Podcasts about sboms

  • 140PODCASTS
  • 336EPISODES
  • 45mAVG DURATION
  • 1EPISODE EVERY OTHER WEEK
  • Jun 15, 2026LATEST

POPULARITY

20192020202120222023202420252026


Best podcasts about sboms

Latest podcast episodes about sboms

ChannelBuzz.ca
The Buzz: HPE Discover kicks off, Cato Networks launches integration hub, and Checkmarx report flags CISO pressure on security compliance

ChannelBuzz.ca

Play Episode Listen Later Jun 15, 2026 5:31


Today’s headline news for Canadian IT solution providers: HPE Discover 2026 kicks off: HPE Discover 2026 opens today at The Venetian in Las Vegas with the Partner Growth Summit, the partner-exclusive day that precedes the main conference. The General Session – “The Power of One” – is led by HPE channel head Simon Ewington and focuses on HPE’s unified partner strategy under the HPE Partner Ready Vantage program, spanning networking, cloud, and AI. This is the first Partner Growth Summit since HPE’s $14 billion Juniper Networks acquisition closed, and HPE is presenting partners with a fully unified portfolio story for the first time. ChannelBuzz.ca is on the ground all week: Tuesday’s Buzz will feature a full Partner Growth Summit recap, and In The Channel this week features a multi-part series with Jeremiah Jenson, HPE’s vice president of North America channel and partner ecosystem, covering the Discover announcements in depth. Cato Networks launches integration hub: Cato Networks has launched a new Technology Partner Program and a Platform Integration Hub, debuting with more than 100 out-of-the-box integrations with third-party security, cloud, and networking solutions. The SASE provider says the program is designed to simplify how partners and customers connect Cato’s platform with existing enterprise technology stacks. The move is significant for Canadian MSPs and MSSPs: a robust integration catalog reduces the custom API work that often slows deployment and increases delivery costs, making it easier to position Cato alongside the broader tools in a customer’s security environment. Checkmarx flags CISO compliance pressures: A new 2026 Future of Application Security Report from Checkmarx, based on a survey of more than 2,000 developers and CISOs, found that 95 per cent of CISOs report being pressured to suppress or delay compliance-related security issues when business deadlines loom. The research also highlights how AI-generated code is expanding the attack surface faster than many security teams can manage. For Canadian MSSPs, the data reinforces the value of independent, third-party security oversight – and the case for structured application security as a managed service. Dataminr and TD SYNNEX partner on AI cyber defense: Dataminr has signed a strategic distribution agreement with TD SYNNEX, making Dataminr for Cyber Defense available to more than 35,000 North American resellers. The platform combines external risk signals with internal telemetry to help security teams prioritize threats in real time. For Canadian partners already working with TD SYNNEX, the deal adds an AI-driven threat intelligence offering to the distributor’s security portfolio at a time when customers are asking for earlier warning around cyber risk. inforcer launches Microsoft 365 TDR platform: inforcer has launched inforcer Threat Detection and Response, a new platform that gives MSPs a single environment to manage detection, incident response, and reporting across the full Microsoft 365 estate – including Entra, Defender, Purview, Teams, and SharePoint. According to the company, the platform’s advantage is its existing policy and configuration context for each tenant, which it says allows the detection engine to separate real threats from alert noise. The product launched in early access at Pax8 Beyond last week. ConnectSecure introduces Patch 360: ConnectSecure has launched Patch 360, a patch management solution designed specifically for MSPs. According to the company, the platform gives MSPs more control over patch prioritization, testing, and approval workflows, and is designed to reduce deployment risk while accelerating patching across operating systems and third-party applications. NetRise launches Discovery Partner Program: Software supply chain security firm NetRise has launched the Discovery Partner Program for VARs, MSSPs, distributors, and systems integrators. The program provides partners access to the NetRise Platform, which analyzes compiled software artifacts – including binaries, firmware, and containers – to identify components and risks that may not appear in source-code scans or vendor-provided SBOMs. NetRise is positioning the program as a way for partners to address growing customer demand for independent software supply chain verification. Read Full Transcript This episode of The Buzz is brought to you by HPE Discover 2026. HPE Discover runs June 15 to 18 at The Venetian in Las Vegas. Discover what’s next at hpe.com/discover. Welcome to The Buzz from ChannelBuzz.ca, I’m Robert Dutt, today is Monday, June 15th, and here’s what’s happening in the channel today. The biggest event on HPE’s calendar opens today at The Venetian Convention and Expo Center in Las Vegas, and ChannelBuzz.ca is on the ground for the full week. But before the main conference opens to the broader audience tomorrow, today belongs exclusively to the channel. The HPE Partner Growth Summit – the partner-only day that kicks off Discover week – is underway as you’re hearing this. The centrepiece is the General Session called “The Power of One,” led by HPE channel head Simon Ewington alongside a lineup of HPE senior executives. The name captures the message HPE is sending its partner ecosystem heading into the back half of 2026: one comprehensive portfolio, one unified program under HPE Partner Ready Vantage, and one integrated experience across networking, cloud, and AI. The afternoon breakout agenda is dense – covering GreenLake and hybrid cloud, Aruba networking with AI, monetizing accelerated compute and agentic workloads, and HPE’s evolving service provider story. It’s also worth noting the context: this is the first Partner Growth Summit since HPE’s $14 billion acquisition of Juniper Networks cleared regulatory review and officially closed. Partners are getting their first look at a fully unified networking and compute story from a company that can now tell it cleanly. We’re bringing you the announcements as they happen all week.  In just a couple of hours on In The Channel, I’ll help you get ready for Discover, as I preview the event with the help of none other than Jeremiah Jenson, HPE’s vice president of North American channel and partner ecosystem.  Tomorrow on The Buzz, we’ll have all the news from Partner Growth Summit, and tomorrow’s In The Channel will also feature Jenson, as we take a deeper dive into the HPE’s partner programs and where he sees the biggest opportunities for the channel right now. Be sure to stick with us all week as we bring you full coverage from Vegas. Cato Networks is expanding its ecosystem with the launch of a new Technology Partner Program and a Platform Integration Hub. The SASE provider says the hub debuts with more than 100 integrations out of the box, offering streamlined connectivity with third-party security, cloud, and networking solutions. According to Cato, the program is designed to simplify how partners and customers integrate its platform with existing enterprise technology stacks, reducing friction and speeding up deployments. A vendor-led integration effort at this scale matters for the channel. As enterprise environments grow more layered and complex, MSPs rely on platforms that connect cleanly to an existing stack rather than requiring months of custom API work. Out-of-the-box integrations mean less time troubleshooting compatibility and more time delivering security outcomes to clients. It’s worth noting that Cato’s channel chief said earlier this year that seven out of ten deals the company closes are already partner-led. A stronger integration story could deepen that dependence on the channel by making it easier for MSPs and MSSPs to position Cato alongside the other tools in a customer’s security stack. A report released last week by application security vendor Checkmarx is putting hard numbers on a dynamic that security-focused channel partners have likely been seeing for some time. The 2026 Future of Application Security Report, based on a survey of more than 2,000 developers and CISOs, found that 95 per cent of CISOs say they have been pressured to suppress or delay compliance-related security issues when business deadlines loom. Compounding the problem: the adoption of AI-generated code is accelerating, which Checkmarx says is multiplying the attack surface in production environments faster than many security teams can manage. The business case for external, independent security oversight has rarely been clearer. When internal security leaders are being overruled on vulnerability management, an MSP or MSSP operating as a neutral third party – accountable to security outcomes rather than product launch timelines – steps into a genuine gap. The data also validates the case for application security as a structured managed service. As AI-generated code becomes standard in the development pipeline, organizations that can’t close that gap internally will need to find a partner who can. In Brief – Dataminr and TD SYNNEX have signed a distribution agreement that makes Dataminr for Cyber Defense available to more than 35,000 North American resellers through TD SYNNEX’s channel network.  Security vendor inforcer has launched inforcer Threat Detection and Response, a new platform designed to give MSPs a single environment to manage detection, incident response, and reporting for Microsoft 365.  ConnectSecure has introduced Patch 360, a patch management solution built specifically for MSPs that the company says reduces deployment risk while accelerating patching across operating systems and third-party applications.  NetRise has launched the Discovery Partner Program, targeting VARs, MSSPs, distributors, and systems integrators with software supply chain security capabilities built around compiled binary analysis rather than source code or vendor-provided SBOMs.  Full details and links in the show notes or the blog post. That’s how we’re seeing the headlines today. I’m Robert Dutt for ChannelBuzz.ca, thanks for listening. Have a great day.

Cyber Security Headlines
The Department of Know: GemStuffer attack, AI SBOMs, and AI-created zero-days

Cyber Security Headlines

Play Episode Listen Later May 15, 2026 34:47


This week's Department of Know is hosted by Rich Stroffolino, with guests Gary Chan, CISO, SSM Health and Peter Liebert, CISO, Salesloft. Missed the live show? Check it out on YouTube. The Department of Know is live every Friday at 4:00 p.m. ET. Join us each week by registering for the open discussion at CISOSeries.com. Huge thanks to our sponsor, Doppel Social engineering attacks look trustworthy — a routine request, an internal email, a familiar face on a call. But Doppel sees through the disguise. Our AI-native platform detects and disrupts attacks across every channel, while training employees to recognize deepfakes and deception. We fight relentlessly to protect your business, brand, and people. Doppel. Outpacing what's next in social engineering. Learn more at doppel.com.

PolySécure Podcast
Actu - 10 mai 2026 - Parce que... c'est l'épisode 0x2F6!

