
Building Security Culture with Dustin Lehr: New Episode of Snyk Podcast
In this episode of The Secure Developer, Danny Allan, CTO of Snyk Software, interviews Dustin Lehr, a security expert with extensive experience in software engineering, architecture, application security, and building security programs. The discussion explores the evolution of software development, the importance of quality and security, and best practices for integrating security into the Software Development Life Cycle (SDLC).

Dustin Lehr shares his journey, starting as a software engineer and evolving into technical leadership and security roles. He emphasizes the importance of quality in software development, including aspects like performance and maintainability. For him, security is a natural extension of these quality practices. He explains how security can even be used to promote quality initiatives: implementing a secure SDLC, for example, first requires a consistent SDLC.

The discussion covers the evolution of software development over the past decade, including the integration of infrastructure into the development process through the rise of the cloud. Dustin Lehr stresses the importance of following best practices even when the development cycle is faster. He warns against shortcuts and the excessive use of AI to write code, highlighting that the fundamentals must always be respected.

Dustin Lehr and Danny Allan also discuss the impact of AI and LLMs on security champion programs. Dustin Lehr believes that technology can help automate and motivate individuals, but he insists that human relationships remain essential for building a security culture. He shares his experience with Katilyst, a company he founded to automate and motivate security actions.

A key point of the discussion is the importance of security champion programs. Dustin Lehr explains how to identify potential champions by letting developers volunteer. He emphasizes that champions do not necessarily have to be the best developers, but rather those who are passionate about security. He shares advice on how to nurture these programs and measure their effectiveness, focusing on specific actions and key results. Dustin Lehr tells an anecdote about a manager who was initially reluctant but eventually joined the security champion program after seeing its benefits. He advises focusing on initial allies and setting skeptics aside for the moment, allowing them to see the positive results of the program.

Finally, Dustin Lehr shares his vision for the future of security, emphasizing the importance of culture and human relationships. He believes that technology cannot solve everything and that the key lies in cultural change and in using technology to strengthen human relationships.

To learn more about Dustin Lehr's ideas and solutions, consult The Security Champion Program Success Guide at SecurityChampionSuccessGuide.org and visit his company's website, Katilyst, at Katilyst.com.