Afleveringen
-
More than 48,000 vulnerabilities were disclosed in 2025, yet only about 1% are actively exploited. However, you're expected to mitigate all vulnerabilities, or at least critical and high. But what if there is no patch to fix the vulnerability or the software is unsupported?
Ben Lipcynski, Director Security and Regulatory Services at Optima, joins Business Security Weekly to discuss how organizations can take back control of your enterprise software. OPTAS — Origina Proactive Threat Assurance Service — predicts, validates, prioritizes, and mitigates threats specific to your environment. Unlike AI vulnerability tools that flag everything without context or mitigation guidance, OPTAS cuts through the noise. OPTAS helps security teams focus on the risks that matter instead of chasing the 99% that do not.
Segment Resources: - https://www.origina.com/optas#optas-overview
This segment is sponsored by Origina. Visit https://securityweekly.com/origina to request a consultation.
In the leadership and communications segment, US enterprises incorporate cyber risk into larger strategic focus, 75% of CISOs Fear Executives Don't Understand Cybersecurity Risks, AI agents are not your "coworkers", and more!
Show Notes: https://securityweekly.com/bsw-456
-
Zijn er afleveringen die ontbreken?
-
While LLMs and agents are new to appsec and everyone else, a lot of AI security requirements translate to well-known API security requirements. Jeremy Snyder helps us frame the OWASP LLM Top 10 into five layers in order to help orgs understand and prioritize their attack surface. A lot of orgs don't have to deal with model-specific threats or building their own GPU architecture, but every org adopting LLMs and agents should be aware of how those agents are being invoked and the output those agents are producing. That awareness of input and output helps in identifying and mitigating prompt injection attacks, ensuring agents are working within their expected boundaries, and taming token budgets.
Resources:
https://genai.owasp.org/llm-top-10/ https://github.com/rtk-ai/rtk https://docs.aws.amazon.com/bedrock/latest/userguide/prompt-caching.html https://www.firetail.ai/blog/beyond-the-spectacle-rsac-2026-and-the-5-layers-of-ai-securityShow Notes: https://securityweekly.com/asw-391
-
Interview with François Proulx from Boost Security
Software Supply Chain Security: Build Pipeline (CI/CD) Exploitation
Boost Security is the creator of some very popular build pipeline security tools, like Bagel and Poutine. Today, we discuss their latest tool, Smoked Meat. They describe it as "Like Metasploit, but for CI/CD pipelines".
Segment Resources:
Smoked Meat announcement Smoked Meat github Smoked Meat demo with Guillaume and François Identiverse Interview with Dr. John Prichard from Radiant LogicThe Three Identity Problem: Surviving Identity Security's Chaotic Era
Identity security has entered its chaotic era. Human, non-human, and agentic AI identities no longer just coexist. They form an uncontrolled inheritance chain in which a human creates an agent, the agent spins up service principals, OAuth grants, and role assignments, and that whole chain keeps running long after the human changes roles or leaves. Most of these chains are being spawned by business users on low-code and enterprise AI platforms, outside traditional identity controls and largely invisible to security.
In this segment, Radiant Logic CEO Dr. John Pritchard joins us to unpack why this is no longer a visibility problem. It is an observability problem. And it is shifting the center of gravity in identity security from authentication to authorization. Listeners will leave with a clearer view of where their current IAM, IGA, and NHI programs fall short, and a practical lens for governing the rapidly expanding population of AI agents already inside their environments.
To go deeper on what John discussed today, watch Radiant Logic's on-demand webinar Identities Under Attack: How Adversaries Exploit the Human-Machine-Agent Divide at https://securityweekly.com/radiantlogicidv.
Identiverse Interview with Cassie Christensen from SaviyntEveryone Wants an AI Assistant. Few Are Ready to Govern One
Explore a growing reality many professionals can relate to: the appeal of using AI agents to handle the work that keeps piling up - from inbox management to research and logistics - and the governance challenges that quickly follow. The real barrier to scaling personal or enterprise AI agents isn't the technology itself, but defining clear roles, access boundaries, oversight, and lifecycle management. As organizations deploy more autonomous AI agents, the same identity frameworks used to govern workforce and non-employee identities must now evolve to manage AI-driven access before scale and risk outpace control.
This segment is sponsored by Saviynt. Learn more or get a free demo at https://securityweekly.com/saviyntidv
Identiverse Interview with Jaime Lewis-Gross from SaviyntFrom Sales Engineer to Forward Deployed Engineer: The Rise of Hybrid Technical Roles
As technology organizations evolve, technical roles are becoming increasingly fluid - particularly at the intersection of product, engineering, and customer success. This conversation explores what it means to be a modern sales engineer and how the role is increasingly expanding into responsibilities often associated with forward deployed engineers: translating complex technical capabilities into real-world outcomes, solving customer challenges in real time, and serving as a critical bridge between product teams and end users. At the center of this evolution is a customer-first mindset - one that prioritizes listening, adaptability, and long-term partnership. As organizations race to innovate, the companies that stand out will be those that remain deeply focused on customer needs while empowering technical teams to operate beyond traditional role boundaries.