PolySécure Podcast

Play Episode Listen Later May 11, 2026 53:42


Parce que… c'est l'épisode 0x2F6! Shameless plug 9 au 17 mai 2026 - NorthSec 2026 3 au 5 juin 2026 - SSTIC 2026 24 et 25 juin 2026 - Troopers 26 et 27 juin 2026 - leHACK 19 septembre 2026 - Bsides Montréal 1 au 3 décembre 2026 - Forum INCYBER - Canada 2026 24 et 25 février 2027 - SéQCure 2027 Notes IA ou Ghost in the shell Mythos ou le grand réveil Mozilla says AI helped squash 423 Firefox security bugs Opinion: Actually, Mythos is the best cybersecurity news we've ever had Spooked by Mythos, Trump suddenly realized AI safety testing might be good AI-BOMs replace SBOMs as way to track AI agents and bots AI didn't delete your database, you did Chrome installe en douce un modèle IA de 4 Go sur votre disque sans rien demander Malicious OpenClaw DeepSeek Skill Exploits Agentic AI Workflows to Deliver RAT and Stealer Hackers Hate AI Slop Even More Than You Do Thousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open Web Kevin Beaumont: “got owned by teenagers copying and pasting commands from PDFs written in 2019 by Jurass1cKn0b316” - Cyberplace La guerre, la guerre, c'est pas une raison pour se faire mal! Inside Israel's AI targeting system: How data from a phone become a death sentence Polish intelligence warns hackers attacked water treatment control systems Souveraineté ou vive le numérique libre! DHS Demanded Google Surrender Data on Canadian's Activity, Location Over Anti-ICE Posts Privacy ou cachez ces informations que je ne saurais voir Apple Security Updates: What They Mean for Mac and iPhone Privacy (1) Alberta voter list leak is a potential public safety disaster: Enforcement experts Canadian election databases use “canary traps”—and they work A college student is suing a dating app that allegedly used her TikTok videos to target men in her dormitory PSA: Instagram Encrypted Messaging Ends on Friday, May 8 I am the law Protégeons nos enfants 16% of Parents Help Their Children Bypass Online Age Checks, Study Finds. One 15-Year-Old Just Uses a Fake Moustache Some children are drawing on fake moustaches to bypass online age checks, report finds Meta, Zuckerberg Sued Over Alleged Copyright Infringement by Book Publishers and Scott Turow One House Democrat is pressing Commerce on the government's spyware use Elon Musk faces criminal probe in France after ignoring summons in X case France Moves to Break Encrypted Messaging Red ou tout ce qui est brisé Copy for the fail CISA says ‘Copy Fail' flaw now exploited to root Linux systems ‘Copy Fail' is a real Linux security crisis wrapped in AI slop Ransomware is getting uglier as cybercriminals fake leaks and skip encryption entirely Microsoft Edge Stores Passwords in Process Memory, Posing Risk VoidStealer Malware Darts Past Google Chrome's Encryption Azure AD Conditional Access Bypassed Through Phantom Device Registration and PRT Abuse White House App Is a Terrifying Security Mess Guessable admin password exposes sloppy network security 60% of MD5 password hashes are crackable in under an hour Blue ou tout ce qui améliore notre posture Security Through Obscurity Is NOT Bad Achieving CVE Remediation in an Era of Escalating Vulnerabilities Divers ou parce que j'ai aucune idée où les placer 1 in 8 workers say selling company logins is justifiable Kevin Beaumont: “Always good when your EDR provider gets hit by a ransomware group.” - Cyberplace Collaborateurs Nicolas-Loïc Fortin Crédits Montage par Intrasecure inc Locaux réels par Moxy Montreal Downtown

The InfoQ Podcast
How SBOMs and Engineering Discipline Can Help You Avoid Trivy's Compromise

The InfoQ Podcast

Play Episode Listen Later Apr 13, 2026 37:43


Viktor Peterson, part of the CISA task force working on SBOM blueprints and co-founder of sbomify, explores the shifting landscape of software supply chain security as the EU's Cyber Resilience Act (CRA) comes into force, a "GDPR moment" for the industry. Beyond mere compliance, Peterson argues that SBOMs provide significant operational value as tools for automated security audits and license management, provided they are generated using ecosystem-specific tools rather than generic scanners. He also points to providing critical security insights into the risks of weaponised code, citing recent incidents where security tools themselves became attack vectors, and emphasises the need for vendor-neutral discovery mechanisms like the Transparency Exchange API (TEA) to secure the software lifecycle. Read a transcript of this interview: https://bit.ly/41eFG34 Subscribe to the Software Architects' Newsletter for your monthly guide to the essential news and experience from industry peers on emerging patterns and technologies: https://www.infoq.com/software-architects-newsletter Upcoming Events: QCon AI Boston 2026 (June 1-2, 2026) Learn how real teams are accelerating the entire software lifecycle with AI. https://boston.qcon.ai QCon San Francisco 2026 (November 16-20, 2026) https://qconsf.com/ The InfoQ Podcasts: Weekly inspiration to drive innovation and build great teams from senior software leaders. Listen to all our podcasts and read interview transcripts: - The InfoQ Podcast https://www.infoq.com/podcasts/ - Engineering Culture Podcast by InfoQ https://www.infoq.com/podcasts/#engineering_culture - Generally AI: https://www.infoq.com/generally-ai-podcast/ Follow InfoQ: - Mastodon: https://techhub.social/@infoq - X: https://x.com/InfoQ?from=@ - LinkedIn: https://www.linkedin.com/company/infoq/ - Facebook: https://www.facebook.com/InfoQdotcom# - Instagram: https://www.instagram.com/infoqdotcom/?hl=en - Youtube: https://www.youtube.com/infoq - Bluesky: https://bsky.app/profile/infoq.com Write for InfoQ: Learn and share the changes and innovations in professional software development. - Join a community of experts. - Increase your visibility. - Grow your career. https://www.infoq.com/write-for-infoq

ITSPmagazine | Technology. Cybersecurity. Society
The Illusion of Transparency: What Most Organizations Don't Know About Their Software and AI Supply Chains | A Brand Spotlight at RSAC Conference 2026 with Daniel Bardenstein, CEO and Co-Founder of Manifest Cyber

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Apr 1, 2026 23:13


Daniel Bardenstein, CEO and co-founder of Manifest Cyber, opens with a candid assessment: the fundamental problem hasn't changed since Log4Shell. Organizations still don't understand what's inside the software and AI they build and buy. A recent Manifest Cyber study found a 40-50% gap between how well CISOs believed their security posture was managed and how their own AppSec teams rated the reality. Traditional SCA tools bury analysts in alerts without enabling response. Third-party tools hand out letter grades without reflecting actual empirical risk. The result is what Bardenstein calls the illusion of transparency -- confidence in visibility that doesn't actually exist. The hidden sources of risk go deeper than most teams realize. C/C++ code underpins critical infrastructure across medical devices, automotive, defense, and financial services -- yet most scanning tools can't effectively analyze it. Third-party binaries carry serious risk that vendors rarely disclose. Open source libraries that haven't been updated in years represent quiet exposure. And AI adoption is adding a new layer of opacity: datasets of unknown provenance, open-weight models with untested risk profiles, and AI-embedded applications where organizations have no visibility into what models or agents are operating underneath. Bardenstein frames the path forward in three dimensions: rapid response when a new issue emerges, proactive inventory and monitoring of critical dependencies, and supply chain risk stopped at the procurement gate before it enters the enterprise. When customers demand SBOMs as a condition of doing business, vendors improve -- and those improvements flow to all their other customers as well. Manifest Cyber sees this market dynamic as one of the most powerful forces for making the software ecosystem more secure. The conversation also takes on accountability. Drawing on his time leading technology strategy at CISA, Bardenstein argues that the burden of transparency must fall on the people who write software, not those who buy and use it. The "transparency tax" -- the hidden cost of cheap or opaque technology -- only surfaces after something goes wrong, in the form of incident response, people-hours, and exposure. Compliance drivers like the EU Cyber Resilience Act are reinforcing this shift, but market pressure from major banks, pharmaceutical companies, and government is already moving faster than regulation. Manifest Cyber automates the hard work: generating SBOMs, analyzing binaries, surfacing risk in C/C++ and third-party dependencies, and enabling fast, owner-assigned remediation. One customer went from zero to generating SBOMs across their entire fleet in 90 seconds -- without touching a command line. The platform is built to keep engineer velocity high, surface risk in plain language for procurement and risk teams, and make supply chain security accessible to the entire organization, not just the AppSec team. This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight GUEST Daniel Bardenstein, CEO and Co-Founder, Manifest Cyber LinkedIn: https://www.linkedin.com/in/bardenstein/ RESOURCES Manifest Cyber: https://www.manifestcyber.com Are you interested in telling your story? ▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full ▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight ▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight KEYWORDS Daniel Bardenstein, Manifest Cyber, Sean Martin, Marco Ciappelli, brand spotlight, brand marketing, marketing podcast, software supply chain security, SBOM, Software Bill of Materials, AIBOM, AI supply chain, Log4Shell, software transparency, SCA tools, C/C++ security, open source risk, Secure by Design, EU Cyber Resilience Act, supply chain risk management, third-party risk, RSAC Conference 2026, cybersecurity Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

GOTO - Today, Tomorrow and the Future
State of the Art of Container Security • Adrian Mouat & Charles Humble

GOTO - Today, Tomorrow and the Future

Play Episode Listen Later Mar 27, 2026 39:57


This interview was recorded for GOTO State of the Art in November 2025.https://gotopia.techRead the full transcription of this interview here:https://gotopia.tech/articles/425Adrian Mouat - Developer Relations at Chainguard & Author of 'Using Docker'Charles Humble - Freelance Techie, Podcaster, Editor, Author & ConsultantRESOURCESAdrianhttps://bsky.app/profile/adrianmouat.comhttps://twitter.com/adrianmouathttps://github.com/amouathttps://linkedin.com/in/adrianmouathttp://www.adrianmouat.comCharleshttps://bsky.app/profile/charleshumble.bsky.socialhttps://linkedin.com/in/charleshumblehttps://mastodon.social/@charleshumblehttps://conissaunce.comLinkshttps://images.chainguard.devhttps://www.cisa.gov/sbomhttps://www.chainguard.dev/supply-chain-security-101/the-npm-registry-cant-protect-you-the-new-javascript-supply-chain-attackshttps://oxide-and-friends.transistor.fm/episodes/discovering-the-xz-backdoor-with-andres-freundhttps://edu.chainguard.devDESCRIPTIONIn this State of the Art episode, Charles Humble speaks with Adrian Mouat, Developer Relations at Chainguard and author of "Using Docker", about the evolution of container security and the persistent challenge of outdated packages.Adrian explains how traditional Linux distributions weren't designed for the immutable, frequently-replaced nature of containers, leading to security vulnerabilities that scanners detect but teams struggle to address. He discusses how Chainguard tackles this problem by building everything from source using Wolfi, creating minimal "distroless" images with near-zero CVEs, and how concepts like SBOMs, attestations, and defense in depth are reshaping security practices.The conversation also covers major security incidents including the XZ Utils backdoor and Shai-hulud attacks, emphasizing the importance of building from source, using short-lived credentials, and replacing rather than updating containers – practices pioneered by companies like Google that are gradually spreading across the industry.RECOMMENDED BOOKSAdrian Mouat • Using Docker • https://amzn.to/3PEYIJLLiz Rice • Container Security • https://amzn.to/3oU4iJeLiz Rice • Kubernetes Security • https://www.oreilly.com/library/view/kubernetes-security/9781492039075BlueskyInstagramLinkedInFacebookCHANNEL MEMBERSHIP BONUSJoin this channel to get early access to videos & other perks:https://www.youtube.com/channel/UCs_tLP3AiwYKwdUHpltJPuA/joinLooking for a unique learning experience?Attend the next GOTO conference near you! Get your ticket: gotopia.techSUBSCRIBE TO OUR YOUTUBE CHANNEL - new videos posted daily!

Cybercrime Magazine Podcast
Securing The Build. SBOMs That Actually Matter. Amir Shahmiri, Mend.io.

