Security
Local cert management for mere mortals
In this episode, Ben Burkert & Chris Stolt join Johnny to explore the ups & downs of trying to get secure local development environments set up, why it’s hard & what you can do about it.
Scoring your project’s security
Autumn and Justin are joined by Chris Swan to discuss tech industry trends like AI and sustainability, gamifying the software development process and motivating devs to write more secure code, OpenSSF Scorecards and how they offer a way to measure and improve the security and compliance of GitHub repos, the scoring system, and the security posture of a repository.
Go Capture the Flag! 🚩
Angelica is joined by Neil S Primmer & Benji Vesterby to share their experience organizing “Capture the Flag” at GopherCon 2023. CTF events involve teams vying for supremacy as they strive to gather digital flags (presented as strings) and successfully submit them to the competition organizers. In essence, it’s a thrilling “scavenger hunt for nerds.” Join us as we unravel the intricacies and excitement of this unique gaming experience!
Shift left, seriously.
This week we’re going deep on security and what it takes to shift left, seriously. Adam is joined by Justin Garrison (co-host of Ship It), plus two members of the BoxyHQ team — Deepak Prabhakara, Co-founder & CEO and Schalk Neethling, Community Manager and DevRel as well as fellow Changelog Slack member.
We discuss how to shift left, the role of the developer and the burden of security, the importance of tooling, the difference between authentication and authorization, and a mindset change for when security takes place — it’s a matter of “when” not “who.”
What's new in Go's cryptography libraries: Part 2
Filippo Valsorda & Roland Shoemaker from the Go Team return & bring Nicola Murino with them to continue catching us up on what’s new in Go’s crypto libraries.
This is everything we didn’t cover + deep dives from Part 1!
Backslashes are trash
Mat Ryer returns with his guitar, an unpopular opinion & his favorite internet virus.
What's new in Go's cryptography libraries: Part 1
Filippo Valsorda & Roland Shoemaker from the Go Team sit down with Natalie to catch us up on what’s new in Go’s crypto libraries. No, not that crypto… good ol’ cryptography! Don’t miss Part 2!
Protecting screen time
Jared Henderson joins us to discuss the state of the art in software parental controls and how we protect our children and lock down our home networks from the constant onslaught of malicious and unwanted content.
Zero Trust & Go
Michael Quigley from NetFoundry joins Natalie to discuss Zero Trust concepts, why they are important for secure systems & how to implement them in Go.
Web dev security school
This week, we’re joined by Ron Perris, a Security Engineer at Reddit and software security enthusiast. Together, we dive into best practices and common pitfalls, covering topics from dangerous URLs to JSON injection attacks. Tune in for an educational conversation, and don’t forget to bring your notebooks!
Attack of the Canaries!
This week we’re joined by Haroon Meer from Thinkst — the makers of Canary and Canary Tokens. Haroon walks us through a network getting compromised, what it takes to deploy a Canary on your network, how they maintain low false-positive numbers, their thoughts and principles on building their business (major wisdom shared!), and how a Canary helps surface network attacks in real time.
The massive bug at the heart of npm
Darcy Clarke, former GitHub Staff Engineering Manager and founder of vlt, joins us to discuss a major bug in the npm ecosystem that he recently disclosed. We cover the bug’s timeline, nuances, and impact, all while setting some important context on npm packages, clients, and registries. Tune in to learn how to protect your codebase and gain a deeper understanding of this crucial part of the JavaScript ecosystem.
Passkeys for a passwordless future
This week we’re talking about Passkeys with Anna Pobletts, Head of Passwordless, at 1Password. Will Passkeys enable a passwordless future? Time will tell. Anna shares the what, the why, how, and the when on Passkeys.
Making "safe npm"
Feross and his team at Socket recently shipped a wrapper library for the ubiquitous npm package manager’s command-line interface that brings enhanced security when you need it most: before executing any code.
Bradley Farias led this effort, so Jerod & Chris invited him on the show to learn all about it.