This segment is sponsored by Saviynt. Learn more or get a free demo at https://securityweekly.com/saviyntidv
Identiverse Interview with Kim Brown from LexisNexisStop Identity Fraud: Modern Strategies for Insurance and Healthcare
Identity fraud is growing more sophisticated across both insurance and healthcare, making identity management a critical line of defense. In this executive interview, Kim Brown, VP of Product Management, will explore how organizations can strengthen identity verification, authentication, and risk assessment to reduce fraud while improving user experiences. The discussion will highlight emerging threats, evolving regulatory expectations, and practical strategies for deploying identity solutions at scale. Attendees will gain actionable insights to protect customers, patients, and their organizations without adding friction.
This segment is sponsored by LexisNexis Risk Solutions. Visit https://securityweekly.com/lexisnexisidv to learn more about them!
Show Notes: https://securityweekly.com/esw-467
-
In the security news:
Son of Anton strikes again! HalluSquatting and using Claude to defend itself CISA KEV's Revolving Door LLM's hallucinate and companies get sued Additionally - GitLost Yet even more Linux vulnerabilities Citrix just keeps bleeding Old hardware is new again A sneak peak into next week's tech segment Tenda hidden backdoors We're still talking about Mirai Today was not a good day for Roundcube Canada is hacking criminals AI safeguards are still annnoying All cars will spy on you The FatFs unpatched vulnerability in millions of embedded devices Windows OS market share drops below 60% (Paul uses Arch) 'We Cannot Choose to Become Idiots' - or can we?Show Notes: https://securityweekly.com/psw-934
-
The latest generation of AI models has collapsed the time from vulnerability discovery to weaponized exploit from weeks to minutes, and reactive, module-based tools built around static dashboards simply can't keep up.
In this episode, Tanium COO Matt Quinn joins Business Security Weekly to discuss Tanium Atlas, the new autonomous operating system for IT and security. Matt explains why "good enough" operations are now a liability, how Atlas turns a single operator into the equivalent of an entire team, giving organizations the speed, scale, and efficiency to match the pace of today's threat environment. He also breaks down why nearly two decades of real-time endpoint telemetry across more than 36 million endpoints is the foundation no AI model can replicate on its own.
This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them!
In the leadership and communications segment, CEOs, CIOs clash over AI's value, Aspiring Leaders, Don't Just Network Up, Your Talent Strategy Has to Keep Up with Your AI Transformation, and more!
Show Notes: https://securityweekly.com/bsw-455
-
Mobile applications have unique risks and threat models compared to server-side applications and infrastructure. Consequently, they need different strategies to ensure their business logic and workflows well secured. We'll dive into some of these defense-in-depth strategies and why they are important to mobile applications. Securing workflows goes beyond input validation and pattern matching suspicious payloads; it requires detailed attention to state machines, edge cases, and collecting signals to evaluate trust.
Segment Resources:
https://hubs.la/Q04jLKj70 https://mas.owasp.org/MASTG/0x04c-Tampering-and-Reverse-Engineering/ https://owasp.org/API-Security/editions/2023/en/0x00-header/This segment is sponsored by Guardsquare. Visit https://securityweekly.com/guardsquare to learn more about them!
Show Notes: https://securityweekly.com/asw-390
-
Interview with Sandy Bird, co-founder of Sonrai Security
In this week's interview, we kick off the conversation with how Sonrai's expertise in securing cloud identity permissions had the company well placed to address the explosion of AI agents and the clear risks they represented. On the surface, this looks like a cloud/hyperscaler permissions challenge, but it isn't that simple. As agents like Claude Code, Codex, and Hermes are connected to enterprise cloud agents, the risk spreads outside VPCs and onto endpoints.
Check out the episode to learn more about some of the most common risks Sandy finds and how Sonrai goes about addressing them.
This segment is sponsored by Sonrai Security. Visit https://securityweekly.com/sonrai to learn more about them!
Segment Resources
AWS Bedrock agent permissions: what you need to lock down before you go live Making Enterprise AI Agents Accountable with Amir Ofek, CEO and Co-Founder of aizomeOrganizations looking to unlock the power of Enterprise AI Agents, and in a controlled and safe way at the speed of AI. Identity is at the heart of it. However, NHI Governance Is Not Enough for Enterprise AI Agents.