Cybercrime Magazine Podcast

Play Episode Listen Later Mar 20, 2026 6:36


Amir Shahmiri is the Senior Solutions Engineer at Mend.io. In this episode, he joins host Charlie Osborne to discuss SBOMs that actually matter, including how automation makes SBOMs useful at dev speed, visibility effectiveness, and more. Securing The Build is brought to you by Mend.io, the leading application security solution, helping organizations reduce application risk efficiently. To learn more about our sponsor, visit https://mend.io.

securing mend sboms senior solutions engineer
ITSPmagazine | Technology. Cybersecurity. Society
Software Supply Chains, AI Risk, and the Transparency Gap | A Brand Spotlight with Daniel Bardenstein of Manifest | RSAC 2026

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Mar 14, 2026 21:55


As RSAC 2026 approaches, Daniel Bardenstein, CEO and Co-Founder of Manifest, joins hosts Sean Martin and Marco Ciappelli to unpack the growing disconnect between how security leaders perceive their AI and software supply chain posture and what practitioners on the ground actually experience. Drawing from Manifest's new research report — Beyond the Black Box — Bardenstein connects the dots between shadow AI, SBOM adoption gaps, and a dangerous pattern: history is repeating itself as organizations rush to adopt AI with the same disregard for security that characterized the early cloud era.   In a wide-ranging pre-event conversation ahead of RSAC 2026, Daniel Bardenstein, CEO and Co-Founder of Manifest, explores what it means to truly secure the software and AI supply chain — not just check the compliance box. Manifest's new research report, Beyond the Black Box, surveyed more than 300 security and AI leaders globally to understand the reality of AI adoption and software supply chain risk. One of the most striking findings was not a statistic, but a structural problem: a significant perception gap exists between how confident executive security leadership feels about their AI security posture and how unprepared frontline practitioners actually are. Where there is misalignment, Bardenstein notes, there is risk.   The conversation draws a vivid parallel to the cloud adoption wave of a decade ago, when organizations rushed to SaaS and cloud infrastructure without thinking through security implications — and gave birth to entire new industries to clean up the mess. Today, the same dynamic is playing out with AI. Nearly two-thirds of the survey respondents reported encountering shadow AI within their organizations, as employees freely use tools like ChatGPT, DeepSeek, or locally downloaded models without centralized governance. When that AI eventually gets embedded into software that organizations build, deploy, and sell, the blind spots compound.   SBOMs — software bills of materials — represent a promising step toward supply chain transparency, and Bardenstein credits the US government's regulatory nudging for driving adoption. Manifest's research shows that roughly 60% of organizations are now generating SBOMs, a meaningful milestone. But generation is not governance. Too many organizations treat an SBOM as a compliance artifact — a JSON file on a hard drive — rather than an operational tool that could dramatically accelerate vulnerability response, regulatory compliance, and incident management. The prescription has been filled; it's just not being taken.   To reframe the urgency, Bardenstein introduces the concept of the "transparency tax" — the hidden cost organizations pay in time, money, and risk when they build or buy opaque technology. Just as consumers demand ingredient labels on food, Carfax reports on used cars, and active ingredient disclosures on prescriptions, the technology sector needs to normalize the same transparency for software and AI. For organizations willing to do the math, the case for investing in supply chain visibility becomes not just a security argument, but a business one.   Heading into RSAC 2026, Manifest will not have a booth but will be active across the conference floor, meeting with customers, partners, and prospects. Bardenstein will appear on an invite-only panel alongside leadership from Corridor Dev, 1Password, and Google to discuss secure software and secure AI. The team is also planning to announce new platform capabilities designed to close the governance gaps their research surfaced — helping organizations move fast without creating the kind of blind spots that make AI adoption a liability rather than an advantage.   Tune in for this sharp, candid pre-event conversation — and look for the full on-location Brand Spotlight recorded live at RSAC 2026 in San Francisco.  

Paul's Security Weekly
Breaking in with CrashFix, supply chain security, and CMMC phase 1 - David Zendzian, Anna Pham, Jacob Horne - ESW #449

Paul's Security Weekly

Play Episode Listen Later Mar 9, 2026 94:33


Interview with Anna Pham Breaking in with ClickFix: Anatomy of a modern endpoint attack Cybersecurity company Huntress just published a report on a new ClickFix variant they've discovered, which they've dubbed CrashFix. This technique was developed by KongTuke to serve as the primary lure within a new custom malicious browser extension also created by the group. In short, the team observed the threat actors using KongTuke's malicious browser extension to display a fake security warning, claiming the browser had “stopped abnormally” and prompting users to run a “scan” to remediate the threats. Upon “running the scan,” the user is presented with a fake “Security issues detected” alert and instructed to manually “fix” the issue by opening the Windows Run dialog, pasting from their clipboard, and pressing Enter. The malicious extension silently copies a PowerShell command to the clipboard, disguised as a legitimate repair command. From there, they execute the malicious command. Segment Resources: BLOG - Dissecting CrashFix: KongTuke's New Toy Interview with David Zendzian Continuous compliance and real security lifecycle management Supply chain attacks are not just on the rise; attackers are learning from the past, making these attacks even more effective and dangerous than before. It was just over a month ago when the Shai-Hulud attack first impacted NPM packages, forcing enterprises around the world into lockdown. While only 187 packages were compromised in that initial incident, it served as a wake-up call for many: an accurate inventory of systems is good, but a clear, real-time Software Bill of Materials (SBOM) for applications is non-negotiable. In this world of manifest based infrastructure and container based applications with (real) "devsecops", the dream of continuous upgrades of OS/Runtime/Stack/App and App Dependencies is very mature and there are solid examples of companies and federal entities managing this at scale without thousands of teams and people. Segment Resources: BLOG - Supply Chain Security: How accurate SBOMs can deliver proactive threat mitigation Interview with Jacob Horne CMMC Phase 1 Enforcement — What the November 10 Deadline Means for the Defense Supply Chain With the upcoming CMMC Phase 1 enforcement on November 10, cybersecurity teams across the defense and federal supply chain are facing new compliance requirements that directly affect contract eligibility and data-protection standards. Jacob Horne, Chief Cybersecurity Evangelist at Summit 7, can break down what this milestone means for enterprise security leaders, MSPs/MSSPs, and contractors preparing for audits. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-449

Enterprise Security Weekly (Audio)
Breaking in with CrashFix, supply chain security, and CMMC phase 1 - David Zendzian, Anna Pham, Jacob Horne - ESW #449

Enterprise Security Weekly (Audio)

Play Episode Listen Later Mar 9, 2026 94:33


Interview with Anna Pham Breaking in with ClickFix: Anatomy of a modern endpoint attack Cybersecurity company Huntress just published a report on a new ClickFix variant they've discovered, which they've dubbed CrashFix. This technique was developed by KongTuke to serve as the primary lure within a new custom malicious browser extension also created by the group. In short, the team observed the threat actors using KongTuke's malicious browser extension to display a fake security warning, claiming the browser had "stopped abnormally" and prompting users to run a "scan" to remediate the threats. Upon "running the scan," the user is presented with a fake "Security issues detected" alert and instructed to manually "fix" the issue by opening the Windows Run dialog, pasting from their clipboard, and pressing Enter. The malicious extension silently copies a PowerShell command to the clipboard, disguised as a legitimate repair command. From there, they execute the malicious command. Segment Resources: BLOG - Dissecting CrashFix: KongTuke's New Toy Interview with David Zendzian Continuous compliance and real security lifecycle management Supply chain attacks are not just on the rise; attackers are learning from the past, making these attacks even more effective and dangerous than before. It was just over a month ago when the Shai-Hulud attack first impacted NPM packages, forcing enterprises around the world into lockdown. While only 187 packages were compromised in that initial incident, it served as a wake-up call for many: an accurate inventory of systems is good, but a clear, real-time Software Bill of Materials (SBOM) for applications is non-negotiable. In this world of manifest based infrastructure and container based applications with (real) "devsecops", the dream of continuous upgrades of OS/Runtime/Stack/App and App Dependencies is very mature and there are solid examples of companies and federal entities managing this at scale without thousands of teams and people. Segment Resources: BLOG - Supply Chain Security: How accurate SBOMs can deliver proactive threat mitigation Interview with Jacob Horne CMMC Phase 1 Enforcement — What the November 10 Deadline Means for the Defense Supply Chain With the upcoming CMMC Phase 1 enforcement on November 10, cybersecurity teams across the defense and federal supply chain are facing new compliance requirements that directly affect contract eligibility and data-protection standards. Jacob Horne, Chief Cybersecurity Evangelist at Summit 7, can break down what this milestone means for enterprise security leaders, MSPs/MSSPs, and contractors preparing for audits. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-449

Paul's Security Weekly TV
Breaking in with CrashFix, supply chain security, and CMMC phase 1 - Anna Pham, David Zendzian, Jacob Horne - ESW #449

Paul's Security Weekly TV

Play Episode Listen Later Mar 9, 2026 94:33


Interview with Anna Pham Breaking in with ClickFix: Anatomy of a modern endpoint attack Cybersecurity company Huntress just published a report on a new ClickFix variant they've discovered, which they've dubbed CrashFix. This technique was developed by KongTuke to serve as the primary lure within a new custom malicious browser extension also created by the group. In short, the team observed the threat actors using KongTuke's malicious browser extension to display a fake security warning, claiming the browser had "stopped abnormally" and prompting users to run a "scan" to remediate the threats. Upon "running the scan," the user is presented with a fake "Security issues detected" alert and instructed to manually "fix" the issue by opening the Windows Run dialog, pasting from their clipboard, and pressing Enter. The malicious extension silently copies a PowerShell command to the clipboard, disguised as a legitimate repair command. From there, they execute the malicious command. Segment Resources: BLOG - Dissecting CrashFix: KongTuke's New Toy Interview with David Zendzian Continuous compliance and real security lifecycle management Supply chain attacks are not just on the rise; attackers are learning from the past, making these attacks even more effective and dangerous than before. It was just over a month ago when the Shai-Hulud attack first impacted NPM packages, forcing enterprises around the world into lockdown. While only 187 packages were compromised in that initial incident, it served as a wake-up call for many: an accurate inventory of systems is good, but a clear, real-time Software Bill of Materials (SBOM) for applications is non-negotiable. In this world of manifest based infrastructure and container based applications with (real) "devsecops", the dream of continuous upgrades of OS/Runtime/Stack/App and App Dependencies is very mature and there are solid examples of companies and federal entities managing this at scale without thousands of teams and people. Segment Resources: BLOG - Supply Chain Security: How accurate SBOMs can deliver proactive threat mitigation Interview with Jacob Horne CMMC Phase 1 Enforcement — What the November 10 Deadline Means for the Defense Supply Chain With the upcoming CMMC Phase 1 enforcement on November 10, cybersecurity teams across the defense and federal supply chain are facing new compliance requirements that directly affect contract eligibility and data-protection standards. Jacob Horne, Chief Cybersecurity Evangelist at Summit 7, can break down what this milestone means for enterprise security leaders, MSPs/MSSPs, and contractors preparing for audits. Show Notes: https://securityweekly.com/esw-449

Enterprise Security Weekly (Video)
Breaking in with CrashFix, supply chain security, and CMMC phase 1 - Anna Pham, David Zendzian, Jacob Horne - ESW #449

Enterprise Security Weekly (Video)

