Episode Summary

Is the traditional Silicon Valley startup model harming the security industry? In this episode of The Secure Developer, Danny Allan talks with Melanie Rieback, founder of Radically Open Security, about shaking up the industry with nonprofit business models. Tuning in, you’ll learn about the inner workings of Radically Open Security as a non-profit organization and the positive impact its donations have had on the open source ecosystem.

We discuss the benefits of a steward-ownership business model, why it pairs so well with open source, and its power to reform venture capital and align incentives with long-term sustainability. For those interested in diving deeper, Melanie shares resources from her startup incubator, Nonprofit Ventures, and her free online Post Growth Entrepreneurship course. Tune in to learn why reforming our business models is vital for preserving and protecting our open source ecosystem and, by extension, security!

Show Notes

In this episode, Snyk CTO Danny Allan chats with Dr. Melanie Rieback, founder of Radically Open Security, about her journey from academia and pen testing to founding a cybersecurity company with a radically different business model. Melanie shares the motivations behind creating a not-for-profit organization that donates 90% of its profits to the NLnet Foundation, supporting open source and digital rights initiatives. They discuss the discontent with traditional cybersecurity business practices, including lack of transparency and ethical concerns like selling zero-days.

Melanie explains Radically Open Security's structure, operating as a collective primarily using contractors, and how this model has allowed them to grow to 50 people while serving major clients and offering pro-bono work for nonprofits and critical open source projects like the Tor Project and Tails. The conversation then broadens to discuss alternative business models like steward ownership, where profit rights are separated from voting rights, aiming to lock value within the company and prevent mission drift often caused by traditional VC funding.

They explore the concept of "Post Growth Entrepreneurship," which Melanie teaches, focusing on non-extractive business models and reforming finance itself. The discussion touches upon whether the tech industry, particularly open source, is moving towards more sustainable and ethical models, citing examples like Signal, Proton, Mastodon, and Mozilla. Melanie emphasizes that the culture of open source developers is often inherently altruistic, not greedy, but can be compromised by traditional funding systems. Finally, Melanie offers resources for listeners interested in learning more about these alternative models.

Links

• Radically Open Security
• Radically Open Security on LinkedIn
• NLnet Foundation
• Nonprofit Ventures
• Post Growth Entrepreneurship Course
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

In this episode of The Secure Developer, Danny Allan sits down with Akira Brand, AVP of Application Security at PRA Group, to explore the evolving landscape of application security and AI. Akira shares her unconventional journey from opera to cybersecurity, discusses why AppSec is fundamentally a customer service role and breaks down how AI is reshaping security workflows. Tune in to hear insights on integrating security seamlessly into development, AI’s role in secure coding, and the future of AppSec in a rapidly shifting tech landscape.

Show Notes

In this engaging episode, The Secure Developer welcomes Akira Brand, AVP of Application Security at PRA Group, for an in-depth discussion on the intersection of AI and application security. Akira’s unique background in opera and stage direction offers a fresh perspective on fostering collaboration in security teams and influencing organizational culture.

Key Topics Covered:

• From Opera to AppSec: Akira shares her journey from classical music to cybersecurity and how her experience in stage direction translates into leading security teams.
• AppSec as a Customer Service Role: The importance of serving software engineers by providing security solutions that fit seamlessly into their workflows.
• The ‘Give Them the Pickle’ Approach: How meeting developers where they are and educating them can lead to better security adoption.
• AI’s Role in Secure Development: How AI-driven tools are transforming the way security is integrated into the software development lifecycle.
• Challenges in Security Culture: Why security is still an afterthought in many development processes and how to change that mindset.
• Future of AI in Security: The promise and risks of AI-assisted security tools and the need for standards to keep pace with rapid technological advancements.

Links

• PRA Group
• Turing School
• Brian Holt
• Frontend Masters
• Resilia
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

In this episode of The Secure Developer, host Danny Allan sits down with Alex Salazar, founder and CEO of Arcade, to discuss the evolving landscape of authentication and authorization in an AI-driven world. Alex shares insights on the shift from traditional front-door security to back-end agent interactions, the challenges of securing AI-driven agents, and the role of identity in modern security frameworks. The conversation delves into the future of AI, agentic workflows, and how organizations can navigate authentication, authorization, and security in this new era.

