Defense in Depth

Who is Responsible for the Conflict Between Security and Developers?

Mar 19, 2026
Matt Brown, a solutions architect at Endor Labs who specializes in software composition analysis and supply chain security, explores why developers prioritize functionality over security. The conversation covers leadership and incentive problems, pragmatic prioritization of vulnerabilities, AI and open source risks, and making security faster and easier for developers.
AI Snips
INSIGHT

Developers Are Builders Not Security Experts

  • Developers are builders focused on functionality, not security expertise.
  • Andrew Wilder argues security should make unsafe actions hard and provide better tools rather than force developers to 'think like hackers.'
ADVICE

Include Developers In Tooling Decisions

  • Involve developers early when selecting tooling, processes, and policies to avoid slowing innovation.
  • Matt Brown recommends including devs in proofs of concept so the chosen AppSec tools fit developer workflows and their findings actually get fixed.
INSIGHT

Prioritize Fixes Into A Small Actionable Set

  • Flooding developers with every CVE creates noise; prioritize a small actionable set.
  • Matt says to turn thousands of alerts into the handful of critical, reachable issues, framed as bugs developers want to fix.