Play Episode Listen Later Mar 9, 2026 94:33


Interview with Anna Pham Breaking in with ClickFix: Anatomy of a modern endpoint attack Cybersecurity company Huntress just published a report on a new ClickFix variant they've discovered, which they've dubbed CrashFix. This technique was developed by KongTuke to serve as the primary lure within a new custom malicious browser extension also created by the group. In short, the team observed the threat actors using KongTuke's malicious browser extension to display a fake security warning, claiming the browser had "stopped abnormally" and prompting users to run a "scan" to remediate the threats. Upon "running the scan," the user is presented with a fake "Security issues detected" alert and instructed to manually "fix" the issue by opening the Windows Run dialog, pasting from their clipboard, and pressing Enter. The malicious extension silently copies a PowerShell command to the clipboard, disguised as a legitimate repair command. From there, they execute the malicious command. Segment Resources: BLOG - Dissecting CrashFix: KongTuke's New Toy Interview with David Zendzian Continuous compliance and real security lifecycle management Supply chain attacks are not just on the rise; attackers are learning from the past, making these attacks even more effective and dangerous than before. It was just over a month ago when the Shai-Hulud attack first impacted NPM packages, forcing enterprises around the world into lockdown. While only 187 packages were compromised in that initial incident, it served as a wake-up call for many: an accurate inventory of systems is good, but a clear, real-time Software Bill of Materials (SBOM) for applications is non-negotiable. In this world of manifest based infrastructure and container based applications with (real) "devsecops", the dream of continuous upgrades of OS/Runtime/Stack/App and App Dependencies is very mature and there are solid examples of companies and federal entities managing this at scale without thousands of teams and people. Segment Resources: BLOG - Supply Chain Security: How accurate SBOMs can deliver proactive threat mitigation Interview with Jacob Horne CMMC Phase 1 Enforcement — What the November 10 Deadline Means for the Defense Supply Chain With the upcoming CMMC Phase 1 enforcement on November 10, cybersecurity teams across the defense and federal supply chain are facing new compliance requirements that directly affect contract eligibility and data-protection standards. Jacob Horne, Chief Cybersecurity Evangelist at Summit 7, can break down what this milestone means for enterprise security leaders, MSPs/MSSPs, and contractors preparing for audits. Show Notes: https://securityweekly.com/esw-449

CISSP Cyber Training Podcast - CISSP Training Program
CCT 330: SOC Preparation for Agentic AI Plus Five Skills For Bigger Cyber Security Paychecks

CISSP Cyber Training Podcast - CISSP Training Program

Play Episode Listen Later Mar 9, 2026 33:14 Transcription Available


Send us Fan MailThe ground under cybersecurity careers is shifting, and the fastest movers are pairing CISSP with modern, high-leverage skills that command premium pay. We dig into a practical roadmap: first, how to prepare your SOC for agentic AI with four concrete moves—reskill analysts to supervise and validate models, establish new roles for AI governance and orchestration, redesign playbooks around automation and escalation, and enforce tight guardrails with approvals and audit trails. The goal is simple: turn AI from chaos into a disciplined force multiplier.From there, we unpack five high-income skills that dovetail with CISSP's leadership mindset. Modern GRC is no longer paperwork; it's resilience, litigation exposure, and executive storytelling—with VCISO opportunities that reward clear risk narratives and continuous evidence automation. Cloud security architecture centers on software-defined security, Terraform policies as code, zero trust in Kubernetes, and the legal boundaries of shared responsibility and data residency. AI ethics and governance emerges as the unofficial ninth domain, where shadow AI containment, dataset audits for PII, and prompt-injection testing meet global regulation and model risk policy.We also dive into advanced identity as the new perimeter—taming machine identities, secrets sprawl, and rolling out phishing-resistant FIDO2 to make zero trust real. Finally, we get tactical with software supply chain security: SBOMs, signed artifacts, dependency hygiene, and CI/CD security gates that protect velocity without breaking builds. Along the way, we share market pay signals, “decision architect” expectations for senior roles, and smart bridge certifications like CISM, AI governance credentials, and CISA that accelerate credibility.If you're ready to pivot from “security says no” to “here's how to do it safely,” this is your map. Subscribe, share with a teammate who needs a nudge, and leave a quick review to help more CISSPs find their niche and lead the way.Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox!  Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

@BEERISAC: CPS/ICS Security Podcast Playlist
From NIST to Nation-State: Securing Embedded Systems through Compliance and Trust

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Mar 2, 2026 32:54


Podcast: Exploited: The Cyber Truth Episode: From NIST to Nation-State: Securing Embedded Systems through Compliance and TrustPub date: 2026-02-26Get Podcast Transcript →powered by Listen411 - fast audio-to-text and summarizationIn this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security CEO Joe Saunders and Cordell Robinson, CEO of Brownstone Consulting, to explore how security frameworks like NIST 800-53 are evolving from paperwork exercises into real drivers of security maturity. From continuous monitoring and secure-by-design development to Software Bills of Materials (SBOMs) and vulnerability transparency, the conversation examines what it takes to build trust in embedded and operational technology (OT) systems, especially as regulators sharpen their focus and nation-state threats grow more sophisticated. Together, they explore: Why compliance should cover people, processes, and technology—not just policiesHow NIST frameworks are shifting from checklists to operational rigorThe growing importance of SBOMs in supply chain transparencyHow AI is reshaping both cyber defense and attacker capabilityWhat new regulatory pressure (including the EU Cyber Resilience Act) means for manufacturers Whether you build embedded systems, ship software to government agencies, or manage critical infrastructure, this episode offers practical insight into building compliance programs that strengthen security and earn trust.The podcast and artwork embedded on this page are from RunSafe Security, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Federal Drive with Tom Temin
The White House has scrapped the one‑size‑fits‑all SBOM mandate and told agency leaders to own their cyber risk, now flexibility meets accountability

Federal Drive with Tom Temin

Play Episode Listen Later Feb 20, 2026 11:34


OMB's new memo rescinds the Biden‑era requirements and shifts software and hardware security to an agency‑driven, risk‑based model. SBOMs and attestations move from “must” to “may.” That means CIOs and CISOs can tailor what they ask for from vendors, but they'll also carry the burden of proving those choices keep mission systems safe. We'll dig into what this change unlocks and where it could create blind spots with Jean‑Paul Bergeaux, Federal CTO at GuidePoint Security.See Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.

@BEERISAC: CPS/ICS Security Podcast Playlist
Balancing Speed and Security: The Open Source Dilemma in Embedded Development

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Jan 30, 2026 29:30


Podcast: Exploited: The Cyber Truth Episode: Balancing Speed and Security: The Open Source Dilemma in Embedded DevelopmentPub date: 2026-01-29Get Podcast Transcript →powered by Listen411 - fast audio-to-text and summarizationIn this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security Founder and CEO Joseph M. Saunders and embedded systems expert Elecia White, host of Embedded.fm and author of Making Embedded Systems, to discuss the trade-offs of using open source in embedded development. The conversation goes beyond debates about “open vs. proprietary” to explore how a single library can quietly introduce sprawling dependency chains, unclear maintenance responsibilities, licensing obligations, and long-term security exposure,  especially in devices expected to operate for years or decades. Elecia and Joe share guidance for using open source intentionally, including how to set guardrails early, limit dependency blast radius, and design systems that can respond when vulnerabilities emerge, even when patching isn't easy. Together, they cover: Why embedded teams don't get burned by open source, they get burned by unexamined dependenciesHow transitive dependencies and “helpful” packages quietly expand attack surfaceWhy professionalism, documentation, and disclosure practices signal trustworthy projectsWhy build-time SBOMs matter more than after-the-fact analysisHow Secure by Design thinking reduces reliance on emergency patching For embedded engineers, product leaders, and security teams balancing delivery pressure with long-lived risk, this episode offers advice for using open source without inheriting future incidents.The podcast and artwork embedded on this page are from RunSafe Security, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

design security balancing speed dilemma open source embedded listen notes sboms elecia embedded development paul ducklin elecia white
MedTech Speed to Data
The Real Cost of Adding Cybersecurity Late in Medical Device Development : 44

MedTech Speed to Data

Play Episode Listen Later Jan 29, 2026 28:16


Design for Security from the Start: Making Medical Device Cybersecurity More ResilientMedTech innovation is revolutionizing healthcare but is also introducing new cyberattack vectors that can put manufacturers, hospitals, and patients at risk.In Episode 44 of the MedTech Speed to Data Podcast, Key Tech VP of Business Development Andy Rogers and Senior Computer Engineer Jamie Kendall discuss the FDA's latest cybersecurity guidance.Need to knowSmart, connected devices have greater risks — Medical devices are emerging vectors for bad actors targeting the healthcare industry.FDA's 2025 cybersecurity guidance update — The agency recommends risk-based development frameworks to make device cybersecurity more resilient.Clarifying “cyber devices” — The FDA's guidance applies to any medical device that runs software and could connect to the Internet.The nitty-gritty“Cybersecurity was always baked into our process,” Jaime explains. More specifically, Key Tech has adapted the TIR57 risk-based standard for managing medical device security to the new rules. “[The FDA's] 2023 guidance really laid the groundwork for our latest process. We've tweaked it slightly with the [latest update]. There are more explicit documentation requirements around vulnerability monitoring and more details on the software bill of materials (SBOMs).”Jamie goes on to describe how Key Tech's cybersecurity risk management plan informs product development. The security team starts by developing a threat model based on evaluations of data flows, data storage, and the cybersecurity activities protecting that data. “One of the first things that we always do is a threat model. This is a visual model of the system to show the elements of the device, where data is flowing, and where your trust boundaries are. This is a one-page, digestible visual that everyone can look at, assess, and go ‘yep, that makes sense' and then build your initial architecture and risk assessment based on that.”The security team documents the resulting security architectures using the FDA's recommended views:Global System View: Describes how software integrates with hardware and networks and the associated cybersecurity mitigations.Multi-Patient Harm View: Identifies mitigations for vulnerabilities or failures that could compromise multiple devices and harm multiple patients.Updateability/Patchability View: Summarizes the end-to-end process for distributing software updates and patches, especially if manufacturers do not control the entire path.Security Use Case View: Documents scenarios in which vulnerabilities can compromise the device's safety or effectiveness.“To give a sense of scale,” Jamie says, “this isn't one or two documents. It's a pretty large effort, and it's one of those things that you want to start early in your development process.”Data that made the difference:Throughout his conversation with Andy, Jamie shares some of the lessons Key Tech has learned about designing secure medical devices, including:Design for security from the beginning. Late changes are expensive, especially once in pre-production or after your FDA submission.Avoid cyber rabbit holes. Rather than addressing every possible threat, use data and risk to prioritize the real threats.Don't roll your own cybersecurity. Stick to standard practices, or you risk introducing unknown, novel vulnerabilities.Fully document your SBOMs. Standard libraries introduce layers of dependencies that you must understand. That's the only way to control your exposure to new vulnerabilities.Design devices that are truly safe. Cybersecurity risks are real. Don't treat compliance as a check box.Watch the whole conversation in the video below to learn more about designing for cybersecurity, the importance of third-party penetration testing, and more.

