Secure Talk Podcast

In this episode of SecureTalk, host Justin Beals explores the evolving world of API technology and security with Sam Chehab, Head of Security at Postman - the platform used by over 35 million developers and 90% of Fortune 500 companies.Episode Insights:Postman's Strategic Position: Learn why Sam joined Postman in September 2024 and how they're positioned to be the connective tissue for the emerging AI agent ecosystemAPIs as Agent Infrastructure: Sam explains how Postman's catalog of hundreds of thousands of documented APIs creates the perfect foundation for AI agent interactionsSecurity by Design: Discover how Postman is embedding security throughout the API lifecycle - from conception to deploymentThe Human Factor in Security: Why security remains a collaborative responsibility across organizations and how to foster a security-minded cultureNext-Gen Challenges: Sam's perspective on balancing innovation with fundamental security hygiene concerns like supply chain vulnerabilities"I see such a larger ecosystem that's really going to get built here beyond what's out in the market today," says Sam, discussing how Postman will facilitate human-agent collaboration in building the next generation of applications.Sam brings unique insights from his previous roles at technology giants like Palo Alto Networks and NVIDIA, where he once demonstrated an early chatbot prototype to Jensen Huang himself. His experience taking products through rigorous FedRAMP certification processes provides a valuable perspective on enterprise-grade security implementation.This episode offers essential insights for developers, security professionals, and technology leaders interested in the intersection of APIs, AI, and enterprise security in today's rapidly evolving digital landscape.

In this eye-opening episode of SecureTalk, host Justin Beals welcomes Bryant Tow, Chief Security Officer at LeapFrog Services, to discuss why technology alone can't solve cybersecurity challenges. Bryant reveals how the "Ring of Security" concept shows that up to half of your attack surface lies outside of technology—in governance, policies, people, and processes. The conversation explores real-world examples like the Change Healthcare breach, why security frameworks often fall short, and how building a culture of security requires connecting protection of company assets to personal security concerns.Key TopicsThe Change Healthcare breach: How a single oversight led to a $2.9 billion loss despite substantial technology investmentsWhy frameworks like CIS are great starting points but insufficient on their ownHow the "Ring of Security" approach addresses the complete attack surfaceBuilding a security culture that resonates with employees on a personal levelWhy a business impact analysis is critical but often missing from frameworksThe importance of understanding your data before implementing AI solutionsNotable Quotes"When you do the root cause analysis on headline breaches, nearly all of them started somewhere outside the technology." - Bryant Tow"Even if you do your technology perfectly, you're leaving half of your attack surface open." - Bryant Tow"Strategy drives governance. Governance drives operation." - Bryant TowAbout the GuestBryant Tow serves as Chief Security Officer at LeapFrog Services, where he assists clients with comprehensive security programs including strategy, governance, and operations. Previously, he owned Cyber Risk Solutions and served on the Department of Homeland Security Sector Coordinating Council. His "Ring of Security" concept emphasizes that cybersecurity is an organizational problem that uses technology as just one tool in the solution.Resources MentionedThe "Ring of Security" conceptCIS Framework limitationsBusiness Impact AnalysisAI Readiness AssessmentDepartment of Homeland Security Sector Coordinating CouncilSecureTalk is hosted by Justin Beals, focusing on cybersecurity strategy, governance, and best practices for organizations of all sizes.

