The Modern Security Podcast
Clint Gibler
10 episodes
2 weeks ago
In the Modern Security Podcast, Clint Gibler (Founder of tl;dr sec and Head of Security Research) joins other CISOs and security leaders to talk about upcoming trends for security, career advice for those just getting started, and much more. Follow us at https://semgrep.dev/ and follow Clint at https://tldrsec.com/
Winning Friends & Influencing Developers with Sandesh Anand
The Modern Security Podcast
46 minutes 53 seconds
1 year ago

Sandesh Anand, former Engineering Manager of InfoSec at Razorpay, shares his insights on scaling security programs and leveraging AI in application security. He discusses his experience at Razorpay, where he built the security program from scratch, and highlights the importance of understanding and addressing the pain points of engineering stakeholders. Sandesh emphasizes the value of secure defaults and secure guardrails in eliminating classes of issues by construction. He also explores the effectiveness of leveraging non-security teams for security initiatives and the importance of aligning security work with business objectives. Additionally, he provides strategies for prioritizing security and emphasizes the need for a long-term view of security. In this conversation, Sandesh shares insights on leveraging security incidents as opportunities for improvement, the importance of aligning security initiatives with developer pain points, and the role of technology in scaling application security. Sandesh also discusses his work at Seezo.ai, an AI-first application security company, and their focus on automating security design reviews. Key takeaways include the value of integrating security tools with existing developer workflows, the benefits of moving to golden images for container security, and the need to leverage technology to scale security initiatives.

Takeaways

- Understand and address the pain points of engineering stakeholders when building a security program.

- Implement secure defaults and secure guardrails to eliminate classes of issues by construction.

- Leverage non-security teams and processes to multiply the impact of security initiatives.

- Align security work with business objectives and product roadmaps.

- Use burn down charts and clear risk ranking to prioritize security work.

- Take a long-term view in security and focus on continuous improvement.

- Security incidents can be opportunities for improvement and can lead to better security practices and appreciation for security teams.

- Aligning security initiatives with developer pain points, such as on-call responsibilities or compliance requirements, can increase buy-in and adoption.

- Technology plays a crucial role in scaling application security, and solutions that automate manual security processes can improve efficiency and effectiveness.

- Moving to golden images for container security can simplify vulnerability management and reduce the risk of security incidents.

- Integrating security tools with existing developer workflows, such as Jira or business intelligence platforms, can increase visibility and engagement with security initiatives.


00:00 Introducing Sandesh Anand

03:10 Challenges of Scaling Security Programs

12:39 Leveraging Non-Security Teams

16:29 Security Teams as Force Multipliers

18:50 Prioritizing Security Work

21:36 Incorporating Security into the Product Roadmap

23:33 Security as a Journey

24:30 Turning Incidents into Opportunities

30:25 Gaining Stakeholder Buy-In

37:07 Lessons Learned

41:23 Automating Security Design Reviews
