As software engineers, what should we know about writing secure code? Johannes Dahse is the VP of Code Security at Sonar and a security expert with 20 years of industry experience. In today’s episode of The Pragmatic Engineer, he joins me to talk about what security teams actually do, what developers should own, and where real-world risk enters modern codebases. We cover dependency risk, software composition analysis (SCA), CVEs, dynamic testing, and how everyday development practices affect security outcomes. Johannes also explains where AI meaningfully helps, where it introduces new failure modes, and why understanding the code you write and ship remains the most reliable defense. If you build and ship software, this episode is a practical guide to thinking about code security under real-world engineering constraints.

—

*Brought to you by:*

• Statsig — The unified platform for flags, analytics, experiments, and more
• Linear — The system for modern product development

—

*The Pragmatic Engineer deepdives relevant for this episode:*

• What is Security Engineering?
• Mishandled security vulnerability in
• Okta Schooled on Its Security Practices

—

*Where to find Johannes Dahse:*

• LinkedIn:

—

*In this episode, we cover:*

(00:00) Intro
(02:31) What is penetration testing?
(06:23) Who owns code security: devs or security teams?
(14:42) What is code security?
(17:10) Code security basics for devs
(21:35) Advanced security challenges
(24:36) SCA testing
(25:26) The CVE Program
(29:39) The State of Code Security report
(32:02) Code quality vs security
(35:20) Dev machines as a security vulnerability
(37:29) Common security tools
(42:50) Dynamic security tools
(45:01) AI security reviews: what are the limits?
(47:51) AI-generated code risks
(49:21) More code: more vulnerabilities
(51:44) AI’s impact on code security
(58:32) Common misconceptions of the security industry
(1:03:05) When is security “good enough?”
(1:05:40) Johannes’s favorite programming language

—

See the transcript and other references from the episode at

—

Production and marketing by