From Kindness to Code: How a Security BSides Founder is Redefining Hacker Culture with Compassion and Hardened DevOps

Listen to this Post

Featured Image

Introduction:

In an industry often portrayed as adversarial, the fusion of human-centric values with technical rigor is emerging as a powerful force for change. The latest episode of the “Ethical Hacking, Guests and Wholesomeness” podcast, featuring Cássio Batista Pereira—secure software development specialist and founder of Security BSides Kraków—highlights this shift, demonstrating how kindness and robust security practices are not mutually exclusive but fundamentally linked. This dialogue underscores the critical journey from writing vulnerable code to building secure systems from the ground up, while fostering inclusive communities that strengthen the entire cybersecurity ecosystem.

Learning Objectives:

  • Understand the core principles of secure software development lifecycles (SSDLC) and their practical implementation.
  • Learn actionable steps to integrate security tooling into development pipelines for both legacy and greenfield projects.
  • Gain insights into the organizational and community-building strategies behind successful security conferences like BSides.

You Should Know:

  1. Shifting Left: Integrating Security at the Code Level
    The foundational lesson from Pereira’s experience is the non-negotiable need to “shift left”—embedding security early in the software development lifecycle. This prevents vulnerabilities from becoming entrenched and costly to remediate.

Step‑by‑step guide explaining what this does and how to use it.
Step 1: Adopt a Secure Coding Standard. For your project’s language (e.g., Java, Python, C++), select and enforce a standard. Use linters and static analysis in your IDE.
Python (Pylint with Bandit plugin): `pip install bandit pylint; bandit -r ./myapp/`
Java (SpotBugs with FindSecBugs): Integrate the `findsecbugs` plugin into your Maven or Gradle build.
Step 2: Pre-commit Hooks. Use Git hooks to run basic security checks before code is even committed.

Example .pre-commit-config.yaml:

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: detect-private-key
- repo: https://github.com/PyCQA/bandit
rev: '1.7.5'
hooks:
- id: bandit
args: ['-ll', '-r', '.']

Step 3: Static Application Security Testing (SAST). Integrate a SAST tool into your CI/CD pipeline (e.g., GitLab CI, GitHub Actions, Jenkins).

Example GitHub Actions snippet for Semgrep:

- name: Semgrep SAST
uses: returntocorp/semgrep-action@v1
with:
config: p/security-audit
  1. The Dynamic Duo: SAST and DAST in Your Pipeline
    While SAST analyzes source code, Dynamic Application Security Testing (DAST) probes the running application. Pereira’s work emphasizes using both for defense-in-depth.

Step‑by‑step guide explaining what this does and how to use it.
Step 1: Choose Your DAST Tool. Options range from open-source (OWASP ZAP) to commercial (Burp Suite Pro).
Step 2: Automate DAST Scans. Run automated passive and active scans against your staging environment post-deployment.
Running OWASP ZAP in Docker as part of a pipeline:

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py \
-t https://your-staging-app.com/ \
-g gen.conf -r testreport.html

Step 3: Triage and Integrate Findings. Parse the tool’s output (e.g., SARIF, HTML) and create tickets in your bug-tracking system (Jira, GitHub Issues) automatically. Tools like DefectDojo can centralize findings from SAST, DAST, and other sources.

3. Hardening the Supply Chain: Dependencies and Secrets

Secure development extends beyond your code to its dependencies and the secrets it uses. This is a critical attack surface highlighted in modern DevSecOps.

Step‑by‑step guide explaining what this does and how to use it.
Step 1: Software Composition Analysis (SCA). Continuously scan for known vulnerabilities in open-source libraries.

Using OWASP Dependency-Check with Maven:

mvn org.owasp:dependency-check-maven:check

Step 2: Secrets Detection. Prevent credentials from being committed to version control.

Using TruffleHog in CI:

docker run -v "$PWD:/pwd" trufflesecurity/trufflehog:latest git file:///pwd --only-verified

Step 3: Use a Secrets Manager. Never hardcode secrets. Use services like AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault.