In this eye-opening episode of SecureTalk, host Justin Beals welcomes Joe Gronemeyer, Solutions Engineer at Akamai Technologies, for a masterclass in how internet security has evolved from basic content delivery to sophisticated edge protection powering 30% of global web traffic. From stories of literally burning servers in 1999 to today's quantum-resistant cryptography, this conversation tracks the incredible journey of cybersecurity infrastructure.### Key Highlights:- **The Birth of Edge Networks**: How Akamai transformed from emergency content delivery savior to cybersecurity powerhouse- **Massive Security Scale**: Processing 26 billion web attacks monthly and analyzing 7 trillion DNS queries daily- **Zero Trust Evolution**: Why identity-aware proxies are replacing traditional VPNs for enterprise security- **Micro-segmentation Explained**: Creating "mini-firewalls" at every endpoint to contain breaches and limit attack radius- **Bot Attack Revolution**: The evolution from simple DDoS to sophisticated credential abuse and account takeover attempts- **API Security Challenges**: Why APIs have become the new security frontier as other defenses improve- **Client-Side Security**: How PCI DSS v4 is forcing new approaches to JavaScript security monitoring- **Quantum-Resistant Future**: Akamai's implementation of NIST-approved quantum-resistant cryptography### Notable Quotes:"If you had our auto rules applied during the Log4J incident, you wouldn't have had to take any action during Christmas - it would have been protecting you automatically." - Joe Gronemeyer"At some point I think it was in 2011-2012, is when we would start looking at the traffic coming in and protecting websites from attacks as well. So applying security at the edge, keeping the bad actors away from your servers." - Joe Gronemeyer### About Our Guest:Joe Gronemeyer serves as a Solutions Engineer at Akamai Technologies with nearly a decade of experience. Previously, he spent 13 years at Accenture as a Senior Manager leading digital solutions for Fortune 500 companies across pharmaceuticals, consumer goods, and telecommunications industries. He holds a BS in Industrial and Systems Engineering from Georgia Tech and is CISSP certified.### Resources Mentioned:- Web Application Firewall (WAF) technology- Zero Trust Network Access (ZTNA)- Enterprise Application Access- Client-Side Access and Compliance (formerly Page Integrity Manager)- OWASP Top 10 for web, API, and AI security- PCI DSS version 4 compliance requirements- NIST standards for quantum-resistant cryptography*Don't miss our next episode where we'll continue exploring cutting-edge cybersecurity approaches for enterprise organizations.*#EdgeSecurity #ZeroTrust #MicroSegmentation #APIProtection #WAF #PCICompliance #QuantumCryptography #CyberDefense

In this eye-opening episode of SecureTalk, host Justin Beals sits down with Nick Furneaux, renowned cryptocurrency investigator and author of the provocatively titled book "There's No Such Thing as Crypto Crime." Furneaux shares his extensive expertise on blockchain technology, cryptocurrency investigations, and the evolving landscape of digital financial crimes.Key Topics Discussed:The meaning behind Furneaux's book title "There's No Such Thing as Crypto Crime" and why traditional investigation skills remain relevantThe fundamental differences between Bitcoin and newer cryptocurrencies like Ethereum and SolanaHow blockchain technology actually helps investigators through its open ledger systemThe mechanics behind "rug pulls" and other crypto-related scamsThe role of mining in cryptocurrency ownership and valueHow TRM Forensics tools help trace illicit cryptocurrency transactionsThe concerning rise of human trafficking in crypto scam operationsHow AI is transforming both criminal schemes and investigation techniquesNotable Quotes:"There is no such thing as a crypto-only crime. There is no new criminal category. There is just a new payment mechanism." - Nick Furneaux"The Bitcoin source code is some of the most beautiful code ever written. It is extraordinary... and it's never been hacked." - Nick Furneaux"We're in a situation now where the victim is a victim, and the scammer is a victim." - Nick Furneaux on trafficking in scam compoundsAbout Nick Furneaux:Nick Furneaux is a digital forensics expert, cryptocurrency investigator, and cybersecurity specialist. He has worked in digital forensics for many years and is known for his expertise in cryptocurrency investigations. He has served as a trainer and consultant for law enforcement agencies and private organizations on matters related to digital forensics and cryptocurrency tracing.He is the author of *There’s No Such Thing as Cryptocrime* (2024) and *Investigating Cryptocurrencies* (2018). He has trained thousands of investigators in the essential skills needed to track cryptocurrencies involved in criminal activities. Currently, he works as a Blockchain Intelligence Expert and Master Trainer at TRM Labs and serves as an advisor to the Board of Asset Reality.Resources Mentioned:Book: "There's No Such Thing as Crypto Crime" by Nick Furneaux (link)Book: "Investigating Cryptocurrencies" by Nick Furneaux (link)TRM Forensics Investigative ToolkitThis episode provides invaluable insights for cybersecurity professionals, financial investigators, and anyone interested in understanding cryptocurrency's role in modern digital crime investigations.SecureTalk is hosted by Justin Beals, bringing you expert conversations with the leading minds in cybersecurity.#Cryptocurrency #BlockchainForensics #CryptoInvestigation #Cybersecurity #DigitalForensics #Bitcoin #Ethereum #CryptoScams #FinancialCrime