Hacking with Go: Part 4
Our “Hacking with Go” series continues! This time Natalie & Johnny are joined by Ivan Kwiatkowski & Juan Andrés Guerrero-Saade, and the conversation focuses on generics and AI.
Hacking with Go: Part 3
Ivan Kwiatkowski joins Natalie once again for a follow-up episode to Hacking with Go: Part 2. This time we’ll get Ivan’s perspective on the way Go’s security features are designed and used, from the user/hacker perspective. And of course we will also talk about how AI fits into all this…
Protecting us with the Database of Evil
Online platforms and their users are susceptible to a barrage of threats – from disinformation to extremism to terror. Daniel and Chris chat with Matar Haller, VP of Data at ActiveFence, a leader in identifying online harm that uses a combination of AI technology and leading subject matter experts to provide Trust & Safety teams with precise, real-time data, in-depth intelligence, and automated tools to protect users and ensure safe online experiences.
Container base images with glibc & musl
In today’s episode, we talk about distroless, ko, apko, melange, musl and glibc. The context is Wolfi OS, a community Linux OS designed for the container and cloud-native era. If you are looking for the lightest possible container base image with 0 CVEs and both glibc and musl support, Wolfi OS & the related chainguard-images are worth checking out.
Ariadne Conill is an Alpine Linux TSC member & Software Engineer at Chainguard.
Hacking with Go: Part 2
We’re once again exploring hacking in Go from the eyes of security researchers. This time, Natalie & Ian are joined by Ivan Kwiatkowski (a.k.a. Justice Rage)!
Smile! HTML can access your camera
Austin Gil joins the show and KBall continues an old email correspondence about the JS community and growth. Then, the gang plays a round of TIL where Austin shares his learnings about the HTML capture attribute. Finally, Austin shares what it’s like to have a blog post blow up.
Lessons from 5 years of startup code audits
Adam and Jerod are joined by Ken Kantzer, co-founder of PKC Security. Ken and his team performed upwards of 20 code audits on well-funded startups. Now that it’s 7 or 8 years later, he wrote up 16 surprising observations and things he learned looking back at the experience. We gotta discuss ’em all!
How to keep a secret
Rob Barnes (a.k.a. Devops Rob) and Rosemary Wang (author of Infrastructure as Code - Patterns & Practices) are joining us today to talk about infrastructure secrets.
What do Rosemary and Rob think about committing encrypted secrets into a repository? How do they suggest that we improve on storing secrets in LastPass? And if we were to choose HashiCorp Vault, what do we need to know?
Thank you Thomas Eckert for the intro. Thank you Nabeel Sulieman (ep. 46) & Kelsey Hightower (ep. 44) for your gentle nudges towards improving our infra secrets management.
Knative, Sigstore & swag (KubeCon EU 2022)
This is the post-KubeCon CloudNativeCon EU 2022 week. Gerhard is talking to Matt Moore, founder & CTO of Chainguard about all things Knative and Sigstore.
The most important topic is swag, because no one has better stickers than Chainguard.
The other topic is the equivalent of Let’s Encrypt for securing software.
Schneier on security for tomorrow’s software
This week we’re talking with Bruce Schneier — cryptographer, computer security professional, privacy specialist, and writer (of many books). He calls himself a “public-interest technologist”, a term he coined himself, and works at the intersection of security, technology, and people.
Bruce has been writing about security issues on his blog since 2004, his monthly newsletter has been going since 1998, he’s a fellow and lecturer at Harvard’s Kennedy School, a board member of the EFF, and the Chief of Security Architecture at Inrupt. Long story short, Bruce has credentials to back up his opinions and on today’s show we dig into the state of cyber-security, security and privacy best practices, his thoughts on Bitcoin (and other crypto-currencies), Tim Berners-Lee’s Solid project, and of course we asked Bruce to share his advice for today’s developers building the software systems of tomorrow.