Example fetching a secret in Python (AWS):

import boto3
from botocore.exceptions import ClientError

def get_secret():
client = boto3.client('secretsmanager')
try:
response = client.get_secret_value(SecretId='MyApp/Database/Creds')
except ClientError as e:
raise e
return response['SecretString']
  1. Building a Security-First Culture: From Code to Conference
    Pereira’s founding of BSides Kraków exemplifies how building community is a security multiplier. Conferences foster knowledge sharing, mentorship, and a collective defense mindset.

Step‑by‑step guide explaining what this does and how to use it.
Step 1: Identify the Need. Gauge local community interest in an informal, accessible security event. Use surveys or informal meetups.
Step 2: Leverage the BSides Model. The BSides framework (bsides.org) provides a proven, community-driven model. Reach out to the global BSides community for guidance.
Step 3: Assemble a Diverse Team. Build a committee with skills in content, operations, sponsorship, and communication. Diversity of thought is key.
Step 4: Curate a Balanced CFP. Encourage talks that blend deep technical content (e.g., “Exploiting API Misconfigurations”) with human-centric topics (e.g., “Psychology of Social Engineering”).
Step 5: Prioritize Inclusivity. Implement a clear Code of Conduct, offer diversity scholarships, and ensure physical/virtual accessibility.

5. Continuous Learning: The Hacker’s Mindset for Developers

The podcast underscores that security is a continuous journey, not a destination. Cultivating a curious, adversarial mindset is essential.

Step‑by‑step guide explaining what this does and how to use it.
Step 1: Dedicated Learning Time. Allocate weekly time for team members to study security. Use platforms like TryHackMe, PentesterLab, or SANS Cyber Aces.
Step 2: Internal Capture The Flag (CTF). Run regular, small-scale CTFs focused on application security (e.g., exploiting a purposely vulnerable API).
Example: Set up a vulnerable target using OWASP Juice Shop or DVWA (Damn Vulnerable Web App) and have teams compete to find flaws.
Step 3: Threat Modeling Sessions. Regularly conduct “whiteboard” threat modeling (e.g., using STRIDE) on new features before they are built.

What Undercode Say:

  • The Human Firewall is the Foundation. Technical controls are futile without a culture that values security, curiosity, and shared responsibility. Pereira’s journey from developer to community builder proves that kindness and collaboration are potent security tools.
  • Automation is Non-Optional. The scale of modern development demands that security checks be automated, seamless, and fast. The integration of SAST, DAST, and SCA into CI/CD is now a baseline for any serious development practice.

Analysis: This podcast episode effectively bridges a critical gap in cybersecurity discourse. While technical deep dives are abundant, the narrative often lacks the human element necessary for sustained implementation. Pereira’s perspective validates that the most secure organizations are those where developers are empowered, not blamed, and where community knowledge dissipates silos. The practical advice on secure coding is complemented by the meta-lesson on building ecosystems (like BSides) that perpetuate this knowledge. This holistic view—code, pipeline, culture, community—is the blueprint for the next generation of cybersecurity resilience. It moves beyond fear-based compliance to a model of engaged, collective ownership.

Prediction:

The intersection of empathetic leadership and automated, shift-left security will define the next era of software development. We will see a rise in “DevSecOps Culture” roles focused specifically on mentoring and tooling adoption. Security conferences will increasingly prioritize workshops on secure coding and threat modeling alongside traditional offensive security topics, creating more well-rounded professionals. Furthermore, AI-powered coding assistants will be judged not only on their code generation speed but on their ability to suggest secure patterns and flag potential vulnerabilities in real-time, essentially acting as an always-present pair programmer trained in security best practices. The “wholesomeness” factor—psychological safety, clear communication, and kindness—will be quantitatively linked to lower incident response times and more effective security programs.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Dorota Kozlowska – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky