Afleveringen
-
Mobile applications have unique risks and threat models compared to server-side applications and infrastructure. Consequently, they need different strategies to ensure their business logic and workflows well secured. We'll dive into some of these defense-in-depth strategies and why they are important to mobile applications. Securing workflows goes beyond input validation and pattern matching suspicious payloads; it requires detailed attention to state machines, edge cases, and collecting signals to evaluate trust.
Segment Resources:
https://hubs.la/Q04jLKj70 https://mas.owasp.org/MASTG/0x04c-Tampering-and-Reverse-Engineering/ https://owasp.org/API-Security/editions/2023/en/0x00-header/This segment is sponsored by Guardsquare. Visit https://securityweekly.com/guardsquare to learn more about them!
Show Notes: https://securityweekly.com/asw-390
-
Interview with Sandy Bird, co-founder of Sonrai Security
In this week's interview, we kick off the conversation with how Sonrai's expertise in securing cloud identity permissions had the company well placed to address the explosion of AI agents and the clear risks they represented. On the surface, this looks like a cloud/hyperscaler permissions challenge, but it isn't that simple. As agents like Claude Code, Codex, and Hermes are connected to enterprise cloud agents, the risk spreads outside VPCs and onto endpoints.
Check out the episode to learn more about some of the most common risks Sandy finds and how Sonrai goes about addressing them.
This segment is sponsored by Sonrai Security. Visit https://securityweekly.com/sonrai to learn more about them!
Segment Resources
AWS Bedrock agent permissions: what you need to lock down before you go live Making Enterprise AI Agents Accountable with Amir Ofek, CEO and Co-Founder of aizomeOrganizations looking to unlock the power of Enterprise AI Agents, and in a controlled and safe way at the speed of AI. Identity is at the heart of it. However, NHI Governance Is Not Enough for Enterprise AI Agents.
The identity industry has responded to the rise of AI agents the same way it responds to every new identity challenge: extend existing frameworks. Map agents to human owners. Enforce least privilege. Govern them like non-human identities.
It is a reasonable instinct. It is also insufficient in ways that matter enormously. Non-human identity security was built for a deterministic world - service accounts, API keys, bots. These identities do what they are configured to do. Their behavior is predictable enough that static governance models work. Enterprise AI agents are categorically different. Not in degree - in kind. They don't execute fixed instructions. They reason, plan, and adapt in response to context. Their scope shifts with every task. Their behavior at runtime can diverge significantly from anything true at provisioning time. Unlike any identity that came before them, they frequently change their intent, at a pace no governance model built for human movers or machine credentials was designed to handle.
Wrapping them in the same framework you use for a service account isn't wrong. It's just insufficient in precisely the places where risk accumulates.
Download the SANS AI Security Maturity Model eBookThis segment is sponsored by aizome. Visit https://securityweekly.com/aizomeidv to learn more about them!
The Human Authorized. The Agent Acted. Who's Accountable? Interview with Howard Ting - CEO - Opal SecurityA self-driving car still has a license plate The accountability didn't change just because the driver did. The same has to be true for AI agents, but most environments can't trace an agent action back through the layers of delegation to the human who authorized it. Howard Ting, CEO of Opal Security, joins Security Weekly to discuss what the accountability model looks like when employees run swarms of agents, and what has to be in place before that accountability chain is tested.
https://www.opal.dev/resource-center/identity-governance-report-2026-ai-accessThis segment is sponsored by Opal Security. Visit https://securityweekly.com/opalidv to learn more about them!
Next Evolution of Identity Security: AI for Lower Cost, Efficiency & Governance with Ajay Gupta - President & CEO - SDGOrganizations have invested heavily in identity platforms, but many still struggle to maximize security, efficiency, and governance outcomes. As AI transforms both cyber defense and cyber threats, Identity Security is emerging as a critical foundation for securing human and non-human identities alike. In this discussion, we explore how AI is helping organizations reduce costs, improve operations, defend against AI-powered attacks, and address the governance challenges created by AI agents—highlighting the convergence of Identity Security, AI Security, and AI Governance.