Show Notes

Danny Allan welcomes Alex Salazar, an experienced security leader and CEO of Arcade, to explore the transformation of authentication and authorization in AI-powered environments. Drawing from his experience at Okta, Stormpath, and venture capital, Alex provides a unique perspective on securing interactions between AI agents and authenticated services.

Key topics discussed include:

• The Evolution of Authentication & Authorization: Traditional models focused on front-door access (user logins, SSO), whereas AI-driven agents require secure back-end interactions.
• Agentic AI and Security Risks: How AI agents interact with services on behalf of users, and why identity becomes the new perimeter in security.
• OAuth and Identity Challenges: Adapting OAuth for AI agents, ensuring least-privilege access, and maintaining security compliance.
• AI Hallucinations & Risk Management: Strategies for mitigating LLM hallucinations, ensuring accuracy, and maintaining human oversight.
• The Future of AI & Agentic Workflows: Predictions on how AI will continue to evolve, the rise of specialized AI models, and the intersection of AI and physical automation.

Alex and Danny also discuss the broader impact of AI on developer productivity, with insights into how companies can leverage AI responsibly to boost efficiency without compromising security.

Links

• Arcade.dev - Make AI Actually Do Things
• Okta - Identity
• OAuth - Authorization Protocol
• LangChain - Applications that Can Reason
• Hugging Face - The AI Community Building the Future
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

In this episode of The Secure Developer, Danny Allan sits down with Mrinal Wadhwa, CTO at Ockam, to explore the evolving landscape of secure communication in distributed systems. They discuss the challenges of securing microservices, IoT networks, and Kubernetes environments and how traditional TLS-based security models may no longer be sufficient. Mrinal shares insights into Ockam’s approach to end-to-end encrypted, mutually authenticated channels and the impact of WebAssembly, passkeys, and modern cryptographic identity management on security. Tune in for a deep dive into how organizations can rethink security at runtime to minimize risks in today’s complex digital ecosystems.

Show Notes

Security in modern applications is more challenging than ever, with microservices architectures, IoT deployments, and distributed computing environments introducing new risks. In this episode, Danny Allan welcomes Mrinal Wadhwa, CTO at Ockam, to discuss how secure communication models need to evolve beyond traditional TLS and perimeter-based defenses.

Topics covered include:

• The challenges of securing microservices and Kubernetes clusters
• How end-to-end encryption and mutual authentication can minimize risk
• The importance of cryptographic identities and key rotation at scale
• How Ockam enables secure channels across multiple transport layers (TCP, Bluetooth, Kafka, etc.)
• The role of WebAssembly and passkeys in rethinking security models
• Shifting from perimeter-based security to secure-by-design communication

Mrinal shares key insights on how organizations can rethink risk at runtime, considering the number of people and systems involved in data flow rather than just static build-time dependencies. Whether you're a security leader, developer, or architect, this episode provides actionable insights on building trust in your infrastructure without compromising performance or agility.

Links

• Ockam
• Passkeys Overview
• Private Compute Cloud by Apple
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

In this episode of The Secure Developer, Danny Allan, CTO of Snyk, sits down with Wayne Chang, Founder and CEO of SpruceID, to explore the evolving landscape of digital identity and security. From self-sovereign identity to the role of AI in authentication, they discuss the future of identity management, the risks of centralized systems, and the benefits of decentralized approaches. They also dive into how policy, compliance, and emerging technologies like passkeys and zero-knowledge proofs are shaping the security ecosystem.

Show Notes

The world of digital identity is changing fast, and in this episode of The Secure Developer, we explore how security professionals and developers can navigate this evolving space. Host Danny Allan is joined by Wayne Chang, Founder and CEO of SpruceID, to discuss key trends and challenges in identity management.

Topics Discussed:

• Wayne's Background: From health tech to digital identity, how Wayne’s early struggles with integrating health records led to his passion for self-sovereign identity.
• The Evolution of Digital Identity: Why usernames and passwords are no longer the gold standard, and how newer methods like passkeys and cryptographic credentials improve security.
• Decentralization vs. Centralization: The trade-offs between federated identity systems (like OAuth and SSO) and self-hosted identity wallets.
• The Role of AI in Identity Security: How AI is both a tool for improving security and a threat vector for identity fraud.
• Privacy and Compliance: How regulations like GDPR, CCPA, and emerging state-level laws influence digital identity strategies.
• The Future of Authentication: The move from multi-factor authentication to "myriad factor authentication," leveraging multiple signals for seamless and secure access.