In this eye-opening episode of SecureTalk, host Justin Beals interviews Johann Rehberger, a seasoned cybersecurity expert and Red Team Director at Electronic Arts, about his groundbreaking discovery of a critical vulnerability in ChatGPT's memory system. Johann shares how his security background and curiosity about AI led him to uncover the "SPAIWARE" attack - a persistent malicious instruction that can be injected into ChatGPT's long-term memory, potentially leading to data exfiltration and other security risks.Key Topics CoveredJohann's journey from Microsoft development consultant to becoming a leading red team expert specializing in AI securityThe discovery of ChatGPT's memory system vulnerability and how it could be exploitedHow traditional security concepts like the CIA security triad (Confidentiality, Integrity, Availability) apply to AI systemsThe development of "SPAIWARE" - a persistent prompt injection attack that can leak user dataCommand and control infrastructure using prompt injection techniquesThe challenges of securing agentic AI systems that can control web browsers and execute tasksThe evolving relationship between security researchers and AI companies like OpenAINotable Quotes"I think using this system is just so important because it can help you. They are so powerful. I started using it daily. But the security mindset of course too, because I use it for my productivity, but I always use it for trying to find the flaws and trying to understand how it works." - Johann Rehberger"What I did basically was use that technique and then insert that instruction in memory. So that whenever there's a conversation turn, the user has a question, ChatGPT responds. Every single conversation turn will be sent to the third-party server. So this is where the word spyware basically kind of came from." - Johann Rehberger"The better the models become, the better they follow instructions, including attacker instructions." - Johann RehbergerAbout Johann RehbergerJohann Rehberger is the Red Team Director at Electronic Arts with extensive experience in cybersecurity. His career includes roles at Microsoft, where he led the Red Team for Azure Data, and Uber, where he served as Red Team Lead. Johann is known for his pioneering work in AI security, specifically identifying and responsibly disclosing vulnerabilities in large language models like ChatGPT.Resources MentionedJohann's blog on machine learning security (https://embracethered.com/blog/index.html)Black Hat Europe presentation on ChatGPT security vulnerabilitiesLLM Owasp Top 10 vulnerability classificationsConnect With UsFollow SecureTalk for more insights on cybersecurity trends and emerging threats. Visit our website at www.securetalkpodcast.com  for more episodes and resources.#AISecurityRisks #PromptInjection #ChatGPT #Cybersecurity #AIVulnerabilities #RedTeaming #SecureTalk

What if there was a way to precisely predict the risk of a major data breach when sharing information? In this illuminating episode of Secure Talk, Justin Beals sits down with Simson Garfinkel, renowned computer scientist, journalist, and author who helped implement differential privacy for the U.S. Census Bureau's 2020 census. As a fellow of the American Association for the Advancement of Science, the Association for Computing Machinery, and the IEEE, and with leadership positions at both the Department of Homeland Security and U.S. Census Bureau, Garfinkel offers unparalleled insights into how mathematics is creating an entirely new frontier in privacy protection in his new book “Differential Privacy”.Differential privacy is a reliable mathematical framework that quantifies privacy risk or the potential for a major breach. It can transform how organizations understand, measure, and control data exposure. Yet most security, compliance, and legal professionals haven't grasped its revolutionary implications for measuring and predicting a major privacy breach.Join Justin and Simson as they reveal:- How differential privacy allows organizations to calculate privacy risk with mathematical precision- Why this new field of privacy research eliminates guesswork when combining and distributing sensitive data- The revolutionary balance between data utility and privacy protection that was previously impossible- How forward-thinking organizations are using these mathematical formula to unlock data value safelyThis isn't abstract theory – it's a practical revolution in how we approach data sharing. Garfinkel, who literally wrote the book on "Differential Privacy," shares real-world examples from his work with the U.S. Census Bureau, where differential privacy enabled the release of valuable population data while mathematically predicting individual privacy. In his book, Simson breaks down complex mathematical concepts into clear, actionable insights for security leaders, compliance officers, and legal counsel.Listen now to discover how differential privacy is creating a future where data-sharing decisions are based on mathematical certainty rather than best guesses and crossed fingers.Link to Simson's book: https://mitpress.mit.edu/9780262551656/differential-privacy/

