Interview with Snehal Antani - Rethinking Risk-Based Vulnerability Management

Vulnerability management is broken. Organizations basically use math to turn a crappy list into a slightly less crappy list, and the hardest part of the job as a CIO is deciding what NOT to fix. There has to be a better way, and there is...

Segment Resources:

• https://horizon3.ai/intelligence/blogs/vulnerability-management-is-broken-there-is-a-better-way/

This segment is sponsored by Horizon3.ai. Visit https://securityweekly.com/horizon3 to learn more about them!

Topic - Andy Ellis's Black Hat Expo Experience

Andy Ellis visited every booth at Black Hat. Every. Single. One. He wrote up what he learned and we discuss his findings!

https://www.duha.co/state-of-security-vendors-blackhat-2025/

News

Finally, in the enterprise security news,

1. Tons of handy new and free tools!
2. is cybersecurity really at the latter stages of consolidation?
3. new books
4. is our obsession with risk quantification hurting our credibility?
5. AI trends
6. is there an impending AI layoff-pocalypse?
7. we explain the kids’ favorite new term: Clanker

All that and more, on this episode of Enterprise Security Weekly.

Show Notes: https://securityweekly.com/esw-420

Creepy chatbots, Fortinet, CISA, Agentic AI, FIDO, EDR, Aaran Leyland, and More on this episode of the Security Weekly News.

Show Notes: https://securityweekly.com/swn-503

We kick things off with a deep dive into the Hackberry PI and how to build one. Then in the security news:

• Will Perplexity buy Chrome?
• ESP32 Bus Pirates
• Poisoned telemetry
• Docker image security
• Fully Open Source Quantum Sensors
• Securing your car, Flippers, and show me the money
• Bringing your printer and desktop to Starbucks
• Paying a ransom? You need approval
• AI: Shield or Spear?
• No authentication? That's a problem
• Transient Bugs: A realistic threat?
• You can run Linux
• And who still uses AOL dial-up?

Show Notes: https://securityweekly.com/psw-887

As brands grow more digital, the threats grow more personal. Attackers impersonate executives, spin up fake websites, and leak sensitive data — hurting business reputations and breaking customer trust. How do you defend your organization's reputation and customers' trust?

Santosh Nair, Co-Founder and CTO at Styx Intelligence, joins Business Security Weekly to discuss how to defend trust and reputation in the age of AI. Santosh will cover both the company and executive challenges of defending against the latest AI attacks, including:

• Impersonations and Deepfakes
• Employee Scams
• Financial Fraud

Segment Resources: - https://styxintel.com/blog/what-is-brand-protection/ - https://styxintel.com/blog/brand-impersonation-hurts-business/ - https://styxintel.com/blog/social-engineering-tactics/

In the leadership and communications section, Mind the overconfidence gap: CISOs and staff don’t see eye to eye on security posture, Your AI Strategy Needs More Than a Single Leader, Avoid These Communication Breakdowns When Launching Strategic Initiatives, and more!

Show Notes: https://securityweekly.com/bsw-408

300 Baud, Buddy Hackett Nudes, Dell, badUSB, Exchange, Erlang/OTP, Josh Marpet, and more on the Security Weekly News.

Show Notes: https://securityweekly.com/swn-502

Open source software is a massive contribution that provides everything from foundational frameworks to tiny single-purpose libraries. We walk through the dimensions of trust and provenance in the software supply chain with Janet Worthington. And we discuss how even with new code generated by LLMs and new terms like slopsquatting, a lot of the most effective solutions are old techniques.

Resources

• https://www.forrester.com/blogs/make-no-mistake-software-is-a-supply-chain-and-its-under-attack/
• https://www.forrester.com/report/the-future-of-software-supply-chain-security/RES184050

Show Notes: https://securityweekly.com/asw-343

Topic Segment - What's new at Black Hat?

We're coming live from hacker summer camp 2025, so it seemed appropriate to share what we've seen and heard so far at this year's event. Adrian's on vacation, so this episode is featuring Jackie McGuire and Ayman Elsawah!

News Segment

Then, in the enterprise security news,

1. Tons of funding!
2. SentinelOne picks up an AI security company weeks after Palo Alto closes the Protect AI deal
3. Vendors shove AI agents into everything they’ve got
4. Why SOC analysts ignore your playbooks
5. NVIDA pinkie swears to China: no back doors!
6. ChatGPT was allowing shared chat sessions to be indexed and crawled by search engines like Google
7. Who is gonna secure all this vibe code?
8. Who is gonna triage all these hallucinated bug reports?
9. Perplexity and Cloudflare duke it out
10. When you try to scrub your shady past off the Internet, it might just make things worse.

All that and more, on this episode of Enterprise Security Weekly.

Show Notes: https://securityweekly.com/esw-419

Hello and welcome to security weekly news, episode 501, on Aug 8, 2025.

This week we have, SonicWall, Confidential Informants Exposed, Cisco Vishing, Perplexity vs robots.txt, Microsoft’s Project Ire, Meta–Flo Jury Verdict, GPT‑5 Lands, TeaOnHer Data Leak, Josh Marpet, and more on the Security Weekly News..