Federal Tech Podcast: Listen and learn how successful companies get federal contracts
Ep. 296 Securing the Federal Software Supply Chain: Why SBOMs aren't enough

Federal Tech Podcast: Listen and learn how successful companies get federal contracts

Play Episode Listen Later Jan 22, 2026 19:53


One of the biggest trends in software development over the past 10 years is the shift from writing code to "assembling" code from off-the-shelf components. During today's interview with Javed Hasan from Lineaje, we learned that 70% of that pre-assembled code is open source. In other words, an anonymous person in some countries modified software instructions. This casual approach may be fine for small businesses, but an organization like the federal government must be highly cautious. Hasan describes how his company was one of the first to work with the federal government to set standards for this existing code. These initial efforts began ten years ago and resulted in Executive Order #14028, which requires a Software Bill of Materials for any organization selling to the federal government. This initiative expanded in 2021-2022 when NIST published related guidelines. These efforts are a good start. However, federal leaders must evaluate SBOM technology from many perspectives. For example, how to incorporate this mandate into air-gapped networks, legacy COTS, or even in a classified environment. System administrators also need to know if they are exposed. Further, every organization has a varying definition of what "deep software transparency" is. Hassan also discusses Lineage's innovative approach to creating "Gold open source" software, ensuring it is free of malware and vulnerabilities. If you are interested in seeing a demonstration of how Lineaje can help with software forensics, there is an event at the Carahsoft office in Reston, Virginia, on January 30 = = Connect to John Gilroy on LinkedIn   https://www.linkedin.com/in/john-gilroy/ Want to listen to other episodes? www.Federaltechpodcast.com  

@BEERISAC: CPS/ICS Security Podcast Playlist
2026 ICS Security Predictions: What's Next for Critical Infrastructure

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Jan 1, 2026 31:41


Podcast: Exploited: The Cyber Truth Episode: 2026 ICS Security Predictions: What's Next for Critical InfrastructurePub date: 2025-12-30Get Podcast Transcript →powered by Listen411 - fast audio-to-text and summarizationAs industrial control systems become more connected, more Linux-based, and more exposed to IT-style threats, 2026 is shaping up to be a turning point for ICS security. In this end-of-year predictions episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security Founder & CEO Joseph M. Saunders and CTO Shane Fry to discuss what will define ICS and critical infrastructure security in 2026. The episode explores a bold prediction: We will see a major ICS breach originating from a web application vulnerability running directly on an embedded control device. As full Linux operating systems, Node.js apps, and web servers increasingly appear inside OT equipment, long-standing IT vulnerabilities are colliding with systems that are difficult—or impossible—to patch. Joe and Shane dig into why detection-only strategies fall short in constrained, long-lived devices, and why secure by design engineering, memory safety, and runtime protections are becoming essential. They also discuss the importance of accurate, build-time Software Bills of Materials, especially as regulations like the EU Cyber Resilience Act push manufacturers toward transparency, accountability, and provable supply-chain visibility. Together, they cover: Why ICS exploitation is shifting from theoretical to operationalHow web app and RCE vulnerabilities are creeping into OT devicesThe limits of detection-only security strategiesWhy memory safety and runtime protections reduce exploitable riskHow build-time SBOMs improve vulnerability tracking and trustThe podcast and artwork embedded on this page are from RunSafe Security, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Paul's Security Weekly
AI-Era AppSec: Transparency, Trust, and Risk Beyond the Firewall - Felipe Zipitria, Steve Springett, Aruneesh Salhotra, Ken Huang - ASW #363

Paul's Security Weekly

Play Episode Listen Later Dec 30, 2025 66:43


In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications. Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI. Segment Resources: github.com/coreruleset/coreruleset coreruleset.org The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain. As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency. OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025. Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem. This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape. Segment Resources: https://owasp.org/www-project-aibom/ https://www.linkedin.com/posts/aruneeshsalhotra_owasp-ai-aisecurity-activity-7364649799800766465-DJGM/ https://www.youtube.com/@OWASPAIBOM https://www.youtube.com/@RobvanderVeer-ex3gj https://owaspai.org/ Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI. Segment Resources: aivss.owasp.org https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-363

Paul's Security Weekly TV
AI-Era AppSec: Transparency, Trust, and Risk Beyond the Firewall - Felipe Zipitria, Steve Springett, Aruneesh Salhotra, Ken Huang - ASW #363

Paul's Security Weekly TV

Play Episode Listen Later Dec 30, 2025 66:43


In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications. Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI. Segment Resources: github.com/coreruleset/coreruleset coreruleset.org The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain. As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency. OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025. Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem. This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape. Segment Resources: https://owasp.org/www-project-aibom/ https://www.linkedin.com/posts/aruneeshsalhotra_owasp-ai-aisecurity-activity-7364649799800766465-DJGM/ https://www.youtube.com/@OWASPAIBOM https://www.youtube.com/@RobvanderVeer-ex3gj https://owaspai.org/ Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI. Segment Resources: aivss.owasp.org https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Show Notes: https://securityweekly.com/asw-363

Application Security Weekly (Audio)
AI-Era AppSec: Transparency, Trust, and Risk Beyond the Firewall - Felipe Zipitria, Steve Springett, Aruneesh Salhotra, Ken Huang - ASW #363

Application Security Weekly (Audio)

Play Episode Listen Later Dec 30, 2025 66:43


In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications. Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI. Segment Resources: github.com/coreruleset/coreruleset coreruleset.org The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain. As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency. OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025. Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem. This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape. Segment Resources: https://owasp.org/www-project-aibom/ https://www.linkedin.com/posts/aruneeshsalhotra_owasp-ai-aisecurity-activity-7364649799800766465-DJGM/ https://www.youtube.com/@OWASPAIBOM https://www.youtube.com/@RobvanderVeer-ex3gj https://owaspai.org/ Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI. Segment Resources: aivss.owasp.org https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-363

@BEERISAC: CPS/ICS Security Podcast Playlist
Rail Cybersecurity & OT SOCs in the Middle East (Arabic) | 56

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Dec 30, 2025 55:27


Podcast: ICS Arabia PodcastEpisode: Rail Cybersecurity & OT SOCs in the Middle East (Arabic) | 56Pub date: 2025-12-26Get Podcast Transcript →powered by Listen411 - fast audio-to-text and summarizationIn this first-ever ICS Arabia Podcast episode focused on rail cybersecurity and OT Security Operations Centers (SOCs), I sit down with Omar Sherin, Consulting Partner at PwC Middle East and a pioneer in the region's critical infrastructure protection.We explore:1- Rail-specific cyber threats and how OT SOCs are built to defend them2- Real-world challenges in the Middle East's transportation sector3- National efforts to build security labs for firmware, SBOMs, and ICS hardware4- How Arab countries can strategically improve their OT cybersecurity postureThe podcast and artwork embedded on this page are from ICS ARABIA PODCAST, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Application Security Weekly (Video)
AI-Era AppSec: Transparency, Trust, and Risk Beyond the Firewall - Felipe Zipitria, Steve Springett, Aruneesh Salhotra, Ken Huang - ASW #363

Application Security Weekly (Video)

Play Episode Listen Later Dec 30, 2025 66:43


In an era dominated by AI-powered security tools and cloud-native architectures, are traditional Web Application Firewalls still relevant? Join us as we speak with Felipe Zipitria, co-leader of the OWASP Core Rule Set (CRS) project. Felipe has been at the forefront of open-source security, leading the development of one of the world's most widely deployed WAF rule sets, trusted by organizations globally to protect their web applications. Felipe explains why WAFs remain a critical layer in modern defense-in-depth strategies. We'll explore what makes OWASP CRS the go-to choice for security teams, dive into the project's current innovations, and discuss how traditional rule-based security is evolving to work alongside — not against — AI. Segment Resources: github.com/coreruleset/coreruleset coreruleset.org The future of CycloneDX is defined by modularity, API-first design, and deeper contextual insight, enabling transparency that is not just comprehensive, but actionable. At its heart is the Transparency Exchange API, which delivers a normalized, format-agnostic model for sharing SBOMs, attestations, risks, and more across the software supply chain. As genAI transforms every sector of modern business, the security community faces a question: how do we protect systems we can't fully see or understand? In this fireside chat, Aruneesh Salhotra, Project Lead for OWASP AIBOM and Co-Lead of OWASP AI Exchange, discusses two groundbreaking initiatives that are reshaping how organizations approach AI security and supply chain transparency. OWASP AI Exchange has emerged as the go-to single resource for AI security and privacy, providing over 200 pages of practical advice on protecting AI and data-centric systems from threats. Through its official liaison partnership with CEN/CENELEC, the project has contributed 70 pages to ISO/IEC 27090 and 40 pages to the EU AI Act security standard OWASP, achieving OWASP Flagship project status in March 2025. Meanwhile, the OWASP AIBOM Project is establishing a comprehensive framework to provide transparency into how AI models are built, trained, and deployed, extending OWASP's mission of making security visible to the rapidly evolving AI ecosystem. This conversation explores how these complementary initiatives are addressing real-world challenges—from prompt injection and data poisoning to model provenance and supply chain risks—while actively shaping international standards and regulatory frameworks. We'll discuss concrete achievements, lessons learned from global collaboration, and the ambitious roadmap ahead as these projects continue to mature and expand their impact across the AI security landscape. Segment Resources: https://owasp.org/www-project-aibom/ https://www.linkedin.com/posts/aruneeshsalhotra_owasp-ai-aisecurity-activity-7364649799800766465-DJGM/ https://www.youtube.com/@OWASPAIBOM https://www.youtube.com/@RobvanderVeer-ex3gj https://owaspai.org/ Agentic AI introduces unique and complex security challenges that render traditional risk management frameworks insufficient. In this keynote, Ken Huang, CEO of Distributedapps.ai and a key contributor to AI security standards, outlines a new approach to manage these emerging threats. The session will present a practical strategy that integrates the NIST AI Risk Management Framework with specialized tools to address the full lifecycle of Agentic AI. Segment Resources: aivss.owasp.org https://kenhuangus.substack.com/p/owasp-aivss-the-new-framework-for https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro This interview is sponsored by the OWASP GenAI Security Project. Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the OWASP 2025 Global AppSec Conference! Show Notes: https://securityweekly.com/asw-363

The Kubelist Podcast
Ep. #48, Unpacking Software Supply Chain Security with Justin Cappos

The Kubelist Podcast

Play Episode Listen Later Dec 23, 2025 64:59


On episode 48 of The Kubelist Podcast, Marc Campbell and Benjie De Groot sit down with Justin Cappos, professor at NYU and a pioneer in software supply chain security. They explore the origins of modern package manager security, the real-world limits of SBOMs, and why systems should be designed assuming compromise. The conversation spans CNCF governance, in-toto, TUF, Git security, and the emerging role of AI in securing software.

