PLAY PODCASTS
Security Weekly Podcast Network (Video)

Security Weekly Podcast Network (Video)

4,876 episodes — Page 10 of 98

The dark side of security leadership, will agentic be a thing, OWASP AI resources - ESW #394

In this week's enterprise security news, we've got 5 acquisitions Tines gets funding new tools and DFIR reports to check out A legal precedent that could hurt AI companies AI garbage is in your code repos the dark side of security leadership HIPAA fines are broken Salt Typhoon is having a great time Don't use ChatGPT for legal advice!!!!! All that and more, on this episode of Enterprise Security Weekly. Show Notes: https://securityweekly.com/esw-394

Feb 17, 202551 min

A SecOps Medley: we talk automation, AI, data management, and EDR evaluations - Allie Mellen - ESW #394

We couldn't decide what to talk to Allie about, so we're going with a bit of everything. Don't worry - it's all related and ties together nicely. First, we'll discuss AI and automation in the SOC - Allie is covering this trend closely, and we want to know if she's seeing any results yet here. Next, we'll discover SecOps data management - the blood that delivers oxygen to the SOC muscles. Finally, we'll discuss MITRE's recent EDR evaluations - there was some contention around some vendors claiming to ace the test and we're going to get the tea on what's really going on here! For each of these three topics, these are the blog posts they correspond with if you want to learn more: Generative AI Will Not Fulfill Your Autonomous SOC Hopes (Or Even Your Demo Dreams) If You're Not Using Data Pipeline Management For Security And IT, You Need To Go Beyond The MITRE ATT&CK Evaluation To The True Cost Of Alert Volumes Show Notes: https://securityweekly.com/esw-394

Feb 17, 202532 min

Evolving the SOC: Automating Manual Work while Maintaining Quality at Scale - Tim MalcomVetter - ESW #394

We've got a few compelling topics to discuss within SecOps today. First, Tim insists it's possible to automate a large amount of SecOps work, without the use of generative AI. Not only that, but he intends to back it up by tracking the quality of this automated work with an ISO standard unknown to cybersecurity. I've often found useful lessons and wisdom outside security, so I get excited when someone borrows from another, more mature industry to help solve problems in cyber. In this case, we'll be talking about Acceptable Quality Limits (AQL), an ISO standard quality assurance framework that's never been used in cyber. Segment Resources: Introducing AQL for cyber. AQL - How we do it An AQL 'calculator' you can play around with Show Notes: https://securityweekly.com/esw-394

Feb 16, 202531 min

Bad Romance, Kimsuky, Red Mike, Ivanti, Nvidia, C code, Postgre, Aaran Leyland... - SWN #451

Tunnel of Love, Kimsuky, Red Mike, Ivanti, Nvidia, C code, Postgre, Aaran Leyland, and More, on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-451

Feb 14, 202533 min

Prompt Injection, CISA, Patch Tuesday - PSW #861

You can install Linux in your PDF, just upload everything to AI, hackers behind the forum, TP-Link's taking security seriously, patche Tuesday for everyone including Intel, AMD, Microsoft, Fortinet, and Ivanti, hacking your space heater for fun and fire, Cybertrucks on fire (or not), if you could just go ahead and get rid of the buffer overflows, steam deck hacking and not what you think, Prompt Injection and Delayed Tool Invocation, new to me Ludus, Contec patient monitors are just insecure, Badbox carries on, the compiler saved me, and Telnet command injection! Show Notes: https://securityweekly.com/psw-861

Feb 13, 20252h 5m

Speak the Same Language, as Cybersecurity is Everyone's Responsibility - BSW #382

This week, we tackle a ton of leadership and communications articles: Why CISOs and Boards Must Speak the Same Language on Cybersecurity, The Hidden Costs of Not Having a Strong Cybersecurity Leader, Why Cybersecurity Is Everyone's Responsibility, Leadership is an Action, not a Position, and more! Show Notes: https://securityweekly.com/bsw-382

Feb 12, 202554 min

PlayStation, KerioControl, SEC SimSWAP, 8base, Copilot, AI, Bird, Josh Marpet... - SWN #450