This segment is sponsored by SDG. Visit https://securityweekly.com/sdgidv to learn more about them!
Show Notes: https://securityweekly.com/esw-466
-
Zijn er afleveringen die ontbreken?
-
This week we have a technical segment based on the response to "Atomic Arch", an updated open-source tool to help you catch malicious packages. In the security news:
Exploitarium A hot messy summer of vulnerabilities AI Squatting Linux LPE - no shortage of those Fingerprinting Favicons Windows 10 extended Can Clothes Make You Invisible to Facial Recognition? Fable and Mythos for All Do we care about Quantum? Execs have AI risk under control Biological warefare in Spyware The scripts in-scope for PCI We don't have privacy, but we may get age restrictionsShow Notes: https://securityweekly.com/psw-933
-
One of the biggest questions most executives ask is "Why does it still feel this hard when the talent is clearly there?" The answer, in almost every case, is not a people problem. It is an environment problem. And environment is something a leader can build.
Greg Hoffman, President at Ascension Performance Group, joins Business Security Weekly to discuss his new book, Performance Through People, a leadership parable that shows a practical operating model for building the conditions where people perform at their highest level. It is written as a story, but it is built as a framework. Greg will discuss the core pillars of this framework, including:
Leadership First Mindset Operational Clarity Capability Empowerment ImpactSegment Resources: - https://a.co/d/053FuwYT - https://ascensionpg.com/articles/
In the leadership and communications segment, What the New Quantum Executive Orders Mean for Business Leaders, What I Learned About Burnout the Hard Way (and How to Actually Fix it, Mentorship Matters, and more!
Show Notes: https://securityweekly.com/bsw-454
-
SquidBleed reveals another vuln that's been lurking for decades, but its real lesson is in managing an attack surface. Regardless of whatever programming language you use, removing code is one of the best security steps you can take, followed by changing default configs to turn off uncommon features and ancient protocols.
The Linux kernel's removal of strncpy is another example of managing attack surface by replacing a notoriously misused and ambiguous function with more specific versions that better match the developers intent. It was a six-year journey for the kernel, but one that should remove a class of vulns and, importantly, improve performance.
Then it's on to agents with a discussion of the newly released OWASP AISVS and yet another example of evaluating LLMs as code reviewers.
Agentic AI Has an Identity Problem
AI agents are already running inside enterprise environments, operating on credentials, API tokens, and cloud roles that most security teams have never inventoried. When an agent acts autonomously across production systems, the security question is no longer just what it can do but who it is and whether that identity is governed at all. Itamar Apelblat, Co-Founder and CEO of Token Security, discusses why identity is the right lens for understanding agentic AI risk and what practical steps security teams can take now.
Segment Resources:
https://www.token.security/product https://www.token.security/lp/ai-agent-identity-security-buyers-guide-ebook https://www.token.security/enzo https://www.token.security/ai-agent-calculatorThis segment is sponsored by Token Security. To lean more, visit https://securityweekly.com/tokenidv
Blended Identities and the challenge of IAM for AI
AI agents aren't quite human and aren't traditional machines. So how do you secure workflows that involve humans using AI to access sensitive data, and do it at machine speed and scale? David breaks down the challenges and discusses actual implementations of IAM for AI to explain how to solve them.
Segment Resources:
https://aembit.io/case-study/a-300b-investment-firm-secures-claude-access-with-aembit/ https://aembit.io/blog/aembit-now-secures-microsoft-copilot-studio-agents/ https://www.youtube.com/watch?v=cSInzRUXvNcThis segment is sponsored by Aembit. Get the cloud security alliance survey on AI Identities at https://securityweekly.com/aembitidv
Show Notes: https://securityweekly.com/asw-389
-
Interview with Adriel Desautels - the pentest is broken
Adriel joins us for a discussion on the state of penetration testing, why it hasn't done much to help security teams over the last 20 years, and why AI won't save it.
