The Pragmatic Engineer

Code security for software engineers



Brought to You By:

• Statsig — The unified platform for flags, analytics, experiments, and more. Statsig are helping make the first-ever Pragmatic Summit a reality. Join me and 400 other top engineers and leaders on 11 February, in San Francisco for a special one-day event. Reserve your spot here.

• Linear — The system for modern product development. Engineering teams today move much faster, thanks to AI. Because of this, coordination increasingly becomes a problem. This is where Linear helps fast-moving teams stay focused. Check out Linear.

As software engineers, what should we know about writing secure code?

Johannes Dahse is the VP of Code Security at Sonar and a security expert with 20 years of industry experience. In today’s episode of The Pragmatic Engineer, he joins me to talk about what security teams actually do, what developers should own, and where real-world risk enters modern codebases.

We cover dependency risk, software composition analysis, CVEs, dynamic testing, and how everyday development practices affect security outcomes. Johannes also explains where AI meaningfully helps, where it introduces new failure modes, and why understanding the code you write and ship remains the most reliable defense.

If you build and ship software, this episode is a practical guide to thinking about code security under real-world engineering constraints.

Timestamps

(00:00) Intro

(02:31) What is penetration testing?

(06:23) Who owns code security: devs or security teams?

(14:42) What is code security?

(17:10) Code security basics for devs

(21:35) Advanced security challenges

(24:36) SCA testing

(25:26) The CVE Program

(29:39) The State of Code Security report

(32:02) Code quality vs security

(35:20) Dev machines as a security vulnerability

(37:29) Common security tools

(42:50) Dynamic security tools

(45:01) AI security reviews: what are the limits?

(47:51) AI-generated code risks

(49:21) More code: more vulnerabilities

(51:44) AI’s impact on code security

(58:32) Common misconceptions of the security industry

(1:03:05) When is security “good enough?”

(1:05:40) Johannes’s favorite programming language

The Pragmatic Engineer deepdives relevant for this episode:

• What is Security Engineering?

• Mishandled security vulnerability in Next.js

• Okta Schooled on Its Security Practices

Production and marketing by https://penname.co/. For inquiries about sponsoring the podcast, email [email protected].



Get full access to The Pragmatic Engineer at newsletter.pragmaticengineer.com/subscribe

The Pragmatic Engineer, by Gergely Orosz