PlayStation, KerioControl, SEC SimSWAP, 8base, Copilot, AI, Robert Bird, Josh Marpet, and more on the Security Weekly News. Show Notes: https://securityweekly.com/swn-450

Feb 11, 202530 min

Unforgivable Vulns, DeepSeek iOS App Security Flaws, Memory Safety Standards - ASW #317

Identifying and eradicating unforgivable vulns, an unforgivable flaw (and a few others) in DeepSeek's iOS app, academics and industry looking to standardize principles and practices for memory safety, and more! Show Notes: https://securityweekly.com/asw-317

Feb 11, 202535 min

Code Scanning That Works With Your Code - Scott Norberg - ASW #317

Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to creating a scanner from scratch. We talk about some challenges in testing tools, making smart investments in engineering time, and why working with .NET's compiler made his decisions easier. Segment Resources: -https://github.com/ScottNorberg-NCG/CodeSheriff.NET Show Notes: https://securityweekly.com/asw-317

Feb 11, 202537 min

Breach details need to be transparent and kids need cybersecurity education - ESW #393

This week, in the enterprise security news, Semgrep raises a lotta money CYE acquires Solvo Sophos completes the Secureworks acquisition SailPoint prepares for IPO Summarizing the 2024 cybersecurity market Lawyers that specialize in keeping breach details secret Scientists torture AI Make sure to offboard your S3 buckets extinguish fires with bass All that and more, on this episode of Enterprise Security Weekly. Show Notes: https://securityweekly.com/esw-393

Feb 10, 202548 min

Inside look and lessons from a Recent APT Attack on a U.S. Aerospace Company - John Dwyer - ESW #393

Listeners of the show are probably aware (possibly painfully aware) that I spend a lot of time analyzing breaches to understand how failures occurred. Every breach story contains lessons organizations can learn from to avoid suffering the same fate. A few details make today's breach story particularly interesting: It was a Chinese APT Maybe the B or C team? They seemed to be having a hard time Their target was a blind spot for both the defender AND the attacker Segment Resources: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/ https://www.theregister.com/2024/09/18/chinesespiesfoundonushqfirm_network/ Show Notes: https://securityweekly.com/esw-393

Feb 10, 202531 min

The groundbreaking technology addressing employment scams and deepfakes - Aaron Painter - ESW #393

Spoiler: it's probably in your pocket or sitting on the table in front of you, right now! Modern smartphones are conveniently well-suited for identity verification. They have microphones, cameras, depth sensors, and fingerprint readers in some cases. With face scanning quickly becoming the de facto technology used for identity verification, it was a no-brainer for Nametag to build a solution around mobile devices to address employment scams. Segment Resources: Company website Aaron's book, Loyal Show Notes: https://securityweekly.com/esw-393

Feb 9, 202530 min

AI Cheese, CISA, Scaryware, Kimsuky Returns, Backups, Encryption, Jason Wood... - SWN #449

AI Cheese, CISA, Scaryware, Kimsuky Returns, Backups, Encryption, Jason Wood, and More, on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-449

Feb 7, 202535 min

Deepseek, AMD, and Forgotten Buckets - PSW #860

Deepseek troubles, AI models explained, AMD CPU microcode signature validation, what happens when you leave an AWS S3 bucket laying around, 3D printing tips, and the malware that never was on Ethernet to USB adapters. Show Notes: https://securityweekly.com/psw-860

Feb 6, 20252h 6m

C-Suite Cybersecurity Responsibilities, Humble Leaders, and Effective Communication - BSW #381

In the leadership and communications segment, Cybersecurity Responsibilities Across the C-Suite: A Breakdown for Every Executive, Humble Leaders Inspire Others to Step Up, Effective Communication in the Workplace, and more! Show Notes: https://securityweekly.com/bsw-381

Feb 5, 202529 min

Enforcement of the Digital Operational Resilience Act (DORA) - Madelein van der Hout - BSW #381