Segment Resources:
https://hbr.org/2026/04/boards-are-falling-short-on-cybersecurity https://www.scworld.com/perspective/how-to-build-a-breach-ready-security-posture-without-the-enterprise-price-tag https://netragard.com/blog/what-is-penetration-testing/ Topic: Why Meta is destroying its engineering organizationThe titular essay: https://newsletter.pragmaticengineer.com/p/why-is-meta-destroying-its-engineering
A very interesting analysis of what's going on inside big tech companies as they try to dogfood their own AI hype and tokenmaxx themselves into oblivion. There have been a LOT of stories on this, but this is the most comprehensive and enlightening. A few more are linked below.
This is relevant to security, because heavier AI use appears to be linked to a much higher occurrence of availability and security issues.
'Tell Him He's a Piece of Shit': Meta's New AI Unit Is a Total Mess The Newest Instagram "Exploit" is the Goofiest I've Seen Meta CTO Andrew Bosworth Admits the Company's AI Reorg Was 'Atrocious' Meta's months-old AI unit is a soul-crushing gulag, say the engineers stuck inside it The Weekly Enterprise NewsFinally, in the enterprise security news,
an AI vibe check An AI SOC vendor shuts down Cybersecurity vendor layoffs funding & acquisitions cascading breaches digital estate management criminals don't trust AI either some devs won't code without AI, even if you pay them to Midjourney is now a healthcare company?All that and more, on this episode of Enterprise Security Weekly.
Show Notes: https://securityweekly.com/esw-465
-
First up is Sandy Bird from Sonrai discussing how to protect our cloud infrastructure!
This segment is sponsored by Sonrai Security. Visit https://securityweekly.com/sonrai to learn more about them!
Next up in the security news:
Help, I am Fortibleeding Cisco SD-WAN needs help The secret life of probe requests Help, I am Squidbleeding XSS to RCE and why CVSS isn't the full picture TVs spy on you Foundational security practices Cybersecurity costs money Happy "Its too late to update your KEK key" day You don't have security flaws if no one can report them Rickrolling FIFA Domain takeovers End of life, out of luck The key to Encryption...Show Notes: https://securityweekly.com/psw-932
-
The 2026 Verizon DBIR has arrived and the results are in... Even with a substantial increase in Exploitation of Vulnerabilities, All Credential Abuse is still the top initial access vector for breaches, which means the human is still the weakest link. Why haven't security awareness training and phishing campaigns worked?
Robert Siciliano, Architect of of The Strategic Human Firewall™ at ProtectNow, joins Business Security Weekly to explore why humans, not hackers, are the ultimate deciding factor in organizational security. The industry needs to shift from security awareness to security appreciation. Robert will discuss:
How you can build a culture that actually protects your people, your data, and your operations in an era of AI deception. Why most companies are still performing 'Security Theater'—checking boxes and hoping for the best—instead of driving genuine behavior change. How Trust and Denial quietly fuel most disasters, why interactive training is the only way to make the lessons stick, and how leaders can scale this entire framework without needing a Hollywood budget.Segment Resources:
https://protectnowllc.com/ai-cyber-security-keynote-speaker/
In the leadership and communications segment, Should CEOs Be Held Personally Accountable for Cyber Attacks?, Placing communication at the center of every leadership transition, AI isn't solving cybersecurity workforce woes, and more!
Show Notes: https://securityweekly.com/bsw-453
-
Appsec has seen machine identities from daemons and processes to services, microservices, and cloud accounts. And now we have agents. Ev Kontsevoy talks about what it means to have engineers and agents interacting in an environment, and why a focus on actions can be more effective than roles. One of the biggest challenges in securing agents along with all of the other identities that organizations manage is how fragmented that management has become. But a unified engineering view of identities is just a start. Once you're able to shift to a practice where access is granted based on attributes and limited durations, then your environment becomes more resilient to mistakes and unexpected actions, not to mention the security concerns that come with agents acting on their own.