Heavybit Podcast Network: Master Feed
Ep. #48, Unpacking Software Supply Chain Security with Justin Cappos

Heavybit Podcast Network: Master Feed

Play Episode Listen Later Dec 23, 2025 64:59


On episode 48 of The Kubelist Podcast, Marc Campbell and Benjie De Groot sit down with Justin Cappos, professor at NYU and a pioneer in software supply chain security. They explore the origins of modern package manager security, the real-world limits of SBOMs, and why systems should be designed assuming compromise. The conversation spans CNCF governance, in-toto, TUF, Git security, and the emerging role of AI in securing software.

Python Bytes
#463 2025 is @wrapped

Python Bytes

Play Episode Listen Later Dec 22, 2025 43:19 Transcription Available


Topics covered in this episode: Has the cost of building software just dropped 90%? More on Deprecation Warnings How FOSS Won and Why It Matters Should I be looking for a GitHub alternative? Extras Joke Watch on YouTube About the show Sponsored by us! Support our work through: Our courses at Talk Python Training The Complete pytest Course Patreon Supporters Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. HEADS UP: We are taking next week off, happy holiday everyone. Michael #1: Has the cost of building software just dropped 90%? by Martin Alderson Agentic coding tools are collapsing “implementation time,” so the cost curve of shipping software may be shifting sharply Recent programming advancements haven't been that great of a true benefit: Cloud, TDD, microservices, complex frontends, Kubernetes, etc. Agentic AI's big savings are not just code generation, but coordination overhead reduction (fewer handoffs, fewer meetings, fewer blocks). Thinking, product clarity, and domain decisions stay hard, while typing and scaffolding get cheap. Is it the end of software dev? Not really, see Jevons paradox: when production gets cheaper, total demand can rise rather than spending simply falling. (Historically: the efficiency of coal use led to the increased consumption of coal) Pushes back on “only good for greenfield” by arguing agents also help with legacy code comprehension and bug-fixing. I 100% agree. #Legacy code for the win. Brian #2: More on Deprecation Warnings How are people ignoring them? yep, it's right in the Python docs: -W ignore::DeprecationWarning Don't do that! Perhaps the docs should give the example of emitting them only once -W once::::DeprecationWarning See also -X dev mode , which sets -W default and some other runtime checks Don't use warn, use the @warnings.deprecated decorator instead Thanks John Hagen for pointing this out Emits a warning It's understood by type checkers, so editors visually warn you You can pass in your own custom UserWarning with category mypy also has a command line option and setting for this --enable-error-code deprecated or in [tool.mypy] enable_error_code = ["deprecated"] My recommendation Use @deprecated with your own custom warning and test with pytest -W error Michael #3: How FOSS Won and Why It Matters by Thomas Depierre Companies are not cheap, companies optimize cost control. They do this by making purchasing slow and painful. FOSS is/was a major unlock hack to skip procurement, legal, etc. Example is months to start using a paid “Add to calendar” widget! It “works both ways”: the same bypass lowers the barrier for maintainers too, no need for a legal entity, lawyers, liability insurance, or sales motion. Proposals that “fix FOSS” by reintroducing supply-chain style controls (he name-checks SBOMs and mandated processes) risk being rejected or gamed, because they restore the very friction FOSS sidesteps. Brian #4: Should I be looking for a GitHub alternative? Pricing changes for GitHub Actions The self-hosted runner pricing change caused a kerfuffle. It's has been postponed But… if you were to look around, maybe pay attention to These 4 GitHub alternatives are just as good—or better Codeburg, BitBucket, GitLab, Gitea And a new-ish entry, Tangled Extras Brian: End of year sale for The Complete pytest Course Use code XMAS2025 for 50% off before Dec 31 Writing work on Lean TDD book on hold for holidays Will pick up again in January Michael: PyCharm has better Ruff support now out of the box, via Daniel Molnar This is from the release notes of 2025.3: "PyCharm 2025.3 expands its LSP integration with support for Ruff, ty, Pyright, and Pyrefly.” If you check out the LSP section it will land you on this page and you can go to Ruff. The Ruff doc site was also updated. Previously it was only available external tools and a third party plugin, this feels like a big step. Fun quote I saw on ExTwitter: May your bug tracker be forever empty. Joke: Try/Catch/Stack Overflow Create a super annoying linkedin profile - From Tim Kellogg, submitted by archtoad

@BEERISAC: CPS/ICS Security Podcast Playlist
When Open Source Gets You Into Hot Water: Copyleft Risk in Embedded Systems

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Dec 15, 2025 29:30


Podcast: Exploited: The Cyber Truth Episode: When Open Source Gets You Into Hot Water: Copyleft Risk in Embedded SystemsPub date: 2025-12-11Get Podcast Transcript →powered by Listen411 - fast audio-to-text and summarizationOpen source accelerates development in embedded systems, but hidden license obligations can quickly create legal and operational risk. In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security Founder and CEO Joseph M. Saunders and Salim Blume, Director of Security Applications, for a look at how copyleft risk emerges and why compliance in embedded products is more challenging than many teams expect. Salim breaks down how restrictive licenses, such as GPL and AGPL, can force the disclosure of proprietary code, interrupt product shipments, or create exposure long after devices are deployed in the field. Joe shares why accurate SBOMs, automated license checks, and enforcing policy at build time are critical to preventing surprises in downstream products. The discussion also touches on the ongoing Vizio case, where the TV manufacturer faces litigation that could compel public release of source code under the GPL, highlighting how open source obligations can surface years after products hit the market. Together, Paul, Joe, and Salim explore: How copyleft obligations can require source-code disclosureWhy embedded environments complicate license complianceReal-world cases where unnoticed GPL dependencies caused major issues, such as Vizio's GPL lawsuit and Cisco's WRT54G router familyThe growing implications of AGPL for SaaS and connected servicesHow build-time SBOMs and automated controls reduce long-term risk Whether you're building connected devices, managing software supply chain compliance, or protecting proprietary IP, this episode offers practical guidance to reduce copyleft risk before it becomes a costly problem.The podcast and artwork embedded on this page are from RunSafe Security, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Embedded
515: Script Boomers

Embedded

Play Episode Listen Later Nov 27, 2025 70:23


Nick Kartsioukas joined us to talk about security in embedded systems.  Common Vulnerabilities and Exposures (CVE) is the primary database to check your software libraries, tools, and OSs: cve.org. Open Worldwide Application Security Project (OWASP, owasp.org) has information on how to improve security in all kinds of applications, including embedded application security. There are also cheatsheets, Nick particularly recommends Software Supply Chain Security - OWASP Cheat Sheet.  Wait, what is supply chain security? Nick suggested a nice article on github.com: it is about your code and tools including firmware update, a common weak point in embedded device security. Want to try out some security work? There are capture the flag (CTF) challenges including the Microcorruption CTF (microcorruption.com) which is embedded security related. We also talked about the SANS Holiday Hack Challenge (also see Prior SANS Holiday Hack Challenges). This episode is brought to you by  RunSafe Security. Working with C or C++ in your embedded projects? RunSafe Security helps you build safer, more resilient devices with build-time SBOM generation, vulnerability identification, and patented code hardening. Their Load-time Function Randomization stops the exploit of memory-based attacks, something we all know is much needed. Learn more at RunSafeSecurity.com/embeddedfm. Some other sites that have good information embedded security: This World Of Ours by James Mickens is an easy read about threat modelling Cybersecurity and Infrastructure Security Agency (CISA) is at cisa.gov and, among other things, they describe SBOMs in great detail National Institute of Standards and Technology (NIST) also provides guidance: Internet of Things (IoT) | NIST  NIST Cybersecurity for IoT Program  NIST SP800-213 IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements There is a group of universities and organizations doing research into embedded security: National Science Foundation Center for Hardware and Embedded Systems Security and Trust (CHEST). Descriptive overview and the site is nsfchest.org European Telecommunications Standards Institute (ETSI) - Consumer IoT Security Camera Ubiquiti configuration issue (what not to do) Finally, Nick mentioned Stop The Bleed which provides training on how you can control bleeding, a leading cause of death. They even have a podcast (and we know you like those). Elecia followed up with Community Emergency Response Teams (CERT). Call your local fire department and ask about training near you! Transcript

Packet Pushers - Full Podcast Feed
PP087: Why SBOMs Are Cooler and More Useful Than You Think

Packet Pushers - Full Podcast Feed

Play Episode Listen Later Nov 18, 2025 46:08


Just what’s inside that commercial software you bought? Does it contain open-source components, NPM packages, or other third-party code? How could you find out? The answer is a Software Bill of Materials, or SBOM, a machine-readable inventory of a finished piece of software. Why should you care about SBOMs? Our guest, Natalie Somersall, is here... Read more »

Packet Pushers - Fat Pipe
PP087: Why SBOMs Are Cooler and More Useful Than You Think

Packet Pushers - Fat Pipe

Play Episode Listen Later Nov 18, 2025 46:08


Just what’s inside that commercial software you bought? Does it contain open-source components, NPM packages, or other third-party code? How could you find out? The answer is a Software Bill of Materials, or SBOM, a machine-readable inventory of a finished piece of software. Why should you care about SBOMs? Our guest, Natalie Somersall, is here... Read more »

Software Engineering Institute (SEI) Podcast Series
Getting Your Software Supply Chain Intune with SBOM Harmonization

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Oct 23, 2025 23:14


Software bills of materials or SBOMs are critical to software security and supply chain risk management. Ideally, regardless of the SBOM tool, the output should be consistent for a given piece of software. But that is not always the case. The divergence of results can undermine confidence in software quality and security. In our latest podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Jessie Jamieson, a senior cyber risk engineer in the SEI's CERT Division, sits down with Matt technical director of Risk and Resilience in CERT, to talk about how to achieve more accuracy in SBOMs and present and future SEI research on this front.  