From online banking to mobile payments, nearly every aspect of our financial lives relies on digital systems. This reliance has brought incredible convenience, but it also means that any disruption — whether due to cyberattacks, system failures, or operational incidents— can have severe consequences. The Digital Operational Resilience Act (DORA) provides the framework to ensure that financial entities have robust measures to withstand and recover from disruptions. By addressing vulnerabilities in this highly digitized ecosystem, DORA not only protects financial institutions but also safeguards the stability and well-being of the European society as a whole. Madelein van der Hout, Senior Analyst at Forrester, joins Business Security Weekly to discuss why DORA is important, how prepared financial institutions are, the consequences of failing to comply, and the impact these regulations will have outside of the EU, including fines up to 2% of global annual turnover or €10 million—whichever is higher. Show Notes: https://securityweekly.com/bsw-381

Feb 5, 202532 min

DeepSeek, Nicolas Cage, OpenAI, Hackers, Ransomware, Canada, Joshua Marpet and More - SWN #448

Today, we've got: DeepSeek, Nicolas Cage, OpenAI, Hackers, Ransomware, Canada, Joshua Marpet and More, on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-448

Feb 4, 202529 min

New SLAP & FLOP Attacks, OCSP Fades Away, DeepSeek's ClickHouse, OAuth 2.0 Security - ASW #316

Speculative data flow attacks demonstrated against Apple chips with SLAP and FLOP, the design and implementation choices that led to OCSP's demise, an appsec angle on AI, updating the threat model and recommendations for implementing OAuth 2.0, and more! Show Notes: https://securityweekly.com/asw-316

Feb 4, 202534 min

Threat Modeling That Helps the Business - Sandy Carielli, Akira Brand - ASW #316

Threat modeling has been in the appsec toolbox for decades. But it hasn't always been used and it hasn't always been useful. Sandy Carielli shares what she's learned from talking to orgs about what's been successful, and what's failed, when they've approached this practice. Akira Brand joins to talk about her direct experience with building threat models with developers. Show Notes: https://securityweekly.com/asw-316

Feb 4, 202536 min

Semgrep non-drama, Facebook hates Linux - Vulns in Cars, Cell Towers, M365, and more - ESW #392

This week in the enterprise security weekly news, we discuss funding and acquisitions Understanding the Semgrep license drama Ridiculous vulnerabilities everywhere: vulns to take down your entire city's cell service vulns to mess with your Subarus vulns in Microsoft 365 authentication cybersecurity regulations are worthless Facebook is banning people for mentioning Linux Vigilantes on Github Mastercard DNS error Qubes OS Turning a "No" into a conversation All that and more, on this episode of Enterprise Security Weekly! Show Notes: https://securityweekly.com/esw-392

Feb 3, 202556 min

Special Breaking AI News - there's too much AI news, can we please stop - ESW #392

This week, we've added an extra news segment just on AI. Not because we wanted to, but because the news cycle has bludgeoned us into it. My mom is asking about Chinese AI, my neighbor wants to know why his stocks tanked, my clients want to know how to prevent their employees from using DeepSeek, it's a mess. First, a DeepSeek primer, so we can make sure all Enterprise Security Weekly listeners know what they need to know. Then we get into some other AI news stories. DeepSeek Primer I think the most interesting aspect of the DeepSeek announcements is the business/market impact, which isn't really security-related, but could have some impact on security teams. By introducing models that are cheaper to train, sell access to, and less demanding to run on systems, DeepSeek has opened up more market opportunities. That means we'll see generative AI used in markets and ways that didn't make sense before, because it was too expensive. Another aspect that's really confusing is what DeepSeek is or does. For the most part, when someone says "DeepSeek", they could be referring to: the company the open source models released by the company the SaaS service (https://chat.deepseek.com) the mobile app (which is effectively just a front end for #3) the API (which is what the mobile app and SaaS service are built on top of) From a security perspective, there's little to no operational risk around downloading and using the models, though they're likely to get banned, so companies could get in trouble for using them. As for the app, API, or SaaS service, assume everything you type into them is getting collected by China (so, significantly less safe, probably no US companies should do this). But because these services are crazy cheap right now, I wouldn't be surprised if some suppliers and third parties will start using DeepSeek - if your third party service provider is using DeepSeek behind the scenes with your data, you still have problem #2, so best to ensure they're not doing this through updated contract language and call to confirm that they're not currently doing it (can take a while to get a new contract in place). Show Notes: https://securityweekly.com/esw-392

Feb 3, 202541 min

The Growth of Women in Cybersecurity Has Slowed - Why, and What Can We Do About It? - Lynn Dohm - ESW #392

