Security Weekly Podcast Network (Video)

Segment 1: David Brauchler on AI attacks and stopping them David Brauchler says AI red teaming has proven that eliminating prompt injection is a lost cause. And many developers inadvertently introduce serious threat vectors into their applications – risks they must later eliminate before they become ingrained across application stacks. NCC Group’s AI security team has surveyed dozens of AI applications, exploited their most common risks, and discovered a set of practical architectural patterns and input validation strategies that completely mitigate natural language injection attacks. David's talk aimed at helping security pros and developers understand how to design/test complex agentic systems and how to model trust flows in agentic environments. He also provided information about what architectural decisions can mitigate prompt injection and other model manipulation risks, even when AI systems are exposed to untrusted sources of data. More about David's Black Hat talk: Video of the talk and accompanying slides: https://www.nccgroup.com/research-blog/when-guardrails-arent-enough-reinventing-agentic-ai-security-with-architectural-controls/ Talk abstract: https://www.blackhat.com/us-25/briefings/schedule/#when-guardrails-arent-enough-reinventing-agentic-ai-security-with-architectural-controls-46112 Slide presentation only: https://i.blackhat.com/BH-USA-25/Presentations/USA-25-Brauchler-When-Guardrails-Arent-Enough.pdf Additional blogs by David about AI security: Analyzing Secure AI Architectures: https://www.nccgroup.com/research-blog/analyzing-secure-ai-architectures/ Analyzing Secure AI Design Principles: https://www.nccgroup.com/research-blog/analyzing-secure-ai-design-principles/ Analyzing AI Application Threat Models: https://www.nccgroup.com/research-blog/analyzing-ai-application-threat-models/ Building Security‑First AI Applications: A Best Practices Guide for CISOs: https://www.nccgroup.com/building-security-first-ai-applications-a-best-practices-guide-for-cisos/ Building Trust by Design for Secure AI Applications: Tips for CISOs: https://www.nccgroup.com/building-trust-by-design-for-secure-ai-applications-tips-for-cisos/ AI and Cyber Security: New Vulnerabilities CISOs Must Address: https://www.nccgroup.com/ai-and-cyber-security-new-vulnerabilities-cisos-must-address/ Segment 2: Should we replace the CIA triad? An op-ed on CSO Online made us think - should we consider the CIA triad 'dead' and replace it? We discuss the value and longevity of security frameworks, as well as the author's proposed replacement. Segment 3: The Weekly Enterprise News Finally, in the enterprise security news, Slow week for funding, older companies raising via debt financing A useful AI framework from the Cloud Security Alliance two interesting essays, one of which is wrong Folks are out here blasting unencrypted data to and from Satellites, while anyone can sniff and capture it getting hacked during a job interview LLM poisoning is far easier than previously thought F5 got breached Be careful when patching your Jeep (’s software) All that and more, on this episode of Enterprise Security Weekly. Show Notes: https://securityweekly.com/esw-429

Erotic Chats, UEFI, F5, Cisco, Doug Sings, Insiders, Lastpass, Sora, Aaran Leyland, and More on this edition of the Security Weekly News. Show Notes: https://securityweekly.com/swn-521

First up is a technical segment on UEFI shells: determining if they contain dangerous functionality that allows attackers to bypass Secure Boot. Then in the security news: Your vulnerability scanner is your weakest link Scams that almost got me The state of EDR is not good You don't need to do that on a phone or Raspberry PI Hash cracking and exploits Revisiting LG WebOS Hardening Docker images Hacking Moxa NPort Shoddy academic research The original sin of computing Bodycam hacking A new OS for ESP32 The AI bubble is going to burt Mobile VPNs are not always secure Show Notes: https://securityweekly.com/psw-896

Still managing compliance in a spreadsheet? Don't have enough time or resources to verify your control or risk posture? And you wonder why you can't get the budget to move your compliance and risk programs forward. Maybe it's time for a different approach. Trevor Horwitz, Founder and CISO at TrustNet joins Business Security Weekly to discuss how the evolution of Agentic AI can automate compliance and risk programs. Move beyond spreadsheets and let the power of AI streamline your compliance and risk program. In the leadership and communications segment,Is the CISO chair becoming a revolving door?, When Integrity Collides with Bureaucracy: The Price of Leadership in Cybersecurity — and Why Walking Away Can Be the Bravest Act!, Improve Communication With Others By Talking Less — Not More, and more! Show Notes: https://securityweekly.com/bsw-417