Wayne and Danny also discuss real-world use cases, including the development of mobile driver's licenses, emerging digital identity wallets, and the challenges of ensuring privacy and security while maintaining usability. The conversation highlights how organizations can stay ahead with better authentication practices and privacy-preserving architectures as fraud becomes more sophisticated.

Links

• SpruceID - Identity infrastructure for the digital world
• NIST - The National Institute of Standards and Technology
• NIST SP 800-63 - Digital Identity Guidelines
• ACLU Digital ID State Legislative Recommendations
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

Security is more than just a checklist—it’s a cultural movement. In this episode, Dustin Lehr, Co-founder of Katilyst, joins Danny Allan to explore the intersection of security, engineering, and culture. They discuss how to foster security champions, scale security programs, and build a culture where developers naturally integrate security into their workflows. Dustin shares insights from his extensive career, offering practical strategies for creating lasting change in security practices.

Show Notes

Security isn’t just about tools—it’s about people. In this episode of The Secure Developer, Dustin Lehr, Co-founder of Katilyst, joins Danny Allan to discuss the importance of building a strong security culture within engineering teams.

Dustin shares his journey from software engineering to security leadership, emphasizing how security should be an extension of software quality. He highlights how security champions programs can empower developers to take ownership of security without disrupting their workflow.

Key topics include:

• The evolution of software development and how security fits in
• Best practices for launching and sustaining a security champions program
• The psychology of change and how to influence developer behavior
• The role of AI in security culture—what works and what doesn’t
• Metrics and strategies for measuring the success of security initiatives

With real-world insights and actionable advice, this episode is a must-listen for security and engineering leaders looking to scale security through culture, not just technology.

Links

• Katilyst – Dustin Lehr’s company focused on security culture
• Security Champion Program Success Guide – A free resource for building effective security champion programs
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn

Episode Summary

Join Jeremiah Grossman, application security pioneer and former CEO of WhiteHat Security, as he reflects on decades of innovation in the industry, from the early days of OWASP to today’s AI-driven development landscape. Explore critical discussions about the escalating costs of security, aligning developer incentives, and the future challenges posed by AI-generated vulnerabilities. Packed with insights, this episode dives deep into the strategies and frameworks shaping the way we build and secure modern software.

Show Notes

In this episode of The Secure Developer, we sit down with Jeremiah Grossman, a pioneer in application security and former CEO of WhiteHat Security. Jeremiah shares fascinating insights from his decades of experience shaping the security landscape, including the origins of the OWASP project and his role in raising awareness about critical vulnerabilities like SQL injection and cross-site scripting.

The conversation delves into how the industry has evolved over the past two decades, from the early days when nearly every application was riddled with vulnerabilities to today’s more robust frameworks and heightened security awareness. Despite these advancements, Jeremiah and Danny discuss why security spending remains high while organizations continue to struggle with improving their overall security posture.

Key topics include:

• The misalignment of incentives in software development that prioritizes speed over security.
• The emerging role of cyber insurance in shaping organizational security practices.
• The challenges of unknown assets and their contribution to breaches, highlighting the importance of asset inventory and attack surface management.
• The impact of AI on software development, particularly the risks and opportunities presented by AI-generated code and new attack surfaces.

Jeremiah also shares his thoughts on aligning incentives for secure development, including innovative approaches like developer performance metrics and reward structures for secure coding. The episode concludes with a look at Jeremiah’s current focus on venture capital and fostering innovation in security, as well as his personal passion for Brazilian jiu-jitsu and its parallels with the security industry.

This episode is a deep dive into the critical challenges and opportunities facing modern security professionals, offering actionable insights and thought-provoking discussions for developers, CISOs, and security practitioners alike.

Links

• OWASP (Open Web Application Security Project)
• Black Hat
• Node.js
• Brave Browser
• Chromium
• Cornell Study on AI Code Vulnerabilities
• Snyk - The Developer Security Company

Follow Us

• Our Website
• Our LinkedIn