Celebrating and Elevating Women in Cyber: Recently, International Women in Cyber Day (September 1) highlighted the ongoing challenges women face in the cybersecurity field, as well as the progress made in recent years. Women bring exceptional skills and knowledge to cybersecurity; however, it is estimated that they make up only 20% to 25% of the cybersecurity workforce—a percentage that has remained stagnant for years. Even more concerning, women often hit a glass ceiling just six to ten years into their cybersecurity careers. Lynn Dohm sheds light on these issues and emphasizes what the industry needs to focus on to continue celebrating and elevating women in cyber. Segment Resources: 2023 State of Inclusion Benchmark in Cybersecurity 2024 Cyber Talent Study by N2K and WiCyS WiCyS Programs Show Notes: https://securityweekly.com/esw-392

Feb 2, 202533 min

.ASS, Deepseek, AI Time Travel, Google, HeartBlocker, TikTok, Aaran Leyland, and More - SWN #447

.ASS, Deepseek, AI Time Travel, Google, HeartBlocker, TikTok, Aaran Leyland, and More, on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-447

Jan 31, 202532 min

Cred Vaults, Cheap AI, and Hacking Devices - PSW #859

This week, we talked to our friends at Bitwarden about password vaults, storing more than just passwords, free software to manage those SSH keys, and vaults for developers. In the news, new/old Palo Alto vulnerabilities explained, taking down the power grid with a FlipperZero, more vulnerable bootloaders, putting garbage in your .ASS file, the US Government wants to look at routers, magic backdoors, weak password hashing, everyone is talking about Deepseek, hardware-level Anti-Virus, VMware ESXi and SSH, and if you pay the ransom you likely will not get your data back! This segment is sponsored by Bitwarden. Visit https://securityweekly.com/bitwarden to learn more about them! Show Notes: https://securityweekly.com/psw-859

Jan 30, 20252h 5m

The CISO Role Elevates, Boosts, Rises, and Evolves - BSW #380

In the leadership and communications segment, How CISOs can elevate cybersecurity in boardroom discussions, Nearly half of CISOs now report to CEOs, showing their rising influence, Steve Jobs Shared 1 Crystal Clear Way You'll Spot an Exceptional Leader, and more! Show Notes: https://securityweekly.com/bsw-380

Jan 29, 202522 min

AI in 2025: The Shifting Regulatory Landscape For Artificial Intelligence - BSW #380

The last five weeks have seen a flurry of news on Artificial Intelligence, especially this last week. It started on December 17, 2024 when the Bipartisan House Task Force on Artificial Intelligence (AI) released a report on "[g]uiding principles, forward-looking recommendations, and policy proposals to ensure America continues to lead the world in responsible AI innovation." Then a new administration, which: revoked more than 50 prior executive orders, including Executive Order 14110 of October 30, 2023 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence). announced a private-sector $500 billion investment in AI infrastructure tasked federal agencies with drafting a new AI action plan within 180 days signed an executive order on developing artificial intelligence 'free from ideological bias' The Business Security Weekly crew tries to make sense of it all. Show Notes: https://securityweekly.com/bsw-380

Jan 29, 202521 min

DeepSeek, AIDs, Sex Crime, Microsoft, PayPal, GitHub, Joshua Marpet and More - SWN #446

DeepSeek, AIDs, Sex Crime, Microsoft, PayPal, GitHub, Joshua Marpet and More, on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-446

Jan 28, 202529 min

Opengrep & Semgrep, Hacking Subarus, Hacking Synths, Stealing Cookies, and RANsacked - ASW #315

An open source security project forks in response to license changes (and an echo of how we've been here before), car hacking via spectacularly insecure web apps, hacking a synth via spectacularly cool MIDI messages, cookie parsing problems, the RANsacked paper of 100+ LTE/5G vulns found from fuzzing, and more! Show Notes: https://securityweekly.com/asw-315

