Paul's Security Weekly

Open source software is a massive contribution that provides everything from foundational frameworks to tiny single-purpose libraries. We walk through the dimensions of trust and provenance in the software supply chain with Janet Worthington. And we discuss how even with new code generated by LLMs and new terms like slopsquatting, a lot of the most effective solutions are old techniques. Resources https://www.forrester.com/blogs/make-no-mistake-software-is-a-supply-chain-and-its-under-attack/ https://www.forrester.com/report/the-future-of-software-supply-chain-security/RES184050 Show Notes: https://securityweekly.com/asw-343

Topic Segment - What's new at Black Hat? We're coming live from hacker summer camp 2025, so it seemed appropriate to share what we've seen and heard so far at this year's event. Adrian's on vacation, so this episode is featuring Jackie McGuire and Ayman Elsawah! News Segment Then, in the enterprise security news, Tons of funding! SentinelOne picks up an AI security company weeks after Palo Alto closes the Protect AI deal Vendors shove AI agents into everything they’ve got Why SOC analysts ignore your playbooks NVIDA pinkie swears to China: no back doors! ChatGPT was allowing shared chat sessions to be indexed and crawled by search engines like Google Who is gonna secure all this vibe code? Who is gonna triage all these hallucinated bug reports? Perplexity and Cloudflare duke it out When you try to scrub your shady past off the Internet, it might just make things worse. All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show

This week we have, SonicWall, Confidential Informants Exposed, Cisco Vishing, Perplexity vs robots.txt, Microsoft’s Project Ire, Meta–Flo Jury Verdict, GPT‑5 Lands, TeaOnHer Data Leak, Josh Marpet, and more on the Security Weekly News.. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-501

Why should hate AI When firmware attacks The 300 second breach Old ways still work, AI might help And so begins the crawler wars Turn off your SonicWall VPN Your Pie may be wrapped in PII Attackers will find a way Signed kernel drivers D-Link on the KEV Rasperry PIs attack Stealthy LoRa LLM's don't commit code, people do Jame's Bond style rescue with drones SRAM has no chill In the full view of the public... Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-886

Recent findings of AI ecosystem insecurities and attacks show the importance of needing AI governance in the supply chain. And this supply chain is rapidly expanding to include not only open-source software but also collaborative platforms where custom models, agents, prompts, and other AI resources are used. And with this expansion of third-party AI component and services use comes an expanded security threat often not included in traditional supply chain management processes. It's time to update our supply chain management process to include AI governance. Easier said than done. In this Say Easy, Do Hard segment, we invite three CISOs to discuss the challenges of AI and the supply chain, including: Data privacy concerns Flaws and malicious code in AI dependencies Lack of security tools to test for AI Vibe coding risks and more. But we also do the hard part, by discussing the changes needed to your supply chain management process to address these concerns. Visit https://www.securityweekly.com/bsw for all t

MFA Bypass, SonicWall, BIOS Shade, Sex Toys, FBI Warnings, Claude vs GPT-5, Josh Marpet, and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-500

Maintaining code is a lot more than keeping dependencies up to date. It involved everything from keeping old code running to changing frameworks to even changing implementation languages. Jonathan Schneider talks about the engineering considerations of refactoring and rewriting code, why code maintenance is important to appsec, and how to build confidence that adding automation to a migration results in code that has the same workflows as before. Resources https://docs.openrewrite.org https://github.com/openrewrite Then, instead of our usual news segment, we do a deep dive on some recent vulns NVIDIA's Triton Inference Server disclosed by Trail of Bits' Will Vandevanter. Will talks about the thought process and tools that go into identify potential vulns, the analysis in determining whether they're exploitable, and the disclosure process with vendors. He makes the important point that even if something doesn't turn out to be a vuln, there's still benefit to the learning process and gaining experience in see

The Weekly Enterprise News (segments 1 and 2) This week, we’ve had to make some last minute adjustments, so we’re going to do the news first, split into two segments. This week, we’re discussing: Some interesting funding Two acquisitions - one picked up for $250M, the other slightly larger, at $25 BILLION Interesting new companies! On the 1 year anniversary of that thing that happened, Crowdstrike would like to assure you that they’re REALLY making sure that thing never happens again Flipping the script How researchers rooted Copilot, but not really talks to check out at Hacker Summer Camp detection engineering tips the Cloud Security Alliance has a new AI Controls Matrix sending in the National Guard to handle a breach! and how to read an AI press release Interview: Guillaume Ross on Building Security from Scratch Guillaume shares his experiences building security from scratch at Canadian FinTech, Finaptic. Imagine the situation: you're CISO, and literally NOTHING is in place yet. No policies, no controls,

Pipes, Thorium, Excel, Weird Ports, ATM Hillbilly Cannibal Attack, Lambdas, National Guard, AIs, Aaran Leyland, and More on this episode of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-499

In the security news: Hacking washing machines, good clean fun! Hacking cars via Bluetooth More Bluetooth hacking with Breaktooth Making old vulnerabilities great again: exploiting abandoned hardware Clorox and Cognizant point fingers AI generated Linux malware Attacking Russian airports When user verification data leaks Turns out you CAN steal cars with a Flipper Zero, so we're told The UEFI vulnerabilities - the hits keep coming Hijacking Discord invites The Raspberry PI laptop The new Hack RF One Pro Security appliances still fail to be secure Person Re-Identification via Wi-Fi Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-885

