Infusing security into the application development process

Episode 3: The one where we considered security
In this episode Melissa and Damian dig into various aspects of how, when and why to infuse security into your software development, as well as how they will do so within their project.

0:00 Intro
1:13 Recap of what was covered in previous episodes
2:15 Introducing the Spring framework
2:46 Using open source in your application
7:35 Introducing the Software Bill of Materials (SBOM)
10:56 Generating an SBOM in Artifactory/Xray
12:45 Exporting an SBOM from Artifactory/Xray
14:00 Who should be paying attention to security
14:55 Everything as code
17:04 How times have changed
18:29 Awareness is key
18:55 The Leftpad incident
19:45 Engineering in software engineering
20:10 Choosing components
20:35 Involving management in security
21:08 Considering security from the beginning
22:45 Available resources for vulnerability intel
24:49 All vulnerabilities vs applicable vulnerabilities
25:25 Importance of context in vulnerability scanning
26:39 What is a Certified Naming Authority (CNA)?
28:00 Different flavors of vulnerability research
29:09 SLSA - Supply Chain Levels for Software Artifacts
31:14 A shared vocabulary
31:58 Automating SBOMs
31:41 From the developers' side
34:25 FrogBot: scan pull requests for vulnerabilities after check-in
35:17 Securing your container images
36:54 Problems with always using the latest version
41:40 Security-minded development

Melissa McKay, Developer Advocate, JFrog

Damian Curry, Technical Director Community and Alliances, NGINX

We encourage you to share any lessons you may have learned in your application development journey in the comments!

#Modernapplicationdevelopment
#Applicationdevelopmentreference
#Modernsoftwaredevelopment
#swampUP
#MARA