Code security for software engineers - The Pragmatic Engineer Recap

Podcast: The Pragmatic Engineer

Published: 2025-11-26

Duration: 1 hr 8 min

Summary

In this episode, Johannes Das, a seasoned security expert, discusses essential code security practices that every software engineer should understand and emphasizes the shared responsibility of security among developers and security teams.

What Happened

The episode kicks off with the host introducing the topic of code security and welcoming guest Johannes Das, who has over 20 years of experience in the field. He shares his personal journey into cybersecurity, sparked by an early hacking incident that piqued his interest. Capture-the-flag competitions further honed his skills and led him to a career in professional penetration testing, where he learned to identify vulnerabilities in software applications. Das highlights the importance of understanding what your code is actually doing, since many security issues arise from functionality in the software that its developers overlooked.

As the conversation shifts towards the role of AI in code security, Das emphasizes that it is crucial for software engineers to write secure code themselves. He discusses tools that can assist in this, such as static application security testing (SAST) and more advanced software solutions. The discussion also touches on the responsibilities of developers versus security teams, with Das advocating that developers take ownership of code-level security issues while security teams focus on broader application security strategy. He believes this division lets both parties apply their expertise effectively, leading to more secure software development practices.

Key Questions Answered

What are the basics of code security every developer should know?

Das emphasizes that the fundamental aspect of code security is truly understanding what your code is doing. He explains that security experts often find vulnerabilities by examining how code operates, revealing hidden functionalities that could pose security risks. By being aware of these intricacies, developers can better safeguard their applications.

How is AI impacting code security practices?

The episode explores the influence of AI on code security, noting that understanding AI's role in writing secure code is becoming increasingly important for software engineers. AI tools are evolving to help identify vulnerabilities and improve coding practices, supporting developers in building safer applications.

What is the role of penetration testing in software security?

Das describes penetration testing as simulating an attack to find vulnerabilities within a given timeframe and scope. Companies hire penetration testers to act as attackers and identify security flaws before real attackers can exploit them.

Who should be responsible for code security within a company?

According to Das, code security should primarily be the responsibility of developers. He argues that while security teams play a critical role in overseeing broader application security, developers are in the best position to address specific vulnerabilities during the coding process, ensuring that security is integrated from the ground up.

When should a company consider establishing a security team?

Das suggests that as companies grow larger, establishing a security team becomes essential. Security teams can handle compliance requirements and manage broader security initiatives, allowing developers to focus on writing secure code without getting bogged down by every single security issue that arises during development.