Open Source Security Podcast
Eclipse Foundation SBOMs with Mikael Barbero

Open Source Security Podcast

Play Episode Listen Later Oct 20, 2025 31:15


In this conversation, Josh speaks with Mikael Barbero, head of security at the Eclipse Foundation. They discuss the foundation's role in enhancing the security posture of open source projects, the importance of Software Bill of Materials (SBOMs), and the various security services provided to projects. Mikael explains the challenges and strategies involved in implementing security best practices across a diverse range of projects, as well as the foundation's proactive approach to navigating security regulations and compliance. This is some great security work happening for open source projects. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-10-eclipse-sbom-mikael-barbero/

mikael barbero sboms eclipse foundation
CHAOSScast
Episode 121: Package Metadata Working Group with Andrew Nesbitt and Damián Vicino

CHAOSScast

Play Episode Listen Later Oct 16, 2025 41:07


Thank you to the folks at Sustain (https://sustainoss.org/) for providing the hosting account for CHAOSSCast! CHAOSScast – Episode 121 In this episode of the CHAOSScast, host Alice Sowerby sits down with Andrew Nesbitt and Damián Vicino to discuss the formation and objectives of the new Package Metadata Working Group within the CHAOSS community. They discuss the complex issues surrounding package manager metadata, its interoperability challenges, and how the working group aims to address these through mapping and standardization efforts. They also touch upon the importance of these efforts for various stakeholders, including developers, researchers, and tool builders. The conversation highlights both the immediate and long-term goals of the group and provides information on how interested individuals can get involved. Hit download now to hear more! [00:00:26] Introductions from Alice, Andrew, and Damián. [00:02:36] Damián explains how the Package Metadata Working Group started. [00:04:33] Andrew shares his experience building mappings across multiple package registries and how differing field names, schema structures, and metadata definitions complicate consistency. [00:10:21] Alice asks about the group's short and long term objectives and Andrew outlines some immediate goals. [00:14:52] Damián elaborates on challenges in semantics and timelines. He emphasizes that even identically names fields may carry different meanings and shares an example. [00:18:46] Alice summarizes Damián's point saying the group's role is to provide guidance and analysis rather than enforce standards, helping maintainers make informed metadata decisions. [00:19:25] Andrew adds that most package managers evolve independently without referencing past ones. The working group's documentation aims to prevent repeated mistakes and guide new ecosystems toward interoperable designs. [00:23:06] Damián notes that modern software projects often depend on multiple ecosystems, making license tracking and dependency management exponentially harder without interoperability. [00:25:02] Andrew explains how researchers waste time rebuilding metadata mapping from scratch across ecosystems and having unified references would accelerate research and tool development. [00:27:58] Damián discusses how better metadata could support academic credit and funding by enabling easier citation and recognition of open source contributions tied to research projects. [00:29:39] How can you get involved? Damián invites package manager developers and metadata tool builders to join, and Andrew encourages anyone working with SBOMs or package metadata tools to contribute war stories, mapping, or research use cases. [00:33:01] Andrew mentions all the places you can join in on the meetings and to share where you are interested in working on. Value Adds (Picks) of the week: [00:35:25] Alice's pick is apples. [00:36:17] Damián's pick is hockey. [00:37:04] Andrew's pick is puppy training. Panelist: Alice Sowerby Guests: Andrew Nesbitt Damián Vicino Links: CHAOSS (https://chaoss.community/) CHAOSS Project X (https://twitter.com/chaossproj?lang=en) CHAOSScast Podcast (https://podcast.chaoss.community/) CHAOSS YouTube (https://www.youtube.com/@CHAOSStube/videos) podcast@chaoss.community (mailto:podcast@chaoss.community) Alice Sowerby LinkedIn (https://www.linkedin.com/in/alice-sowerby-ba692a13/?originalSubdomain=uk) Andrew Nesbitt Website (https://nesbitt.io/) Andrew Nesbitt GitHub (https://github.com/andrew) Andrew Nesbitt Mastodon (https://mastodon.social/@andrewnez) Damián Vicino LinkedIn (https://www.linkedin.com/in/dvicino/) Damián Vicino GitHub (https://github.com/sdavtaker) CHAOSSWG: Package Metadata (https://github.com/chaoss/wg-package-metadata) CHAOSS Calendar (https://chaoss.community/chaoss-calendar/) CHAOSS Slack (https://chaoss-workspace.slack.com/join/shared_invite/zt-r65szij9-QajX59hkZUct82b0uACA6g#/shared-invite/email) Special Guests: Andrew Nesbitt and Damián Vicino.

Resilient Cyber
Resilient Cyber w/ Mitch Herckis - Securing the Public Sector

Resilient Cyber

Play Episode Listen Later Oct 15, 2025 39:02


In this episode, I sit down with Mitchel Herckis, Global Head of Government Affairs at cloud security leader Wiz. We will be discussing all things public sector and cybersecurity, including the evolution of the FedRAMP program, modernizing vulnerability management, and the future of Continuous ATO (cATO).We covered a lot of ground, including:Mitch's background, both at Wiz and inside Government at roles such as OMBHow Wiz is working with Federal agencies and Defense Industrial Base (DIB) partners on Cloud Security, including the long-needed overhaul of FedRAMP with FedRAMP 20x's efforts.The move towards real Continuous Monitoring (ConMon) with real-time visibility of cloud environments, as well as the need for machine-readable artifacts, automations, and streamlined security control assessments.The modernization of vulnerability management, including factors such as attack paths, reachability, exploitability, known exploitation, and the importance of focusing on real risks versus noise.Moving away from paper-based compliance exercises and bridging the gap between security and compliance.Wiz's role as a CVE Numbering Authority (CNA) and the broader CVE program, including its importance for both the Government and industry when it comes to vulnerability management.To evolving usage of SBOMs and broader supply chain security.Disjointed efforts around the Government at both the Federal at State levels when it comes to Continuous ATO (cATO) and how we can move towards a more cohesive approach to modern system assessment and authorization.The importance of Government Affairs and bridging the divide between industry and Government, including bringing in tech leaders into Government, influencing policy, and improving outcomes for citizens and warfighters alike.The dual-edged sword that is AI adoption in the public sector.

ITSPmagazine | Technology. Cybersecurity. Society
SBOMs in Application Security: From Compliance Trophy to Real Risk Reduction | AppSec Contradictions: 7 Truths We Keep Ignoring — Episode 3 | A Musing On the Future of Cybersecurity with Sean Martin and TAPE9 | Read by TAPE9

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Oct 1, 2025 2:33


SBOMs were supposed to be the ingredient label for software—bringing transparency, faster response, and stronger trust. But reality shows otherwise. Fewer than 1% of GitHub projects have policy-driven SBOMs. Only 15% of developer SBOM questions get answered. And while 86% of EU firms claim supply chain policies, just 47% actually fund them.So why do SBOMs stall as compliance artifacts instead of risk-reduction tools? And what happens when they do work?In this episode of AppSec Contradictions, Sean Martin examines:Why SBOM adoption is laggingThe cost of static SBOMs for developers, AppSec teams, and business leadersReal-world examples where SBOMs deliver measurable valueHow AISBOMs are extending transparency into AI models and dataCatch the full companion article in the Future of Cybersecurity newsletter for deeper analysis and more research.

PurePerformance
Hello BOB - Cloud Native Cybersecurity with Bill of Behaviors with Constanze Roedig

PurePerformance

Play Episode Listen Later Sep 29, 2025 27:05


On September 8 the world saw the npm supply chain attack. Fortunately the community reacted in record time to avert a disaster. In todays episode we have Constanze Roedig, Key Researcher at SBA Research, who introduces us to the new buddy of SBoM (Software Bill of Materials): SBoB (Software Bill of Behaviors) and her thoughts on how that new approach to fingerprinting software can help cyber security teams. What's a BoB? It's a detailed runtime behavior profile of software. It expands on the static validation option through SBOMs as it allows security teams to validate the correct execution behavior of deployed software at deploy time or continuously in production. Thanks to eBPF, a malicious behavior such as opening non expected ports or accessing non expected files can therefore be detected.Listen to Constanze who shares the work she and Vadim Bauer, Owner of 8gear, have done on this topic. You will learn about how software vendors can create their own SBOBs, ship them with their container images and how security teams can get alerted or enforce any detected malicious behavior. Make sure to check out their GitHub repo, star it if you like it and try their hands-on tutorial!Links:Constanze LinkedIn: https://www.linkedin.com/in/croedig/Vadim LinkedIn: https://www.linkedin.com/in/vadim-bauer/OBobCtl GitHub Repo: https://github.com/k8sstormcenter/bobctlCloud Native Summit Munich Talk: https://www.youtube.com/watch?v=XETuwndd_mw&index=11&pp=iAQBnpm supply chain attack: https://www.infosecurity-magazine.com/news/npm-supply-chain-attack-averted/

CHAOSScast
Episode 119: Guest Episode - Sustain asks how Ecosyste.ms maps open source dependencies