Jan 28, 202534 min

Security the AI SDLC - Niv Braun - ASW #315

A lot of AI security boils down to the boring, but important, software security topics that appsec teams have been dealing with for decades. Niv Braun explains the distinctions between AI-related and AI-specific security as we avoid the FUD and hype of genAI to figure out where appsec teams can invest their time. He notes that data scientists have been working with ML and sensitive data sets for a long time, and it's good to have more scrutiny on what controls should be present to protect that data. This segment is sponsored by Noma Security. Visit https://securityweekly.com/noma to learn more about them! Show Notes: https://securityweekly.com/asw-315

Jan 28, 202533 min

IPOs are back, AI jumps the shark, NGFWs have some serious security issues - ESW #391

In this week's enterprise security news, the first cybersecurity IPO in 3.5 years! new companies new tools the fate of CISA and the cyber safety review board things we learned about AI in 2024 is the humanless SOC possible? NGFWs have some surprising vulnerabilities what did generative music sound like in 1996? All that and more, on this episode of Enterprise Security Weekly. Show Notes: https://securityweekly.com/esw-391

Jan 27, 20251h 1m

Guiding an Open Source-Based Business Through Troubled Times - Francis Dinha - ESW #391

This interview is a bit different from our norm. We talk to the founder and CEO of OpenVPN about what it is like to operate a business based on open source, particularly through trying times like the recent pandemic. How do you compete when your competitors are free to build products using your software and IP? It seems like an oxymoron, but an open source-based business actually has some significant advantages over the closed source commercial approach. Show Notes: https://securityweekly.com/esw-391

Jan 27, 202532 min

AI Red Teaming Comes to Bug Bounties - Michiel Prins - ESW #391

HackerOne's co-founder, Michiel Prins walks us through the latest new offensive security service: AI red teaming. At the same time enterprises are globally trying to figure out how to QA and red team generative AI models like LLMs, early adopters are challenged to scale these tests. Crowdsourced bug bounty platforms are a natural place to turn for assistance with scaling this work, though, as we'll discuss on this episode, it is unlike anything bug hunters have ever tackled before. Segment Resources: https://www.hackerone.com/ai/snap-ai-red-teaming https://www.hackerone.com/thought-leadership/ai-safety-red-teaming Show Notes: https://securityweekly.com/esw-391

Jan 26, 202533 min

Cursive Funk, Microsoft, Ivanti, Sonic Wall, Exchange, PowerSchool, Aaran Leyland... - SWN #445

Cursive Funk, Microsoft, Ivanti, Sonic Wall, Exchange, PowerSchool, Aaran Leyland, and More, on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-445

Jan 24, 202532 min

Vulnerability Prioritization In The Real World - PSW #858

Andy Jaquith joins us to discuss how to prioritize vulnerabilities and remmediation in the real-world, including asset management and more! In the security news: ESP32s in the wild and security, Google oAuth flaw, DDoS targets, Ban on auto components, Bambu firmware updates, Silk Road founder is free, one last cybersecurity executive order, US Treasury hack update, Mitre launches a new program to deal with naming things, and educational content on Pornhub? (not what you think, its SFW!) Show Notes: https://securityweekly.com/psw-858

Jan 23, 20252h 19m

The Future Of The CISO - Part 2 - Jess Burn, Jeff Pollard - BSW #379

Jeff Pollard, Vice-President, Principal Analyst on the Security and Risk Team, and Jess Burn, Principal Analyst, both from Forrester Research join Business Security Weekly to discuss the second part of The Future Of The CISO report. What if you don't like the future of the CISO role and want to get out? The report also provides guidance on what comes after the CISO role, as leaders contemplate the next step in their career. If you think it's a board role, you better know what skills are needed, as cybersecurity by itself is not enough. Join in for part 2. Show Notes: https://securityweekly.com/bsw-379

Jan 22, 202527 min

The Future Of The CISO - Part 1 - Jess Burn, Jeff Pollard - BSW #379

Becoming a CISO is a lofty goal for many security and risk pros, and the role brings new sets of challenges. CISOs who accept the wrong opportunities will be forced to conform, rather than excel, and take on outsized liability for the scope of responsibilities. Jeff Pollard, Vice-President, Principal Analyst on the Security and Risk Team, and Jess Burn, Principal Analyst, both from Forrester Research join Business Security Weekly to discuss The Future Of The CISO report. This report outlines the six most common types of CISOs based on Forrester Research and interactions with security leaders, including the characteristics and competencies of each type. This report helps security leaders define who they are, their values, and optimal situations for their skill set. Show Notes: https://securityweekly.com/bsw-379

