rss-bridge 2023-10-05T19:07:00+00:00

SE Radio 584: Charles Weir on Ruthless Security for Busy Developers

Charles Weir—developer, security researcher, and Research Fellow at Security Lancaster—joins host Giovanni Asproni to discuss an approach that development teams can use to create secure systems without wasting effort on unnecessary security work. The episode starts with a broad description of the approach, which is based on Weir's research and on a free Developer Security Essentials workshop he created. Charles presents some examples from real-world projects, his view on AI's impact on security, and information about the workshop and where to find the materials. During the conversation, they consider several related topics including the concept of "good enough" security; security as a product decision; risk assessment, classification, and prioritization; and how to approach security in startups, greenfield, and legacy systems.


Transcript

Transcript brought to you by IEEE Software magazine and IEEE Computer Society.

This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number and URL.

Giovanni Asproni 00:00:19 Welcome to Software Engineering Radio. I’m your host Giovanni Asproni. And today we’ll be discussing ruthless security for busy developers with Charles Weir. Charles is a developer security researcher with over 30 years of experience in the software industry. He’s currently a research fellow at Security Lancaster, where he leads the research on how to improve the security of software delivered by development teams. He was a technical lead for the world’s first smartphone, the Ericsson R380, and was the security lead for the world’s first Android payment app, EE Cash on Tap. And he’s the author of the Developer Security Essentials package, a set of workshops that help developers to understand and apply security principles in their work. Charles, welcome to Software Engineering Radio. Is there anything I missed that you’d like to add?

Charles Weir 00:01:08 No, except I’m a fan of Software Engineering Radio, and I was on a very, very early podcast.

Giovanni Asproni 00:01:15 Yeah. Was that one about Small Memory Software, perhaps?

Charles Weir 00:01:20 That was it.

Giovanni Asproni 00:01:21 Okay. But let’s talk about ruthless security today, yeah? So can you give us a brief overview of what security for busy developers is about and why we should care?

Charles Weir 00:01:32 Well, security’s hard work, it’s expensive. It requires a lot of effort. In fact, you could allow it to take all of your time developing and then some. So that’s clearly not going to be practical. So we all have to make choices about what security we implement, and what ruthless security is promoting is making those choices hard, using hard data to ruthlessly avoid the things that you simply feel might be good, but doing the right things.

Giovanni Asproni 00:02:13 Okay. So it’s a way of prioritizing risks.

Charles Weir 00:02:16 Indeed. That’s how we do it.

Giovanni Asproni 00:02:18 And deciding which risks you want to take and which ones we can forget about. Am I correct?

Charles Weir 00:02:23 That’s correct.

Giovanni Asproni 00:02:24 Okay. I would like also to ask, when talking about security, we also often end up talking about privacy and sometimes conflating the two. Now this is perhaps not entirely related to ruthless security, but I think it’s a distinction that I’d like to ask you about. So can you tell us the difference between them and how they relate to each other?

[...]
