Guy Podjarny on making open source more secure
The O’Reilly Security podcast: DevOps, risk reduction, and vulnerabilities in open source.
In this episode, I talk with Guy Podjarny, founder of Snyk, a developer tooling company focused on securing open source alongside building a business.
We discuss the parallel paths between the transformation from Ops teams to DevOps and where security teams are right now, building security tools focused on the people who will be using them, and who owns the problem of vulnerabilities in open source.
Here are some highlights:
Parallel paths of DevOps and security
People think of DevOps positively now. They think of all the awesome things that an ops team, a DevOps team, can do for them, and it would be amazing to try to convert that sentiment and that knowledge and that community into the world of security. We still need to find the analogies for that in security.
Building positive security tools
It’s constantly hard, reducing risk without being a fearmonger, but it’s basically the challenge we’re on because developer tooling companies, ops tooling companies, they’re positive companies. They’re builders. They’re not just protectors; they’re builders. Building walls is a good thing as well, but you have to encourage that from a positive perspective of, ‘How do you defend? How do you help?’ Not just scare people into submission.
Fixing known vulnerabilities in open source
For known vulnerabilities today, tools have become sufficiently easy that fixing them is no longer an excuse, but it’s about ease of use. Again, security tools are notoriously hard to use. They are expensive, oftentimes. You usually need to talk to somebody before you start using them, which is sort of a big no-no in the world of DevOps. I hope that this is something that’s shifting—this is greater than security. This is the world of technology decisions being made bottom-up versus top-down, this notion that you can use the product before you decide to buy it. Not try it for fifteen days or something. Straight up use it: self-serve, API-driven, easy to use, caring about how long it takes you to import. All these principles that are bread and butter in the world of dev tools need to come into the world of security tools.