Jan 22, 202532 min

Smishing, Microsoft, Star Blizzard, Sneaky Log, VMARE, Josh Marpet, and more... - SWN #444

Smishing, Microsoft, Star Blizzard, Sneaky Log, VMARE, Josh Marpet, and more on the Security Weekly News. Show Notes: https://securityweekly.com/swn-444

Jan 21, 202534 min

Appsec Predictions for 2025 - Cody Scott - ASW #314

What's in store for appsec in 2025? Sure, there'll be some XSS and SQL injection, but what about trends that might influence how appsec teams plan? Cody Scott shares five cybersecurity and privacy predictions and we take a deep dive into three of them. We talk about finding value to appsec from AI, why IoT and OT need both programmatic and technical changes, and what the implications of the next XZ Utils attack might be. Segment resources: https://www.forrester.com/blogs/predictions-2025-cybersecurity-risk-privacy/ Show Notes: https://securityweekly.com/asw-314

Jan 21, 202552 min

Enterprise News - ESW #390

This week in the enterprise news - Cymulate acquires CYNC Secure, Tidal Cyber acquires Zero-Shot, Amazon ransomware attack, and more! Show Notes: https://securityweekly.com/esw-390

Jan 20, 202557 min

50,000 critical exposures + one of the most vulnerable IT environments: our schools - Kiran Chinnagangannagari, Jeff Smith - ESW #390

I've been so excited to see the external attack surface management (EASM) market take off in the past few years. This market category focuses exclusively on security issues exposed to the public Internet - issues ANYONE can see. All organizations have exposure management problems, but industries that are traditionally underfunded when it comes to cybersecurity and IT are particularly worse off. We see breaches in these industries every day - industries like manufacturing, healthcare, and education. Of course, exposure issues don't stop at the network boundary - all organizations have internal exposures to worry about as well. With all the breaches we see every week, we've become somewhat desensitized to them. Is it possible to address even just the most critical exposures (a fraction of 1% of all vulnerabilities) in one of the most underfunded industries? In this episode, we dive into how a small school system in New Mexico took on this challenge. Show Notes: https://securityweekly.com/esw-390

Jan 20, 202533 min

The Next Era of Data Security: AI, Cloud, & Compliance - Dimitri Sirota - ESW #390

Today's data landscape is undergoing a seismic shift with increasing regulatory pressures, rapid acceleration to the cloud, and AI adoption. Join BigID's CEO and Co-Founder, Dimitri Sirota, to learn how organizations can adopt a holistic approach to their data security and compliance strategy to keep up with the revolution in data, transforming their data into a competitive advantage. This segment is sponsored by BigID! Start protecting your sensitive data wherever your data lives at https://securityweekly.com/bigid. Show Notes: https://securityweekly.com/esw-390

Jan 19, 202532 min

AIs in Love, UEFI, Fortinet, Godaddy, Juggalos, Aaran Leyland, and More. - SWN #443

AIs in Love, UEFI, Fortinet, Godaddy, Juggalos, Aaran Leyland, and More. In this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-443

Jan 17, 202539 min

Stopping The Bad Things - PSW #857

Rob from ThreatLocker comes on the show to talk about how we can disrupt attacker techniques, including Zero Trust, privilege escalation, LOLbins, and evil virtualization. In the news we talk about security appliances and vulnerabilities, rsync vulnerabilities, Shmoocon, hacking devices, and more! This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them! Show Notes: https://securityweekly.com/psw-857

Jan 17, 20252h 33m

Boards Stepping Up, as CISOs Build Stronger Bonds with Legal and Safeguard Leadership - BSW #378

In the leadership and communications segment, New Year, New Cyber Threats: How Boards Are Stepping Up (or Not), Why CISOs should build stronger bonds with the legal function in 2025, New Managers: You Don't Need to Know It All, and more! Show Notes: https://securityweekly.com/bsw-378

Jan 15, 202536 min

Smishing, Beyond Trust, CryptoReligion, Aviatrix, Azure, Josh Marpet, and more... - SWN #442

