The Secure Developer

Today’s guest is Andy Steingruebl, Chief Security Officer at Pinterest, here to talk about DevSecOps, collaboration, and measuring security performance at his place of work! We open with a few details from Andy’s background and how he got into security by working on UNIX systems. After talking about how he splits up his teams, Andy touches on the fact that many issues spill over from one area to another, meaning the lines that divide them are not set in stone and issues get tackled on a case-by-case basis. We shift from security to engineering next, talking about the interaction between application security teams and agile development teams building software. As is often the case, Andy has found that the more communication between the two the better, and he describes how the company culture at Pinterest helps to bolster this practice even further. Secure by default is always a big goal, and Andy talks about the line between using preexisting web frameworks with security baked in and allowing developers to be creative. We dive with Andy into the difficult question of how to measure security performance next, hearing his approach that highlights measuring the applicability of a security control. Wrapping up for the day, we close with some golden advice from Andy regarding security being about people and collaboration, something we would all do well to remember. Be sure to tune in today!