Default: AI tools provide the best injection point to shift security "all the way left" and move past the reactive "whack-a-mole" approach, because developers are already motivated to use these highly effective tools.
  • Changing AppSec Strategy: AI dramatically changes the nature of AppSec by making strategies that previously did not scale, such as threat modeling, practical across an organization. AI can generate architecture diagrams on demand by tracing through code.
  • The Compliance Bottleneck: The dramatic consolidation of cloud security vendors reflects how compliance-minded the security industry remains. Critical infrastructure misconfigurations (like public databases being left open) often go unaddressed because they are not measured by compliance standards.
  • Platform vs. Point Solutions: Travis argues against platforms that are often amalgamations of poorly integrated acquired tools. He suggests buying the single best point solution for a high-leverage problem and using AI capabilities to operationalize and wire it into internal systems, thereby simplifying integrations that platforms traditionally provide.
  • The Skeptical Coder: A fundamental limitation of Large Language Models (LLMs) is their desire to "make you happy," causing them to provide answers even if they are incorrect. Therefore, engineers must use AI output only as a starting point and only consider the code finished when they understand it fully end to end.
  • Prompt Injection Defined: Prompt injection is confirmed as a legitimate vulnerability, essentially a rehash of old issues like cross-site scripting and SQL injection, arising from the improper separation between the LLM instruction and the user instruction.
Tune in for a deep dive!
Contacting Travis

* LinkedIn: https://www.linkedin.com/in/travismcpeak/

* Company Website: https://www.cursor.com
Contacting Anshuman

* LinkedIn: https://www.linkedin.com/in/anshumanbhartiya/

* X: https://x.com/anshuman_bh

* Website: https://anshumanbhartiya.com/

* Instagram: https://www.instagram.com/anshuman.bhartiya

Contacting Sandesh

* LinkedIn: https://www.linkedin.com/in/anandsandesh/

* X: https://x.com/JubbaOnJeans

* Website: https://boringappsec.substack.com/