Who Is Responsible for an AI Agent's Actions? As AI agents gain the ability to access systems, invoke tools, and take action on behalf of users, organizations need clear frameworks that define responsibility for machine-driven decisions and outcomes. This segment examines how accountability, delegation, and attribution can be established across users, developers, security teams, and business stakeholders. Neha will explore how governance models support transparent, auditable agent-driven workflows while helping organizations manage risk and maintain trust.
This segment is sponsored by P0 Security. Visit https://securityweekly.com/p0idv to learn more about them!
The rapid rise of agentic AI and non-human identities is fundamentally reshaping the future of identity security, challenging traditional IAM and PAM models built around predictable human behavior. In this executive interview at Identiverse 2026, Amit Masand discusses how autonomous systems, AI agents, and machine identities are creating new operational and governance challenges for modern enterprises. Drawing from more than two decades of industry experience, the conversation explores the growing complexity of continuous governance in a world where identities increasingly operate at machine speed.
Segment Resources: https://www.idmexpress.com/post/preventing-cybersecurity-incidents-through-managed-services https://www.idmexpress.com/post/cyberark-securing-aws https://www.idmexpress.com/post/turning-roadblocks-into-breakthroughs-a-custom-oracle-pam-integration-story
Contact IDMEXPRESS! Secure Your Tomorrow, Today: https://securityweekly.com/idmidv
Show Notes: https://securityweekly.com/asw-388
-
Interview with Ankita Gupta, CEO of Akto
How to Navigate Shadow AI Risk in the enterprise
This week, we discuss AI governance in the enterprise, starting with the nuts and bolts of how to discover and understand shadow AI. Following that, we dive into what security and tech leaders should do next with this information: apply guardrails? Limit vendor options?
Ankita has a wealth of experience and anecdotes to share here, from years of working with customers and seeing all the unexpected things that happen with AI in today's workplace.
Segment Resources:
Website: https://www.akto.io Book a Free Demo: https://www.akto.io/agentic-security-demo LinkedIn: https://www.linkedin.com/company/akto-io YouTube: https://www.youtube.com/@aktodotioThis segment is sponsored by Akto. Visit https://securityweekly.com/akto to secure your AI agents before attackers do.
Topic Segment: Verizon's Breach Impact StudyThe same team that delivers the DBIR every year gave us a bonus, based on over 70,000 insurance claims!
Some of my favorite insights:
Cost of breaches, broken out by SMB, mid-sized enterprise, and large The claim amount as a percentage of the company's revenue Losses broken down by loss TYPEThis data validates something I think everyone in cyber needs to understand: cyber events are rarely business-ending events. Every cybersecurity professional and vendor, frustrated by companies "not taking security seriously enough" now have data explaining why: breaches don't hurt as much as you thought they did. Maybe you think they should hurt more? Push for regulation/fines/etc.
With that said, the report also shows breach costs increasing significantly over the past 6 years and the quantity of incidents shooting up. Specifically, the median impact has almost doubled.
Security failures aren't getting any cheaper.
Weekly Enterprise NewsFinally, in the enterprise security news,
A $100M seed round! Accenture acquires 3 security vendors Some thoughts on the government takedown of Fable and Mythos One of the craziest security mistakes I've ever seen, in the software FIFA uses to manage World Cup streams! A Critical Copilot vulnerability 75,000 Fortinet Firewalls get compromised Remediation is broken Using guardrails to evade detectionAll that and more, on this episode of Enterprise Security Weekly.
Show Notes: https://securityweekly.com/esw-464
-
Doug and Rob Allen talk about Identity, EDR, Your Great Aunt Ida Meets some hot firefighters, and more.
