Programming Throwdown talks cybersecurity with Dotan Nahum, CEO and Co-founder of Spectral. Dotan provides us with a high-level overview of the role of cybersecurity, its definition, evolution, and current challenges. He also shares tips for small- and medium-sized ventures on how to develop best practices.
The episode touches on the following key topics and ideas:
00:01:12 Evolution of modern cybersecurity
00:06:06 When to integrate security in a design
00:11:54 Shadow IT
00:13:50 Hacker motives and motivations; SQL Injection explained
00:16:48 Firewalls and WAFs
00:20:29 Cybersecurity for small- and medium-sized companies
00:23:52 “The last mile of developers”
00:26:47 dotfiles
00:32:23 Simple tools and good practices
00:40:42 Attack vectors, attack factors
00:44:16 Ransomware and phishing
00:48:19 Unsafe languages
00:50:02 Fuzzing
00:54:11 Rust programming language
00:55:54 Example security scenario with IntelliJ
00:59:42 More about Spectral, Dotan’s company
01:03:40 Staying virtual using Discord
Transcript:
Episode 110 Computer Security with Dotan Nahum
Jason Gauci: Programming Throwdown Episode 110, Security with Dotan Nahum. Take away, Patrick.
[00:00:21] Patrick Wheeler: Hey everybody. We're here with a hundred and tenth episode, which is pretty exciting. And we have our guest to-- oh, yeah, go ahead. You want to...
[00:00:30] Jason Gauci: I'm just saying, yeah! (laugh)
[00:00:32] Patrick Wheeler: So we're here with our guest today, Dotan, and you are CEO of Spectral. Why don't you go ahead and introduce yourself briefly, and then we'll get started.
[00:00:42] Dotan Nahum: Yep. So hi, guys. So I am Dotan, and by the way, 110 is binary, right?
[00:00:48] Patrick Wheeler: Oh, there we go. That's right. (laugh)
[00:00:52] Dotan Nahum: So yeah, so I'm Dotan, CEO of Spectral. It's a cybersecurity company, geared towards developers. I mean, we like to say that we create tools for developers with security as a side effect. So yeah, so that's, that's, you know, that's what our focus is.
[00:01:12] Patrick Wheeler: Awesome. Well, I mean, I guess that's a lot to unpack, so I think everybody would agree, security is very important, but maybe everyone doesn't understand what security is. So we were talking about this a little when we were doing, doing warmups. So if we talk about security, does that mean that you are developing antivirus for computers, for developers, or does it mean something more?
[00:01:35] Dotan Nahum: Yeah, I mean, I mean, it's kind of all goes back to, I guess, evolution of our, I guess it is our domain, our, our world, which is kind of a high-tech or software, software world? Time really gets compact with all these revolutions. We have a, we have evolution revolution.
[00:01:57] So, I mean, if you go back to 2007, that was just before Facebook and just before iPhone, I guess. And if you go back to 2005, that was before the rise of Microsoft, I guess the major rise of Microsoft as a .NET shop, which really made, you know, made all the enterprise software come along and then kind of '98, 2000, the first bubble.
[00:02:27] So all these stages, they had, it's kind of a sprint to create technology. And, the focus is on creating technology that is supposed to give developers productivity, and supposed to make, you know, make companies very productive and create a very nice portfolio of products.
[00:02:48] And almost always, I mean, maybe not intentionally, but almost always the security side of things, was kind of left behind. You know, I'm sure no one intended for it to be, but, there's a lot of more velocity under creating a great product at the time. Every, each and every step of this, like in the first bubble, and then in 2005, and then into 2007 and so on, rather than, okay, so let's create the technology and the product, and let's also make it, you know, kind of, dependent on making great security, be there for us.
[00:03:35] So almost every time, security came after the revolution, after the evolution. So we had from, simple firewalls, to intrusion detection, which is, you know, the large kind of, systems that try, try their best to find anomalies in the, in the area of 2000, to the smarter firewalls. And even today, those like, this, mini kind of firewalls, of WAFs that you integrate as an SDK into your app. So yeah, so it's kind of come, it comes in waves, technology, and then, security comes in waves as well.
[00:04:17] And yeah. So the latest, the latest we're seeing right now in terms of the evolution of software is that yeah, we know that software eats the world, but we are kind of feeling that it already ate the world? So, you know, you can do so much today that you couldn't have done, I mean, as little as three or four years ago, actually. You know, it can take a Lambda and you can pick up a bunch of SaaS services and you're done. I mean, you build a product that used to be maybe three, four, five years ago, you know, used to take much more energy to build.
[00:04:58] So in that sense, as a developer, you have so much more power and so many more paths to get to the same end goal that... I'm not sure, I mean, I feel it for myself. I'm not sure the security world can even begin to realize, because they need, I mean, if we, if we think about them as they, then they need to understand how to develop as well as developers in order to give, to create great solutions for that developer, that glue stuff together, and, you know, invent stuff from existing, existing parts.
[00:05:37] Jason Gauci: Yeah, that makes a bunch of sense.
[00:05:39] Patrick Wheeler: I say, yeah, that covered, I mean, you, you went to the whole history of modern or last couple of decades of, computer software there, but I was going to say, so one of the interesting things I think before we get into the kind of specifics about, what needs to be secured, this, this kind of, thing you mentioned where people build a product first and then try to figure out security later.
[00:06:02] I guess that's an interesting balance where, if you're building something until it's built, maybe it doesn't really need security. Right? If this was a thought in my head, I don't need security. If people are going to start using it though, immediately, you need to start having some amount of security. Do you have an opinion on like, what is the balance there?
[00:06:19] So if you don't know yet what you're doing and what may be your risks, when is the right time to start considering security and what are some of the good, you know, first things to start considering?
[00:06:30] Dotan Nahum: Yeah, so that, that's a great, great question. I mean, I think the balance is shifting towards really taking the time, in development time, in design time, and think about security on the security model.
[00:06:46] So, you know, this was kind of theoretical, yeah, everyone should do threat modeling and everyone should do secure by design and so on. And, and frankly, you know, you'll, you'll find these people who are extremely into security that are actually doing these th...