The identity industry has responded to the rise of AI agents the same way it responds to every new identity challenge: extend existing frameworks. Map agents to human owners. Enforce least privilege. Govern them like non-human identities.
It is a reasonable instinct. It is also insufficient in ways that matter enormously. Non-human identity security was built for a deterministic world - service accounts, API keys, bots. These identities do what they are configured to do. Their behavior is predictable enough that static governance models work. Enterprise AI agents are categorically different. Not in degree - in kind. They don't execute fixed instructions. They reason, plan, and adapt in response to context. Their scope shifts with every task. Their behavior at runtime can diverge significantly from anything true at provisioning time. Unlike any identity that came before them, they frequently change their intent, at a pace no governance model built for human movers or machine credentials was designed to handle.
Wrapping them in the same framework you use for a service account isn't wrong. It's just insufficient in precisely the places where risk accumulates.
Download the SANS AI Security Maturity Model eBookThis segment is sponsored by aizome. Visit https://securityweekly.com/aizomeidv to learn more about them!
The Human Authorized. The Agent Acted. Who's Accountable? Interview with Howard Ting - CEO - Opal SecurityA self-driving car still has a license plate The accountability didn't change just because the driver did. The same has to be true for AI agents, but most environments can't trace an agent action back through the layers of delegation to the human who authorized it. Howard Ting, CEO of Opal Security, joins Security Weekly to discuss what the accountability model looks like when employees run swarms of agents, and what has to be in place before that accountability chain is tested.
https://www.opal.dev/resource-center/identity-governance-report-2026-ai-accessThis segment is sponsored by Opal Security. Visit https://securityweekly.com/opalidv to learn more about them!
Next Evolution of Identity Security: AI for Lower Cost, Efficiency & Governance with Ajay Gupta - President & CEO - SDGOrganizations have invested heavily in identity platforms, but many still struggle to maximize security, efficiency, and governance outcomes. As AI transforms both cyber defense and cyber threats, Identity Security is emerging as a critical foundation for securing human and non-human identities alike. In this discussion, we explore how AI is helping organizations reduce costs, improve operations, defend against AI-powered attacks, and address the governance challenges created by AI agents—highlighting the convergence of Identity Security, AI Security, and AI Governance.
This segment is sponsored by SDG. Visit https://securityweekly.com/sdgidv to learn more about them!
Show Notes: https://securityweekly.com/esw-466
-
This week we have a technical segment based on the response to "Atomic Arch", an updated open-source tool to help you catch malicious packages. In the security news:
Exploitarium A hot messy summer of vulnerabilities AI Squatting Linux LPE - no shortage of those Fingerprinting Favicons Windows 10 extended Can Clothes Make You Invisible to Facial Recognition? Fable and Mythos for All Do we care about Quantum? Execs have AI risk under control Biological warefare in Spyware The scripts in-scope for PCI We don't have privacy, but we may get age restrictionsShow Notes: https://securityweekly.com/psw-933
-
One of the biggest questions most executives ask is "Why does it still feel this hard when the talent is clearly there?" The answer, in almost every case, is not a people problem. It is an environment problem. And environment is something a leader can build.
Greg Hoffman, President at Ascension Performance Group, joins Business Security Weekly to discuss his new book, Performance Through People, a leadership parable that shows a practical operating model for building the conditions where people perform at their highest level. It is written as a story, but it is built as a framework. Greg will discuss the core pillars of this framework, including:
Leadership First Mindset Operational Clarity Capability Empowerment ImpactSegment Resources: - https://a.co/d/053FuwYT - https://ascensionpg.com/articles/
In the leadership and communications segment, What the New Quantum Executive Orders Mean for Business Leaders, What I Learned About Burnout the Hard Way (and How to Actually Fix it, Mentorship Matters, and more!
Show Notes: https://securityweekly.com/bsw-454
-
SquidBleed reveals another vuln that's been lurking for decades, but its real lesson is in managing an attack surface. Regardless of whatever programming language you use, removing code is one of the best security steps you can take, followed by changing default configs to turn off uncommon features and ancient protocols.
The Linux kernel's removal of strncpy is another example of managing attack surface by replacing a notoriously misused and ambiguous function with more specific versions that better match the developers intent. It was a six-year journey for the kernel, but one that should remove a class of vulns and, importantly, improve performance.
Then it's on to agents with a discussion of the newly released OWASP AISVS and yet another example of evaluating LLMs as code reviewers.
Agentic AI Has an Identity Problem
AI agents are already running inside enterprise environments, operating on credentials, API tokens, and cloud roles that most security teams have never inventoried. When an agent acts autonomously across production systems, the security question is no longer just what it can do but who it is and whether that identity is governed at all. Itamar Apelblat, Co-Founder and CEO of Token Security, discusses why identity is the right lens for understanding agentic AI risk and what practical steps security teams can take now.