Segment Resources:
Qilin and Warlock Ransomware Use Vulnerable Drivers to Disable 300+ EDR Tools: https://thehackernews.com/2026/04/qilin-and-warlock-ransomware-use.html
This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!
Show Notes: https://securityweekly.com/swn-591
-
In the security news this week:
GPS spoofing and satellite jamming are getting way too accessible Rekeying satellites in orbit sounds terrifying Cyber extortion and whether criminals still have ethics AI helping cybersecurity research... and drug discovery Data centers eating regional power grids Nuclear, solar, natural gas, and the future of AI infrastructure What happens when GPS stops being trustworthy? Satellite constellations as the next critical infrastructure target AI guardrails and why sci-fi warned us first Cyber ranges that don't simulate reality anymore The weird morality line between hackers, scammers, and criminals Future satellite warfare without calling it warfare Security standards for infrastructure nobody thought would be online Historical cybersecurity stories that suddenly feel very current Why AI changes both offense and defense simultaneously And how much of modern cyber defense is just educated guessingShow Notes: https://securityweekly.com/psw-931
-
The browser has become the primary gateway to work, data, and AI. In this episode, Arunesh Chandra, Head of Product, Microsoft Edge for Business at Microsoft Edges for Business, will discuss why security and IT teams are rethinking the role of the browser and what sets Edge for Business apart as a secure, enterprise-ready solution. Arunesh cover how built-in security, native integration with existing IT tools, and centralized management can simplify operations, reduce risk, and support modern work across managed devices, BYOD, and contractors. A must listen for IT pros and security experts navigating browser sprawl and AI adoption.
This segment is sponsored by Microsoft Edge for Business. Visit https://securityweekly.com/edgeforbusiness to learn more about them!
In the leadership and communications segment, CISO role changes as cyber-risk appetites in the C-suite grow, AI is exposing the biggest weakness in cybersecurity: We never built a health model. Until now!, 6 Ways Leaders Harness Stress, and more!
Show Notes: https://securityweekly.com/bsw-452
-
Agents and LLMs are creating and reviewing code. They're a new tool to help developers write software and they're a new abstraction layer for expressing what code should do. But if we're focused on determining whether code is secure, where do we focus our attention on ensuring a secure outcome? Matias Madou talks about the challenges of finding metrics to help answer these questions. We walk through many of the questions we'd like to see answered and our desire to see appsec (finally?) shift out of a find-and-fix mode into a future of secure design.
Show Notes: https://securityweekly.com/asw-387
-
Interview with Shiva Pillay from Veeam
Safe AI at Scale
AI investment is exploding, yet nearly 90% of enterprise initiatives fail because the data powering AI cannot be trusted. That's the uncomfortable truth the industry is facing right now. Safe AI at scale requires more than just great models—it demands trusted, governed, and recoverable data.
This segment is sponsored by Veeam. Visit https://securityweekly.com/veeam to learn more about them!
Segment resources:
Veeam Launches New Data and AI Trust Maturity Model to Help Organizations Benchmark AI Readiness Topic: Sure, we know how initial access works, but what about lateral movement?A special topic segment where we're joined by Albert Estevez Polo, field CTO for Zero Networks (a community guest, not a podcast sponsor). Zero Networks just released some very interesting data on what attackers are doing after they gain access to victim's environments and how they're doing it.
Segment Resources:
Link to report page Weekly Enterprise Security NewsFinally, in the enterprise security news,
Funding and acquisitions Good news, Mythos isn't dangerous anymore! An excellent breach analysis Cyber insurance rates are dropping, but there's a catch CISA updates vulnerability remediation guidance Zoom calls are worse than you think, and maybe not for the reasons you think Remember when it was illegal to rip DVDs?All that and more, on this episode of Enterprise Security Weekly.
Show Notes: https://securityweekly.com/esw-463
- Laat meer zien