Software Engineering Radio - the podcast for professional software developers

Dwayne McDaniel, developer advocate at GitGuardian.com, joins host Priyanka Raghavan to talk about the engineering challenges of secrets management. They explore what "secrets" really are in modern systems—far beyond passwords—including API keys, tokens, certificates, and machine identities, and how "secret sprawl" emerges across the SDLC.
Drawing on reports from GitGuardian and Verizon, they discuss the growing scale of secret leaks and why credential abuse and phishing remain dominant attack vectors.
They examine common leak points—from code repos and logs to CI/CD pipelines, containers, and SaaS integrations—and how cloud, DevOps, and AI tooling are amplifying risks. Priyanka quizzes Dwayne about recent supply chain attacks from pyPi and trivy ecosystems, highlighting recurring root causes like poor access control, long-lived credentials, and weak security hygiene.
Finally, they consider detection, response, and modern solutions—short-lived credentials, secret scanning, and identity-based approaches like OWASP NHIR and SPIFFE/SPIRE—ending with practical advice for engineers to reduce blast radius and design for secure secret lifecycle management.

In this episode, Rob Moffat, author of Risk-First Software Development and chief technical architect at the FinTech Open Source Software Foundation (FINOS), speaks with host Brijesh Ammanath about how all of software development is actually risk management. Rob introduces the concept of 'risk-first software development,' which sits in the context of existing methodologies like scrum and kanban. Showcasing multiple real-world project patterns to illustrate how things can go wrong when risk is ignored, he makes the case for why risk should be the primary lens behind every development decision, from architecture to prioritization. Through various examples, he shows how every developer action can be viewed as a risk trade-off and why making that explicit can lead to better outcomes. The conversation takes a deep dive into the risk-first framework and how teams can apply it in their existing processes.

Martin Dilger, founder and CEO of Nebuilt GmbH, speaks with host Giovanni Asproni about event sourcing -- a software architecture pattern in which, rather than storing just the current state of your data, you store a sequence of events that represents every change that has ever happened in the system. This episode starts by introducing the vocabulary around event sourcing, highlighting its relationship with event modeling, event streaming, and event storming. Martin describes some of the pros and cons of the approach, including which systems it is most suitable for. The conversation ends with guidance how to get started with event sourcing, for both greenfield and legacy systems.

Birol Yildiz, CEO and co-founder of iLert, joins host Kanchan Shringi to explore how iLert built an AI SRE — an autonomous agent for handling production incidents — and what the experience revealed about building AI agents in the real world. Birol explains why incident response is a fundamentally agentic problem, where the unpredictability of novel incidents makes rule-based runbooks insufficient and reasoning models essential. He describes how the AI SRE evolved from an early browser-based approach to its current architecture, built around two key ingredients: reasoning models and the Model Context Protocol.
The conversation examines the four layers of the AI SRE in depth: an orchestration layer that routes requests and abstracts model providers; a knowledge layer built on plain text memory and agentic search rather than vector databases; an evaluation framework based on recorded live investigations replayed against new model versions; and a human-in-the-loop constraint layer. The episode concludes with practical advice for teams building agents: own your context completely, avoid off-the-shelf frameworks that obscure what enters the model, and get out of the way of the reasoning model rather than over-prescribing its steps.

Will Sentance, educator and co-founder of Codesmith, joins SE Radio's Adi Narayan to discuss the evolution of JavaScript and modern best practices. They begin with JavaScript's origins as a simple scripting language and its growth into the backbone of modern web development, highlighting the core theme of the "don't break the web" constraint. The requirement that JavaScript must remain backward-compatible has shaped everything from naming decisions (e.g., flat instead of flatten) to the introduction of Symbols as a collision-safe way to extend objects.
Will explains how the TC39 group uses the open-source community as a filtration system, absorbing user land patterns (like those from Lodash or Moment) into the standard library only once demand is proven. The upcoming Temporal API is highlighted as a major win for native date/time handling. On the engine side, Will discusses the shift toward monomorphic object shapes in the V8 JavaScript engine for better just-in-time (JIT) compiler performance, and how developers can now write more engine-aware code. The conversation also touches on LLMs in coding: Will's view is that AI tools are useful but risk atrophying developers' under-the-hood understanding, which remains essential for debugging complex, production-scale systems.