1h 7m

Code security for software engineers

Gergely Orosz
About this episode

Brought to You By:

• Statsig — The unified platform for flags, analytics, experiments, and more. Statsig is helping make the first-ever Pragmatic Summit a reality. Join me and 400 other top engineers and leaders on 11 February in San Francisco for a special one-day event. Reserve your spot here.

• Linear — The system for modern product development. Engineering teams today move much faster, thanks to AI. Because of this, coordination increasingly becomes a problem. This is where Linear helps fast-moving teams stay focused. Check out Linear.

As software engineers, what should we know about writing secure code?

Johannes Dahse is the VP of Code Security at Sonar and a security expert with 20 years of industry experience. In today’s episode of The Pragmatic Engineer, he joins me to talk about what security teams actually do, what developers should own, and where real-world risk enters modern codebases.

We cover dependency risk, software composition analysis, CVEs, dynamic testing, and how everyday development practices affect security outcomes. Johannes also explains where AI meaningfully helps, where it introduces new failure modes, and why understanding the code you write and ship remains the most reliable defense.

If you build and ship software, this episode is a practical guide to thinking about code security under real-world engineering constraints.

Timestamps

(00:00) Intro

(02:31) What is penetration testing?

(06:23) Who owns code security: devs or security teams?

(14:42) What is code security? 

(17:10) Code security basics for devs

(21:35) Advanced security challenges

(24:36) SCA testing 

(25:26) The CVE Program 

(29:39) The State of Code Security report 

(32:02) Code quality vs security

(35:20) Dev machines as a security vulnerability

(37:29) Common security tools

(42:50) Dynamic security tools

(45:01) AI security reviews: what are the limits?

(47:51) AI-generated code risks

(49:21) More code: more vulnerabilities

(51:44) AI’s impact on code security

(58:32) Common misconceptions of the security industry

(1:03:05) When is security “good enough?”

(1:05:40) Johannes’s favorite programming language

The Pragmatic Engineer deep dives relevant for this episode:

• What is Security Engineering?

• Mishandled security vulnerability in Next.js

• Okta Schooled on Its Security Practices

Production and marketing by https://penname.co/. For inquiries about sponsoring the podcast, email podcast@pragmaticengineer.com.

Get full access to The Pragmatic Engineer at newsletter.pragmaticengineer.com/subscribe