Smishing, Beyond Trust, CryptoReligion, Aviatrix, Azure, Little Red Books, AI Abuse, Josh Marpet, and more on the Security Weekly News. Show Notes: https://securityweekly.com/swn-442

Jan 14, 202539 min

PyPI's Quarantine, Phishing & Awareness, Porting Fishshell to Rust, Cyber Trust Mark - ASW #313

Design lessons from PyPI's Quarantine capability, effective ways for appsec to approach phishing, why fishshell is moving to Rust component by component (and why that's a good thing!), what behaviors the Cyber Trust Mark might influence, and more! Show Notes: https://securityweekly.com/asw-313

Jan 14, 202531 min

Discussing Useful Security Requirements with Developers - Ixchel Ruiz - ASW #313

There's a pernicious myth that developers don't care about security. In practice, they care about code quality. What developers don't care for is ambiguous requirements. Ixchel Ruiz shares her experience is discussing software designs, the challenges in prioritizing dev efforts, and how to help open source project maintainers with their issue backlog. Segment resources: https://github.com/ossf/scorecard https://www.commonhaus.org/ https://www.hackergarten.net/ Show Notes: https://securityweekly.com/asw-313

Jan 14, 202536 min

Celebrity investors, creator metrics, and Chrome extension compromise - ESW #389

In this latest Enterprise Security Weekly episode, we explored some significant cybersecurity developments, starting with Veracode's acquisition of Phylum, a company specializing in detecting malicious code in open-source libraries. The acquisition sparked speculation that it might be more about Veracode staying relevant in a rapidly evolving market rather than a strategic growth move, especially given the rising influence of AI-driven code analysis tools. We also covered One Password's acquisition of a UK-based shadow IT detection firm, raising interesting questions about their expansion into access management. Notably, the deal involved celebrity investors like Matthew McConaughey and Ashton Kutcher, suggesting a trend where Hollywood influence intersects with cybersecurity branding. A major highlight was the Cyber Haven breach, where a compromised Chrome extension update led to stolen credentials. The attack was executed through a phishing campaign disguised as a Google policy violation warning. To their credit, Cyber Haven responded swiftly, pulling the extension within two hours and maintaining transparency throughout. This incident underscored broader concerns around the poor security of browser extensions, an issue that continues to be exploited due to lax marketplace oversight. We also reflected on Corey Doctorow's concept of "Enshittification," critiquing platforms that prioritize profit and engagement metrics over genuine user experiences. His decision to disable vanity metrics resonated, especially considering how often engagement numbers are inflated in corporate settings. The episode wrapped with a thoughtful discussion on how CISOs can say "no" more effectively, emphasizing "yes, but" strategies and the importance of consistency. We also debated the usability frustrations of "magic links" for authentication, arguing that simpler alternatives like passkeys or multi-factor codes could offer a better balance between security and convenience. Show Notes: https://securityweekly.com/esw-389

Jan 13, 202554 min

Building a map of hacker history, one conversation at a time - Nathan Sportsman - ESW #389

We're a fan of hacker lore and history here at Security Weekly. In fact, Paul's Security Weekly has interviewed some of the most notable (and notorious) personalities from both the business side of the industry and the hacker community. We're very excited to share this new effort to document hacker history through in-person interviews. The series is called "Where Warlocks Stay Up Late", and is the creation of Nathan Sportsman and other folks at Praetorian. The timing is crucial, as a lot of the original hackers and tech innovators are getting older, and we've already lost a few. References: Check out the Where the Warlocks Stay Up Late website and subscribe to get notified of each episode as it is released Check out the anthropological hacker map and relive your misspent youth! Show Notes: https://securityweekly.com/esw-389

Jan 13, 202531 min

How threat-informed defense benefits each security team member - Frank Duff - ESW #389

We're thrilled to have Frank Duff on to discuss threat-informed defense. As one of the MITRE folks that helped create MITRE ATT&CK and ATT&CK evaluations, Frank has been working on how best to define and communicate attack language for many years now. The company he founded, Tidal Cyber is in a unique position to both leverage what MITRE has built with ATT&CK and help enterprises operationalize it. Segment Resources: Tidal Cyber website Tidal Cyber Community Edition Show Notes: https://securityweekly.com/esw-389

Jan 12, 202534 min