Show Notes: https://securityweekly.com/swn-501

• Why should hate AI
• When firmware attacks
• The 300 second breach
• Old ways still work, AI might help
• And so begins the crawler wars
• Turn off your SonicWall VPN
• Your Pie may be wrapped in PII
• Attackers will find a way
• Signed kernel drivers
• D-Link on the KEV
• Rasperry PIs attack
• Stealthy LoRa
• LLM's don't commit code, people do
• Jame's Bond style rescue with drones
• SRAM has no chill
• In the full view of the public...

Show Notes: https://securityweekly.com/psw-886

Recent findings of AI ecosystem insecurities and attacks show the importance of needing AI governance in the supply chain. And this supply chain is rapidly expanding to include not only open-source software but also collaborative platforms where custom models, agents, prompts, and other AI resources are used. And with this expansion of third-party AI component and services use comes an expanded security threat often not included in traditional supply chain management processes. It's time to update our supply chain management process to include AI governance. Easier said than done.

In this Say Easy, Do Hard segment, we invite three CISOs to discuss the challenges of AI and the supply chain, including:

• Data privacy concerns
• Flaws and malicious code in AI dependencies
• Lack of security tools to test for AI
• Vibe coding risks

and more. But we also do the hard part, by discussing the changes needed to your supply chain management process to address these concerns.

Show Notes: https://securityweekly.com/bsw-407

MFA Bypass, SonicWall, BIOS Shade, Sex Toys, FBI Warnings, Claude vs GPT-5, Josh Marpet, and more on the Security Weekly News.

Show Notes: https://securityweekly.com/swn-500

Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build confidence that adding automation to a migration results in code that has the same workflows as before.

Resources

• https://docs.openrewrite.org
• https://github.com/openrewrite

Then, instead of our usual news segment, we do a deep dive on some recent vulns NVIDIA's Triton Inference Server disclosed by Trail of Bits' Will Vandevanter. Will talks about the thought process and tools that go into identify potential vulns, the analysis in determining whether they're exploitable, and the disclosure process with vendors. He makes the important point that even if something doesn't turn out to be a vuln, there's still benefit to the learning process and gaining experience in seeing the different ways that devs design software. Of course, it's also more fun when you find an exploitable vuln -- which Will did here!

Resources

• https://nvidia.custhelp.com/app/answers/detail/a_id/5687
• https://github.com/triton-inference-server/server
• https://blog.trailofbits.com/2025/07/31/hijacking-multi-agent-systems-in-your-pajamas/
• https://blog.trailofbits.com/2025/07/28/we-built-the-security-layer-mcp-always-needed/

Show Notes: https://securityweekly.com/asw-342

The Weekly Enterprise News (segments 1 and 2)

This week, we’ve had to make some last minute adjustments, so we’re going to do the news first, split into two segments.

This week, we’re discussing:

1. Some interesting funding
2. Two acquisitions - one picked up for $250M, the other slightly larger, at $25 BILLION
3. Interesting new companies!
4. On the 1 year anniversary of that thing that happened, Crowdstrike would like to assure you that they’re REALLY making sure that thing never happens again
5. Flipping the script
6. How researchers rooted Copilot, but not really
7. talks to check out at Hacker Summer Camp
8. detection engineering tips
9. the Cloud Security Alliance has a new AI Controls Matrix
10. sending in the National Guard to handle a breach!
11. and how to read an AI press release

Interview: Guillaume Ross on Building Security from Scratch

Guillaume shares his experiences building security from scratch at Canadian FinTech, Finaptic. Imagine the situation: you're CISO, and literally NOTHING is in place yet. No policies, no controls, no GRC processes. Where do you start? What do you do first? Are there things you can get away with that would be impossible in older, well-established financial firms?

Show Notes: https://securityweekly.com/esw-418

Pipes, Thorium, Excel, Weird Ports, ATM Hillbilly Cannibal Attack, Lambdas, National Guard, AIs, Aaran Leyland, and More on this episode of the Security Weekly News.

Show Notes: https://securityweekly.com/swn-499

In the security news:

• Hacking washing machines, good clean fun!
• Hacking cars via Bluetooth
• More Bluetooth hacking with Breaktooth
• Making old vulnerabilities great again: exploiting abandoned hardware
• Clorox and Cognizant point fingers
• AI generated Linux malware
• Attacking Russian airports
• When user verification data leaks
• Turns out you CAN steal cars with a Flipper Zero, so we're told
• The UEFI vulnerabilities - the hits keep coming
• Hijacking Discord invites
• The Raspberry PI laptop
• The new Hack RF One Pro
• Security appliances still fail to be secure
• Person Re-Identification via Wi-Fi

Show Notes: https://securityweekly.com/psw-885

Popup Porn, LoveSense, Tea, Fire Ant, Scatterede Spider, AI Pricing, Josh Marpet, and more on the Security Weekly News.

