SE Radio 658: Tanya Janca on Secure Coding

This Software Engineering Radio podcast interviews Tanya Janka about integrating secure coding practices into the software development lifecycle (SDLC). The discussion covers fundamental security concepts (least privilege, usable security, and avoiding implied trust), the CIA triad, and how to incorporate security into each SDLC phase (requirements, design, coding, testing, and post-go-live). Janka emphasizes the importance of threat modeling, secure coding guidelines (input validation, output encoding, parameterized queries, and security headers), and various security testing methods (SAST, DAST, IAST, and supply chain security). Listeners gain practical advice on building secure systems, including using checklists, code review tools, and establishing clear security requirements and metrics. A key takeaway is the importance of not assuming trust in systems and data, validating all inputs, and using parameterized queries to prevent vulnerabilities like SQL injection.

Outlines

Part 1: Introduction to Secure Coding

Part 2: Secure SDLC Implementation

Part 3: Measuring Success and Getting Started

Sign in to continue reading, translating and more.

Open full episode in Podwise

Software Engineering Radio - the podcast for professional software developers

Part 1: Introduction to Secure Coding

Introduction of Tanya Janka and Overview of Secure Coding

The Criticality of Avoiding Implied Trust in Systems and Data

Real-World Examples of Trust-Based Failures and Introduction to the CIA Triad

Part 2: Secure SDLC Implementation

Secure Software Development Lifecycle (SDLC) and its Differences from Traditional SDLC

Defining Security Requirements within the SDLC

Threat Modeling in the Design Phase

Secure Coding Guidelines and Best Practices

Secure Code Review Practices and the Role of Static Analysis Tools

Security Testing in the SDLC: Types and Best Practices

Addressing Performance Impacts of Production Security Testing and Post-Go-Live Considerations

Part 3: Measuring Success and Getting Started

Metrics and KPIs for Measuring Secure SDLC Success

Advice for Developers Getting Started with Secure SDLC

SE Radio 658: Tanya Janca on Secure Coding

Software Engineering Radio - the podcast for professional software developers

Part 1: Introduction to Secure Coding

00:50Introduction of Tanya Janka and Overview of Secure Coding

Introduction of Tanya Janka and Overview of Secure Coding

03:40The Criticality of Avoiding Implied Trust in Systems and Data

The Criticality of Avoiding Implied Trust in Systems and Data

05:40Real-World Examples of Trust-Based Failures and Introduction to the CIA Triad

Real-World Examples of Trust-Based Failures and Introduction to the CIA Triad

Part 2: Secure SDLC Implementation

10:08Secure Software Development Lifecycle (SDLC) and its Differences from Traditional SDLC

Secure Software Development Lifecycle (SDLC) and its Differences from Traditional SDLC

17:03Defining Security Requirements within the SDLC

Defining Security Requirements within the SDLC

20:45Threat Modeling in the Design Phase

Threat Modeling in the Design Phase

26:54Secure Coding Guidelines and Best Practices

Secure Coding Guidelines and Best Practices

32:37Secure Code Review Practices and the Role of Static Analysis Tools

Secure Code Review Practices and the Role of Static Analysis Tools

41:27Security Testing in the SDLC: Types and Best Practices

Security Testing in the SDLC: Types and Best Practices

50:19Addressing Performance Impacts of Production Security Testing and Post-Go-Live Considerations

Addressing Performance Impacts of Production Security Testing and Post-Go-Live Considerations

Part 3: Measuring Success and Getting Started

1:00:21Metrics and KPIs for Measuring Secure SDLC Success

Metrics and KPIs for Measuring Secure SDLC Success

1:06:51Advice for Developers Getting Started with Secure SDLC

Advice for Developers Getting Started with Secure SDLC