Segment Resources:
https://www.token.security/product https://www.token.security/lp/ai-agent-identity-security-buyers-guide-ebook https://www.token.security/enzo https://www.token.security/ai-agent-calculatorThis segment is sponsored by Token Security. To lean more, visit https://securityweekly.com/tokenidv
Blended Identities and the challenge of IAM for AI
AI agents aren't quite human and aren't traditional machines. So how do you secure workflows that involve humans using AI to access sensitive data, and do it at machine speed and scale? David breaks down the challenges and discusses actual implementations of IAM for AI to explain how to solve them.
Segment Resources:
https://aembit.io/case-study/a-300b-investment-firm-secures-claude-access-with-aembit/ https://aembit.io/blog/aembit-now-secures-microsoft-copilot-studio-agents/ https://www.youtube.com/watch?v=cSInzRUXvNcThis segment is sponsored by Aembit. Get the cloud security alliance survey on AI Identities at https://securityweekly.com/aembitidv
Show Notes: https://securityweekly.com/asw-389
-
Interview with Adriel Desautels - the pentest is broken
Adriel joins us for a discussion on the state of penetration testing, why it hasn't done much to help security teams over the last 20 years, and why AI won't save it.
Segment Resources:
https://hbr.org/2026/04/boards-are-falling-short-on-cybersecurity https://www.scworld.com/perspective/how-to-build-a-breach-ready-security-posture-without-the-enterprise-price-tag https://netragard.com/blog/what-is-penetration-testing/ Topic: Why Meta is destroying its engineering organizationThe titular essay: https://newsletter.pragmaticengineer.com/p/why-is-meta-destroying-its-engineering
A very interesting analysis of what's going on inside big tech companies as they try to dogfood their own AI hype and tokenmaxx themselves into oblivion. There have been a LOT of stories on this, but this is the most comprehensive and enlightening. A few more are linked below.
This is relevant to security, because heavier AI use appears to be linked to a much higher occurrence of availability and security issues.
'Tell Him He's a Piece of Shit': Meta's New AI Unit Is a Total Mess The Newest Instagram "Exploit" is the Goofiest I've Seen Meta CTO Andrew Bosworth Admits the Company's AI Reorg Was 'Atrocious' Meta's months-old AI unit is a soul-crushing gulag, say the engineers stuck inside it The Weekly Enterprise NewsFinally, in the enterprise security news,
an AI vibe check An AI SOC vendor shuts down Cybersecurity vendor layoffs funding & acquisitions cascading breaches digital estate management criminals don't trust AI either some devs won't code without AI, even if you pay them to Midjourney is now a healthcare company?All that and more, on this episode of Enterprise Security Weekly.
Show Notes: https://securityweekly.com/esw-465
-
First up is Sandy Bird from Sonrai discussing how to protect our cloud infrastructure!
This segment is sponsored by Sonrai Security. Visit https://securityweekly.com/sonrai to learn more about them!
Next up in the security news:
Help, I am Fortibleeding Cisco SD-WAN needs help The secret life of probe requests Help, I am Squidbleeding XSS to RCE and why CVSS isn't the full picture TVs spy on you Foundational security practices Cybersecurity costs money Happy "Its too late to update your KEK key" day You don't have security flaws if no one can report them Rickrolling FIFA Domain takeovers End of life, out of luck The key to Encryption...Show Notes: https://securityweekly.com/psw-932
-
The 2026 Verizon DBIR has arrived and the results are in... Even with a substantial increase in Exploitation of Vulnerabilities, All Credential Abuse is still the top initial access vector for breaches, which means the human is still the weakest link. Why haven't security awareness training and phishing campaigns worked?
Robert Siciliano, Architect of of The Strategic Human Firewall™ at ProtectNow, joins Business Security Weekly to explore why humans, not hackers, are the ultimate deciding factor in organizational security. The industry needs to shift from security awareness to security appreciation. Robert will discuss:
How you can build a culture that actually protects your people, your data, and your operations in an era of AI deception. Why most companies are still performing 'Security Theater'—checking boxes and hoping for the best—instead of driving genuine behavior change. How Trust and Denial quietly fuel most disasters, why interactive training is the only way to make the lessons stick, and how leaders can scale this entire framework without needing a Hollywood budget.Segment Resources:
https://protectnowllc.com/ai-cyber-security-keynote-speaker/
In the leadership and communications segment, Should CEOs Be Held Personally Accountable for Cyber Attacks?, Placing communication at the center of every leadership transition, AI isn't solving cybersecurity workforce woes, and more!
Show Notes: https://securityweekly.com/bsw-453
- Laat meer zien