Engineering a Safer Future at LaunchDarkly

https://is1-ssl.mzstatic.com/image/thumb/Podcasts116/v4/f7/56/97/f75697d3-df67-37d6-0326-38a33b971470/mza_12056266361536565593.jpg/600x600bb.jpg

The Modern Security Podcast

Clint Gibler

10 episodes

2 weeks ago

In the Modern Security Podcast, Clint Gibler (Founder of tl;dr sec and Head of Security Research) joins other CISOs and security leaders to talk about upcoming trends for security, career advice for those just getting started, and much more. Follow us at https://semgrep.dev/ and follow clint at https://tldrsec.com/

Technology

RSS

All content for The Modern Security Podcast is the property of Clint Gibler and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.

Technology

https://d3t3ozftmdmh3i.cloudfront.net/staging/podcast_uploaded_nologo/38867527/38867527-1693618289150-7da5377e8f601.jpg

Engineering a Safer Future at LaunchDarkly

The Modern Security Podcast

1 hour 18 minutes 11 seconds

1 year ago

Engineering a Safer Future at LaunchDarkly

In this episode of the Modern Security Podcast, we're joined by Alex Smolen, the Director of Security at LaunchDarkly, to discuss the challenges and strategies in building effective security programs. Clint and Alex explore the burdens of security questionnaires, the importance of empowering security teams, and the need for a shift in how risk is managed. Alex shares insights on the ineffectiveness of traditional security practices, the value of documentation, and the concept of a security data lake. The discussion also touches on the build vs. buy dilemma in security tools and the importance of continuous learning in the field. Takeaways -Security questionnaires are often seen as a chore and rarely lead to meaningful change. -Empowering security teams to fix vulnerabilities is crucial for effective risk management. -Risk management should focus on enabling businesses to operate at an acceptable level of risk. -Compliance efforts, like SOC 2 and ISO certifications, are important but do not directly reduce risk. -Security questionnaires often fail to provide valuable insights into vendor security practices. -Approval workflows can slow down processes; alternative methods like audit logs may be more effective. -Establishing security invariants can help maintain a consistent security posture across the organization. -A security data lake can provide a comprehensive view of security assets and vulnerabilities. -Documentation of data flows and vendor usage is more valuable than traditional security questionnaires. -Continuous learning and adaptation are essential for security professionals. Chapters 00:00 The Burden of Security Questionnaires 02:12 Building a High-Performing Security Program 04:30 Empowering Security Teams 07:00 Prioritizing Security Fixes 10:25 Principles of Defining Security 15:14 Defining Security Metrics & Goals 19:30 The Ineffectiveness of Security Questionnaires 30:50 Security "Marketing" 35:48 The Build vs. Buy Dilemma 37:52 Rethinking Approval Workflows 45:39 Asset Security Data Lake 1:01:11 The 'Nouns' at LaunchDarkly 1:09:27 Build vs Buy 1:16:21 Final Thoughts and Advice