Security Weekly Podcast Network (Audio)

Security metrics often fail because they measure activity rather than actual risk, often failing to connect with business impact, making them difficult to explain to boards and executives. How do you build efffective metrics that are actionable, contextual, and valuable?

Ben Wilcox, CTO & CISO at ProArch, joins Business Security Weekly to help us speak the language of the board. Ben will cover how to develop measurable, strategic, ...

What happens when secure coding guidance goes stale? What happens LLMs write code from scratch? Mark Curphy walks us through his experience updating documentation for writing secure code in Go and recreating one of his own startups.

One of the themes of this conversation is how important documentation is, whether it's intended for humans or for prompts to LLMs. Importantly, LLMs don't innovate on their own -- they rely on the data ...

Interview with Jeremy Snyder from FireTail about AI Governance

Death by a thousand cuts: the AI shadow IT problem

I think the best description of the AI governance problem during this interview was the title of the award-winning movie, Everything, Everywhere, All At Once. Generative AI has been disrupting businesses, products, and vendor risk management for a few years now. FireTail is one of the companies trying to addres...

This episode is all about trust getting abused at scale.

We start with Chinese-nexus operators pivoting fast onto Qatar using conflict lures and familiar tradecraft.

Then we hit banking, because they deserve it: Lloyds, Halifax, and Bank of Scotland customers seeing other people’s transactions in-app, a straight confidentiality failure, not “someone hacked my phone”.

From there it’s the Middle East conflict exposing what “cloud res...

In the security news this week:

• The XZ backdoor documentary
• Zero days - the clock isn't ticking
• Vulnerability Mis-Management
• Reversing traffic light controllers
• Reversing with Claude
• Don't curl to bash!
• Reading CVEs makes my head hurt
• Dumping browser secrets
• I open-sourced a new(ish) tool
• D-LINK exploits
• There is no password
• I control the building
• When old vulnerabilities become new
• Tile is for stalkers
• Hacking AI
• Iran War: Wh...

AI has created a dilemma for security teams. Attackers are using AI to develop exploits to newly disclosed vulnerabilities faster than security teams can patch them. Security teams have not fully leveraged the capabilities of AI to autonomously prevent these attacks. Without a radical change in approach, organizations will be exposed to an exponentially increasing attack surface. How long can your organization tolerate being exploi...

Medical devices are a special segment of the IoT world where availability and patient safety are paramount. Tamil Mathi explains why many devices need to fail open -- the opposite of what traditional appsec approaches might initially think -- and what makes threat modeling these devices interesting and unique. He also covers how to get started in this space, from where to learn hardware hacking basics to reviewing firmware and movi...

Interview with Anna Pham

Breaking in with ClickFix: Anatomy of a modern endpoint attack

Cybersecurity company Huntress just published a report on a new ClickFix variant they’ve discovered, which they’ve dubbed CrashFix. This technique was developed by KongTuke to serve as the primary lure within a new custom malicious browser extension also created by the group.

In short, the team observed the threat actors using KongTuke’...

In the security news this week:

• Remembering "FX"
• Finding and analyzing Windows drivers
• Network monitoring with Gibson
• the backdoor in your PAM
• The edge is fraying - and attackers have the advantage
• Age verification for Linux?
• Banning AI
• TPMS tracking
• BLE tracking
• weird strings
• Airsnitch
• RESURGE in and on Ivanti
• Attackers using Claude
• Government iPhone hacking kits
• Cisco SD-WAN, Linux, and 2023
• Leakbase leaks
• and Bro, upgrade y...

With the introduction of Agentic AI, autonomous "everything" is all the rage. But we've been burned by automation in the past. Remember the days of Intrusion Prevention Systems and why we never put them into blocking mode? Automation may be the future of security and IT operations, but the path to autonomous "everything" must be earned. How do you build autonomous capabilities with confidence and trust?

Tim Morris, Financial Servic...

As more developers turn to LLMs to generate code, more appsec teams are turning to LLMs to conduct security code reviews. One of the biggest themes in all the discussion around LLMs, agents, and code is speed -- more code created faster. James Wickett shares why speed continues to pose a challenge to appsec teams and why that's often because teams haven't invested enough in foundational appsec principles.

Visit https://www.security...

Interview - Ben Worthy from Airbus Protect

The current state of OT security and business resilience

In this episode of Enterprise Security Weekly, we sit down with Ben Worthy, OT Security Specialist at Airbus Protect, to explore the evolving landscape of business resilience in safety-critical sectors. With over 25 years of experience across aerospace, nuclear, water, oil & gas, and other industries, Ben shares insights on ...

First up is a technical segment called "Paul's Linux Hacks". I finally got around to releasing a bunch of scripts and tutorials for Linux that I've created over the years. We'll go over scripts that can give you a supply chain security report and help you update your Arch-based Linux systems and the tutorial for using Linux KVM/Qemu/Libvirt. Repo is here: https://github.com/pasadoorian/Linux_Hacks

Next up is the security news:

...

Most organizations view security as a cost center, a "check-the-box" expense rather than a strategic investment. This mindset leads to chronic underfunding, reactive, panic-driven decision-making, and high staff turnover. It also hampers innovation, strategic initiatives, and customer trust. What if security was viewed as a business enabler, not a cost center?

Elyse Gunn, CISO at Nasuni, joins Business Security Weekly to discuss ho...