In the leadership and communications section, The CISO code of conduct: Ditch the ego, lead for real, The books shaping today’s cybersecurity leaders, How to Succeed in Your Career When Change Is a Constant, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-406

Popup Porn, LoveSense, Tea, Fire Ant, Scatterede Spider, AI Pricing, Josh Marpet, and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-498

A successful strategy in appsec is to build platforms with defaults and designs that ease the burden of security choices for developers. But there's an important difference between expecting (or requiring!) developers to use a platform and building a platform that developers embrace. Julia Knecht shares her experience in building platforms with an attention to developer needs, developer experience, and security requirements. She brings attention to the product management skills and feedback loops that make paved roads successful -- as well as the areas where developers may still need or choose their own alternatives. After all, the impact of a paved road isn't in its creation, it's in its adoption. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-341

Interview Segment - Lessons Learned from the tj-actions GitHub Action Supply Chain Attack with Dimitri Stiliadis Breach analysis is one of my favorite topics to dive into and I’m thrilled Dimitri is joining us today to reveal some of the insights he’s pulled out of this GitHub Actions incident. It isn’t an overstatement to say that some of the lessons to be learned from this incident represent fundamental changes to how we architect development environments. Why are we talking about it now, 4 months after it occurred? In the case of the Equifax breach, the most useful details about the breach didn’t get released to the public until 18 months after the incident. It takes time for details to come out, but in my experience, the learning opportunities are worth the wait. Topic Segment - Should the US Go on the Cyber Offensive? Triggered by an op-ed from Dave Kennedy, the discussion of whether the US should launch more visible offensive cyber operations starts up again. There are a lot of factors and nuances to

Total Recall, Steam, Storm-2063, Unmarker, Altair, Josh Marpet, and More on this episode of the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-497

We chat with Material Security about protecting G Suite and MS365. How else are you monitoring the most commonly used cloud environments and applications? In the security news: Google Sues Badbox operators Authenticated or Unauthenticated, big difference and my struggle to get LLMs to create exploits for me Ring cameras that were not hacked Malicous AURs Killing solar farms Weak passwords are all it takes Microsoft's UEFI keys are expiring Kali Linux and Raspberry PI Wifi updates Use lots of electricity, get a visit from law enforcement Sharepoint, vulnerabilities, nuclear weapons, and why you should use the cloud The time to next exploit is short Sonicwall devices are getting exploited How not to vibe code SMS blasters This segment is sponsored by Material Security. Visit https://securityweekly.com/materialsecurity to see purpose-built Google Workspace and Office 365 security in action! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-884

How do we get security right? The answer varies by many factors, including industry, what you're trying to protect, and what the C Suite and Board care about. Khaja Ahmed, Advisor at CISO Forum, joins Business Security Weekly to discuss how to get consensus on your security program. CISOs, executives, and the Board need to be aligned on the risks and how best to address them. And it's not technical risks, it's business risks measured by legal or financial impact. Khaja will help guide new and existing CISOs on how to: Work across the business to build consensus Identify and quantify risks in financial and legal terms Design security from the start Be effective as a security leader In the leadership and communications section, Is the C-Suite Right for You?, What Fortune 100s are getting wrong about cybersecurity hiring, Why Communication Is Exhausting in Chaotic Workplaces, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-405

Donatello, SharePoint, CrushFTP, WordPress, Replit, AllaKore, Rob Allen, and more on the Security Weekly News. Segment Resources: https://www.darkreading.com/threat-intelligence/matanbuchus-loader-ransomware-infections This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them! Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-496

AI is more than LLMs. Machine learning algorithms have been part of infosec solutions for a long time. For appsec practitioners, a key concern is always going to be how to evaluate the security of software or a system. In some cases, it doesn't matter if a human or an LLM generated code -- the code needs to be reviewed for common flaws and design problems. But the creation of MCP servers and LLM-based agents is also adding a concern about what an unattended or autonomous piece of software is doing. Sohrob Kazerounian gives us context on how LLMs are designed, what to expect from them, and where they pose risk and reward to modern software engineering. Resources https://www.vectra.ai/research Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-340

Segment 1 - Interview with Helen Patton: Introducing the Cybersecurity Canon Did you know that there’s a hall-of-fame for cybersecurity books? Over the past decade, the Cybersecurity Canon has published reviews on dozens of cybersecurity books and established a hall of fame. Hall of fame books are defined as titles that all cybersecurity professionals should read - a great short list for those new to the field and overwhelmed by choices. Helen Patton, co-founder and Chief of Staff for the Cybersecurity Canon joins us to tell us all about the Canon, how it came to be, and its transformation into a more visible and active organization. We’ll also discuss Helen’s own book, “Navigating the Cybersecurity Career Path”, and an upcoming second book she’s working on as well! Segment Resources: Helen's personal website The Cybersecurity Canon website Segment 2 - Topic: Does the SOC 2 need to die? AJ Yawn thinks so. The TL;DR is that he thinks industry-specific frameworks are more appropriate and effective. You can ch