Show Notes: https://securityweekly.com/swn-498

A successful strategy in appsec is to build platforms with defaults and designs that ease the burden of security choices for developers. But there's an important difference between expecting (or requiring!) developers to use a platform and building a platform that developers embrace. Julia Knecht shares her experience in building platforms with an attention to developer needs, developer experience, and security requirements. She brings attention to the product management skills and feedback loops that make paved roads successful -- as well as the areas where developers may still need or choose their own alternatives. After all, the impact of a paved road isn't in its creation, it's in its adoption.

Show Notes: https://securityweekly.com/asw-341

Interview Segment - Lessons Learned from the tj-actions GitHub Action Supply Chain Attack with Dimitri Stiliadis

Breach analysis is one of my favorite topics to dive into and I’m thrilled Dimitri is joining us today to reveal some of the insights he’s pulled out of this GitHub Actions incident. It isn’t an overstatement to say that some of the lessons to be learned from this incident represent fundamental changes to how we architect development environments.

Why are we talking about it now, 4 months after it occurred? In the case of the Equifax breach, the most useful details about the breach didn’t get released to the public until 18 months after the incident. It takes time for details to come out, but in my experience, the learning opportunities are worth the wait.

Topic Segment - Should the US Go on the Cyber Offensive?

Triggered by an op-ed from Dave Kennedy, the discussion of whether the US should launch more visible offensive cyber operations starts up again. There are a lot of factors and nuances to discuss here, and a lot of us have opinions here. We'll see if we can do any of it justice in 15 minutes.

News Segment

Finally, in the enterprise security news,

1. We discuss the latest fundings
2. a few acquisitions
3. a vibe coding campfire story
4. how to hack AI agents
5. zero-days in AI coding apps
6. more AI zero days
7. why Ivanti vulns are still alive and well in Japan
8. how wiper commands made their way into Amazon’s AI coding agent
9. it seems like vulnerabilities and AI are pairing up in this week’s news stories!

All that and more, on this episode of Enterprise Security Weekly.

Show Notes: https://securityweekly.com/esw-417

Total Recall, Steam, Storm-2063, Unmarker, Altair, Josh Marpet, and More on this episode of the Security Weekly News.

Show Notes: https://securityweekly.com/swn-497

We chat with Material Security about protecting G Suite and MS365. How else are you monitoring the most commonly used cloud environments and applications?

In the security news:

• Google Sues Badbox operators
• Authenticated or Unauthenticated, big difference and my struggle to get LLMs to create exploits for me
• Ring cameras that were not hacked
• Malicous AURs
• Killing solar farms
• Weak passwords are all it takes
• Microsoft's UEFI keys are expiring
• Kali Linux and Raspberry PI Wifi updates
• Use lots of electricity, get a visit from law enforcement
• Sharepoint, vulnerabilities, nuclear weapons, and why you should use the cloud
• The time to next exploit is short
• Sonicwall devices are getting exploited
• How not to vibe code
• SMS blasters

This segment is sponsored by Material Security. Visit https://securityweekly.com/materialsecurity to see purpose-built Google Workspace and Office 365 security in action!

Show Notes: https://securityweekly.com/psw-884

How do we get security right? The answer varies by many factors, including industry, what you're trying to protect, and what the C Suite and Board care about.

Khaja Ahmed, Advisor at CISO Forum, joins Business Security Weekly to discuss how to get consensus on your security program. CISOs, executives, and the Board need to be aligned on the risks and how best to address them. And it's not technical risks, it's business risks measured by legal or financial impact. Khaja will help guide new and existing CISOs on how to:

• Work across the business to build consensus
• Identify and quantify risks in financial and legal terms
• Design security from the start
• Be effective as a security leader

In the leadership and communications section, Is the C-Suite Right for You?, What Fortune 100s are getting wrong about cybersecurity hiring, Why Communication Is Exhausting in Chaotic Workplaces, and more!

Show Notes: https://securityweekly.com/bsw-405

Donatello, SharePoint, CrushFTP, WordPress, Replit, AllaKore, Rob Allen, and more on the Security Weekly News.

Segment Resources: https://www.darkreading.com/threat-intelligence/matanbuchus-loader-ransomware-infections

This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!

Show Notes: https://securityweekly.com/swn-496

AI is more than LLMs. Machine learning algorithms have been part of infosec solutions for a long time. For appsec practitioners, a key concern is always going to be how to evaluate the security of software or a system. In some cases, it doesn't matter if a human or an LLM generated code -- the code needs to be reviewed for common flaws and design problems. But the creation of MCP servers and LLM-based agents is also adding a concern about what an unattended or autonomous piece of software is doing.

Sohrob Kazerounian gives us context on how LLMs are designed, what to expect from them, and where they pose risk and reward to modern software engineering.

Resources

• https://www.vectra.ai/research

Show Notes: https://securityweekly.com/asw-340

Existential Dread and Seawater, MCP, Cloudflare, ESxi, QR Codes, Salt Typhoon, Aaran Leyland, and More on this episode of the Security Weekly News.

Show Notes: https://securityweekly.com/swn-495