Bikers, Apple, Storm-657, Astaroth, EES, Salesforce, Aaran Leyland, and more on the Security Weekly News. Show Notes: https://securityweekly.com/swn-520

Interest and participation in the OWASP GenAI Security Project has exploded over the last two years. Steve Wilson explains why it was important for the project to grow beyond just a Top Ten list and address more audiences than just developers. He also talks about how the growth of AI Agents influences the areas that appsec teams need to focus on. Whether apps are created by genAI or directly use genAI, the future of securing software is going to be busy. Resources https://genai.owasp.org https://genai.owasp.org/llm-top-10/ LLM security book on Amazon at https://a.co/d/6LZoXxQ This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more! Show Notes: https://securityweekly.com/asw-352

Segment 1 - Interview with Dr. Anand Singh We're always thrilled to have authors join us to discuss their new book releases, and this week, it is Dr. Anand Singh. He seriously hustled to get his new book, Data Security in the Age of AI, out as soon as possible so that it could help folks dealing with securing AI rollouts right now! We'll discuss why he wrote it, how he got it done so quickly, and who needs to read it. Segment Resources: Get the book on Amazon: Data Security in the Age of AI (available in Kindle and print) Segment 2 - Topic: The reasons why CISOs buy (and the things that don't matter to them) Val Tsanev, founder of ExecWeb, part of the CyberRisk Alliance family, posted shared some VERY spicy insights about how CISOs buy products. This elicited some passionate responses. There are many interesting insights, but the biggest and most interesting is that 76% of CISOs choose products that presents the least risk to them, personally. Career safety trumps product performance, it would seem. Segment 3 - News In the enterprise security news, Shifting Zero Cyber insurance, unlike cyber crime, doesn’t pay New AI security categories are popping up to serve Agentic and MCP servers how tech companies measure AI impact first malicious MCP server in the wild is your computer mouse listening to you? The Korean government did not follow the backup rule of three Think you’ve seen the absolute worst idea for a mobile app? Wait until you hear about Neon. We have no less than three squirrel stories involving bullets, lasers, and greasy snacks All that and more, on this episode of Enterprise Security Weekly. Show Notes: https://securityweekly.com/esw-428

This week we kick things off with a special interview: Kieran Human from Threat Locker talks about EDR bypasses and other special projects. In the security news: Hacking TVs Flushable wipes are not the only problem People just want to spy on their pets, except the devices can be hacked Linux EDR is for the birds What does my hat say we love exploits and hashes ESP32s in your router RF signal generator on a PI Zero Mic-E-Mouse and other things that will probably never happen, until they do Hacking with money Uninitialized variables and other things the compiler should catch Breaking out of the shell Hacking with sound, for real, not just another side channel attack Bring back 2G When the game engine gets hacked Oracle 0-days This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them! Show Notes: https://securityweekly.com/psw-895

Global spending on cybersecurity products and services will see a strong 14.4% CAGR from 2024 through 2029 and will hit $302.5 billion in 2029, driven by continued concerns around cyberattacks across all verticals and geographies. But where is the spending occuring and how do you prepare? Merritt Maxim, VP & Research Director at Forrester, joins Business Security Weekly to discuss the Global Cybersecurity Market Forecast, 2024 To 2029 report. Merritt will discuss the findings, including: In 2029, 69% of cybersecurity spending will be on software across seven prime functional disciplines of cybersecurity (applications, cloud, data, endpoint, network, identity, and security operations); the remaining spending will be allocated to security services, excluding security outsourcing, implementation, and deployment services; and AI software spending will grow at a CAGR of 21.2%, from $74.3 billion in 2024 to $194.3 billion by 2029. See Merritt's blog of the results at https://www.forrester.com/blogs/global-cybersecurity-spending-to-exceed-300b-by-2029/. In the leadership and communications segment, The problem with cybersecurity is not just hackers – it’s how we measure risk, What California’s new AI law means for CIOs (and CISOs), The Language of Leadership: How to Set Firm Boundaries Without Sounding Like a Jerk, and more! Show Notes: https://securityweekly.com/bsw-416