How do you secure a nation? Hint: look for the risks to the most critical infrastructure.In this critical episode of SecureTalk, host Justin Beals sits down with Robert Kolasky, former founding director of the National Risk Management Center at DHS and current Senior VP for Critical Infrastructure at Exiger. As the new administration implements sweeping changes to federal security requirements, Kolasky provides an insider's perspective on what these shifts mean for contractors, the Defense Industrial Base, and organizations managing critical infrastructure.Drawing from his experience protecting everything from elections to the electrical grid, Kolasky offers rare insights into:The future of the Cybersecurity Maturity Model Certification (CMMC) programHow companies can prepare for evolving compliance standardsThe relationship between FedRAMP and other security frameworksEmerging hybrid threats to national securitySupply chain vulnerabilities and third-party risk managementWhether you're a federal contractor navigating new requirements or a security professional concerned about critical infrastructure protection, this conversation provides essential guidance during a time of unprecedented change in the national security landscape.

In a groundbreaking conversation on SecureTalk, legal scholar James Boyle explores the complex landscape of artificial intelligence and biological innovation, challenging our understanding of personhood and consciousness. Drawing from his recent book “The Line: Artificial Intelligence and the Future of Personhood”, Boyle dissects the potential future of artificial general intelligence and biological engineering through the lens of legal and ethical frameworks. We shine a light on how our current technological advancements are forcing us to reexamine fundamental questions about what constitutes a "person" – a journey that parallels historical shifts like human rights and the evolution of corporate personhood.Boyle also delves into the equally provocative realm of biological engineering, where technologies like CRISPR are blurring the lines between species and challenging our ethical boundaries. He warns that we're entering an era where genetic modifications could fundamentally alter human capabilities, raising critical questions about ownership, consent, and the rights of an invention. For cybersecurity professionals, AI researchers and corporate leaders, Boyle's legal insights offer a crucial roadmap for navigating the complex ethical terrain of emerging technologies, emphasizing the importance of proactive, critical thinking in shaping our technological future.You can find the book here: https://scholarship.law.duke.edu/faculty_books/9/

If you've ever found yourself frustrated watching deadlines slip by as your development team waits on yet another security review, you're not alone. In today's competitive landscape, companies are caught in a difficult balancing act: move quickly to deliver the features customers want or slow down to ensure those features don't introduce vulnerabilities that could lead to the next headline-making breach.Security reviews have become the speed bump on the road to innovation that everyone acknowledges is necessary, but few have figured out how to navigate efficiently. Development teams push for velocity while security teams pull the emergency brake, creating tension that reverberates throughout organizations.Today, we're joined by Dimitri Shvartsman, co-founder of Prime Security and prior Head of Cybersecurity at PayPal, to discuss how enterprise organizations are innovating security solutions to reduce the time to feature delivery. We'll explore how AI tools can actually enable rather than impede innovation and examine practical approaches to integrating AI security tools earlier in the development lifecycle.Whether you're a CISO trying to balance security with business needs, a developer tired of security roadblocks, or a product leader navigating these competing priorities, this conversation will give you actionable insights to transform security from a bottleneck into a business enabler.

In this episode of SecureTalk, Justin Beals welcomes Daniel Oberhaus, the author of Silicon Shrink, to discuss the revolutionary and controversial integration of artificial intelligence (AI) in mental health care. Daniel demystifies the central theme of his book, explaining the concept of Silicon Shrink and exploring how AI tools are increasingly being used to diagnose and treat mental health conditions. He highlights the alarming implications of leveraging AI in psychiatry, the historical intersection of these two fields, and the potential pitfalls and ethical challenges this marriage presents. He also delves into the technical, policy, and philosophical dimensions of using AI in psychiatry, bringing attention to various case studies and real-world applications such as emotion-recognition technology and AI-driven triage systems like those used by the Crisis Text Line. Daniel's insights present a compelling narrative, urging a cautious yet hopeful approach to adopting AI technologies in areas as sensitive as mental health, underscoring the need for transparency, privacy, and ethical considerations.Book: Oberhaus, Daniel. The Silicon Shrink: How Artificial Intelligence Made the World an Asylum. MIT Press, 2025.  (Link)