CHAOSScast

Play Episode Listen Later Sep 18, 2025 45:44


Thank you to the folks at Sustain (https://sustainoss.org/) for providing the hosting account for CHAOSSCast! CHAOSScast – Episode 119 In this episode of CHAOSScast, we have a special episode from our friends at Sustain. Host Richard Littauer from Sustain is joined by guests Ben Nickolls and Andrew Nesbitt to discuss the ecosyste.ms project. They explore how ecosyste.ms collects and analyzes metadata from various open-source projects to create a comprehensive database that can help improve funding allocation. The discussion covers the importance of funding the most critical open-source projects, the existing gaps in funding, and the partnership between ecosyste.ms and Open Source Collective to create funding algorithms that support entire ecosystems. They also talk about the challenges of maintaining data, reaching out to project maintainers, and the broader implications for the open-source community. Hit the download button now! [00:03:16] Andrew and Ben explain ecosyste.ms, what it does, and how it compares to Libraries.io. [00:06:17] Ecosyste.ms tracks metadata, not the packages themselves, and enriches data via dependency graphs, committers, issues, SBOMs, and more. [00:08:12] Andrew talks about finding 1,890 Git hosts and how many critical projects live outside GitHub. [00:09:55] There's a conversation on metadata uses and SBOM parsing. [00:14:07] Richard inquires about the ecosystem.ms funds on their website which Andrew explains it's a collaboration between Open Collective and ecosyste.ms. that algorithmically distributes funds to the most used, not most popular packages. [00:17:03] Ben shares how this is different from previous projects and brings up a past project, “Back Your Stack” and explains how ecosyste.ms is doing two things differently. [00:20:17] Ben explains how it supports payouts to other platforms and encourages maintainers to adopt funding YAML files for automation. Andrew touches on efficient outreach, payout management, and API usage (GraphQL). [00:26:54] Ben elaborates on how companies can fund ecosyste.ms (like Django) instead of curating their own lists and being inspired by Sentry's work with the Open Source Pledge. [00:30:50] Andrew speaks about scaling and developer engagement and emphasizes their focus is on high-impact sustainability. [00:34:06] Richard asks, “Why does it matter?” Ben explains that most current funding goes to popular, not most used projects and ecosyste.ms aims to fix the gap with data backed funding, and he suggests use of open standards like 360Giving and Open Contracting Data. [00:37:04] Andrew shares his thoughts on funding the right projects by improving 1% of OSS, you uplift the quality of millions of dependent projects with healthier infrastructure, faster security updates, and more resilient software. [00:39:53] Find out where you can follow ecosyste.ms and the blog on the web. Quotes: [00:12:36] “I call them interesting forks. If a fork is referenced by a package, it'll get indexed.” [00:23:25] We've built a service that now moves like $25 million a year between OSS maintainers on OSC.” [00:34:41] “We don't have enough information to make collective decisions about which projects, communities, maintainers, should receive more funding.” [00:35:41] “The NSF POSE Program has distributed hundreds of millions of dollars of funding to open source communities alone.” [00:37:05] “If you have ten, twenty thousand really critical open source projects, that actually isn't unachievable to make those projects sustainable.” Spotlight: [00:40:53] Ben's spotlight is Jellyfin. [00:41:38]** **Andrew's spotlight is zizmor. [00:43:39] Richard's spotlight is The LaTeX Project. Panelist: Richard Littauer Guests: Ben Nickolls Andrew Nesbitt Links: CHAOSS (https://chaoss.community/) CHAOSS Project Twitter (https://twitter.com/chaossproj?lang=en) CHAOSScast Podcast (https://podcast.chaoss.community/) podcast@chaoss.community (mailto:podcast@chaoss.community) Alice Sowerby LinkedIn (https://www.linkedin.com/in/alice-sowerby-ba692a13/?originalSubdomain=uk) SustainOSS (https://sustainoss.org/) podcast@sustainoss.org (mailto:podcast@sustainoss.org) richard@sustainoss.org (mailto:richard@sustainoss.org) SustainOSS Discourse (https://discourse.sustainoss.org/) SustainOSS Mastodon (https://mastodon.social/tags/sustainoss) SustainOSS Bluesky (https://bsky.app/profile/sustainoss.bsky.social) SustainOSS LinkedIn (https://www.linkedin.com/company/sustainoss/) Open Collective-SustainOSS (Contribute) (https://opencollective.com/sustainoss) Richard Littauer Socials (https://www.burntfen.com/2023-05-30/socials) Ben Nickolls LinkedIn (https://www.linkedin.com/in/benjamuk/) Andrew Nesbitt Website (https://nesbitt.io/) Andrew Nesbitt Mastodon (https://mastodon.social/@andrewnez) Octobox (https://github.com/octobox) ecosyste.ms (https://ecosyste.ms/) ecosyste.ms Blog (https://blog.ecosyste.ms/) Open Source Collective (https://oscollective.org/) Open Source Collective Updates (https://opencollective.com/opensource/updates) Open Source Collective Contributions (https://opencollective.com/opensource) Open Source Collective Contributors (https://opencollective.com/open-source) Open Collective (https://opencollective.com/) 24 Pull Requests (https://24pullrequests.com/) Libraries.io (https://libraries.io/) The penumbra of open source (EPJ Data Science) (https://epjdatascience.springeropen.com/articles/10.1140/epjds/s13688-022-00345-7) FOSDEM '25- Open source funding: you're doing it wrong (Andrew and Ben) (https://fosdem.org/2025/schedule/event/fosdem-2025-5576-open-source-funding-you-re-doing-it-wrong/) Vue.js (https://vuejs.org/) thanks.dev (https://thanks.dev/home) StackAid (https://www.stackaid.us/) Back Your Stack (https://backyourstack.com/) NSF POSE (https://www.nsf.gov/funding/initiatives/pathways-enable-open-source-ecosystems) Django (https://www.djangoproject.com/) GitHub Sponsors (https://github.com/sponsors) Sustain Podcast-Episode 80: Emma Irwin and the Foss Fund Program (https://podcast.sustainoss.org/80) Sustain Podcast- 3 Episodes featuring Chad Whitacre (https://podcast.sustainoss.org/guests/chad-whitacre) Sustain Podcast- Episode 218: Karthik Ram & James Howison on Research Software Visibility Infrastructure Priorities (https://podcast.sustainoss.org/218) Sustain Podcast-Episode 247: Chad Whitacre on the Open Source Pledge (https://podcast.sustainoss.org/247) Invest in Open Infrastructure (https://investinopen.org/) 360Giving (https://www.360giving.org/) Open Contracting Data Standard (https://standard.open-contracting.org/latest/en/) Jellyfin (https://opencollective.com/jellyfin) zizmor (https://github.com/zizmorcore/zizmor) The LaTeX Project (https://www.latex-project.org/) Special Guests: Andrew Nesbitt, Benjamin Nickolls, and Richard Littauer.

The CyberWire
Wheels left spinning after cyber incident.

The CyberWire

Play Episode Listen Later Sep 5, 2025 29:42


A cyberattack disrupts Bridgestone's manufacturing operations. CISA warns of critical vulnerabilities in products used across multiple sectors. Additional cybersecurity firms confirm data exposure in the recent Salesforce–Salesloft Drift attack. A configuration vulnerability in Sitecore products leads to remote code execution. HHS promises stricter enforcement of healthcare information access rules. Texas sues an education software provider over a December 2024 data breach. A federal jury orders Google to pay $425 million over improperly collected user data. Nations unite for global guidance on SBOMs. On our Industry Voices segment, we are joined by Aron Anderson, Enterprise Security Manager of Adobe, on embracing the journey to zero trust. Chess.com gets caught in a tricky gambit. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. Industry Voices On our Industry Voices segment we are joined by  Aron Anderson, Enterprise Security Manager of Adobe, as he is talking about embracing the journey to zero trust. If you want to hear the full conversation from Aron, you can check it out here. Selected Reading Tire giant Bridgestone confirms cyberattack impacts manufacturing (Bleeping Computer) CISA issues ICS advisories on hardware flaws in Honeywell, Mitsubishi Electric, Delta Electronics, rail communication protocols (Industrial Cyber) More Cybersecurity Firms Hit by Salesforce-Salesloft Drift Breach (SecurityWeek) Unknown miscreants snooping around Sitecore via sample keys (The Register) HHS Says It's 'Cracking Down' on Health Information Blocking (BankInfo Security) Texas sues PowerSchool over breach exposing 62M students, 880k Texans (Bleeping Computer) Google hit with $425 million verdict in privacy class action suit (The Record) US and 14 Allies Release Joint Guidance on Software Bill of Materials (Infosecurity Magazine) Chess.com says 4,500 people had data stolen during June breach  (The Record) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Cyber Briefing
September 05, 2025 - Cyber Briefing

Cyber Briefing

Play Episode Listen Later Sep 5, 2025 14:28


If you like what you hear, please subscribe, leave us a review and tell a friend!Sap S4hana flaw exploited in the wild, Virustotal detects undetected svg phishing files, Russian Apt28 uses Outlook backdoor, Bridgestone cyberattack disrupts manufacturing, North Korean hackers run fake job interviews, Salesforce Salesloft breach impacts firms, Us and allies push Sboms, Ten million dollar reward for Russian Fsb hackers, Us sues robot toy maker exposing childrens data to Chinese developers.

Paul's Security Weekly
Naughty RBG, Docker, RDP, SBOMS, Kullback-Leibler, Oneflip, Youtube, Josh Marpet... - SWN #506

Paul's Security Weekly

Play Episode Listen Later Aug 26, 2025 33:44


Naughty RBG, Docker, RDP, SBOMS, Kullback-Leibler, Oneflip, Youtube, Josh Marpet, and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-506

Paul's Security Weekly TV
Naughty RBG, Docker, RDP, SBOMS, Kullback-Leibler, Oneflip, Youtube, Josh Marpet... - SWN #506

Paul's Security Weekly TV

Play Episode Listen Later Aug 26, 2025 33:43


Naughty RBG, Docker, RDP, SBOMS, Kullback-Leibler, Oneflip, Youtube, Josh Marpet, and more on the Security Weekly News. Show Notes: https://securityweekly.com/swn-506

Hack Naked News (Audio)
Naughty RBG, Docker, RDP, SBOMS, Kullback-Leibler, Oneflip, Youtube, Josh Marpet... - SWN #506

Hack Naked News (Audio)

Play Episode Listen Later Aug 26, 2025 33:44


Naughty RBG, Docker, RDP, SBOMS, Kullback-Leibler, Oneflip, Youtube, Josh Marpet, and more on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-506

ITSPmagazine | Technology. Cybersecurity. Society
Your Business Apps Are Bringing Friends You Didn't Invite | A Brand Story with Saša Zdjelar, Chief Trust Officer at ReversingLabs and Operating Partner at Crosspoint Capital | A Black Hat USA 2025 Conference On Location Brand Story

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Aug 14, 2025 28:03


In an era where organizations depend heavily on commercial applications to run their operations, the integrity of those applications has become a top security concern. Saša Zdjelar, Chief Trust Officer at ReversingLabs and Operating Partner at Crosspoint Capital, shares how protecting the software supply chain now extends far beyond open source risk.Zdjelar outlines how modern applications are built from a mix of first-party, contracted, open source, and proprietary third-party components. By the time software reaches production, its lineage spans geographies, development teams, and sometimes even AI-generated code. Incidents like SolarWinds, Kaseya, and CircleCI demonstrate that trusted vendors are no longer immune to compromise, and commercial software can introduce critical vulnerabilities or malicious payloads deep into enterprise systems.Regulatory drivers are increasing scrutiny. Executive Order 14028, Europe's Cyber Resilience Act, DORA, and U.S. Department of Defense software sourcing restrictions all require greater transparency, such as a Software Bill of Materials (SBOM). However, Zdjelar cautions that SBOMs—while valuable—are like ingredient lists without recipes: they don't reveal if a product is secure, just what's in it.ReversingLabs addresses this gap with a no-compromise analysis engine capable of deconstructing any file, of any size or complexity, to assess its safety. This capability enables organizations to make risk-based decisions, continuously monitor for unexpected changes between software versions, and operationalize controls at points such as procurement, SCCM deployments, or file transfers into critical environments.For CISOs, this represents a true technical control where previously only contractual clauses, questionnaires, or insurance policies existed. By placing analysis at the front of the software lifecycle, organizations can reduce reliance on costly manual testing and sandboxing, improve detection of tampering or hidden behavior, and even influence cyber insurance rates.The takeaway is clear: software supply chain security is a board-level concern, and the focus must expand beyond open source. With the right controls, organizations can avoid becoming the next headline-making breach and maintain trust with customers, partners, and regulators.Learn more about ReversingLabs: https://itspm.ag/reversinglabs-v57bNote: This story contains promotional content. Learn more.Guest: Saša Zdjelar, Chief Trust Officer at ReversingLabs and Operating Partner at Crosspoint Capital | On Linkedin: https://www.linkedin.com/in/sasazdjelar/ResourcesLearn more and catch more stories from ReversingLabs: https://www.itspmagazine.com/directory/reversinglabsLearn more about ITSPmagazine Brand Story Podcasts: https://www.itspmagazine.com/purchase-programsNewsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-upAre you interested in telling your story?https://www.itspmagazine.com/telling-your-storyKeywords: Black Hat 2025, Black Hat USA, sean martin, saša zdjelar, software supply chain security, commercial software risk, binary analysis, software bill of materials, sbom security, malicious code detection, ciso strategies, third party software risk, software tampering detection, malware analysis tools, devsecops security, application security testing, cybersecurity compliance

RCA Radio
Cybersecurity Challenges in Connected Medical Devices

RCA Radio

Play Episode Listen Later Aug 5, 2025 29:31


In this episode of RCA Radio, host Brandon Miller is joined by cybersecurity experts Jason Tugman of Regulatory Compliance Associates® and Mustanger Ali of BSI to unpack the evolving landscape of cybersecurity in medical devices. Together, they explore the latest FDA and EU guidance, the growing expectations for connected device security, and the top gaps companies face when bringing products to market. From threat modeling and SBOMs to legacy device challenges and global regulatory alignment, this episode offers practical insights for MedTech developers navigating today's complex cybersecurity requirements. Whether you're launching a new device or updating an existing one, this conversation is packed with actionable advice to help you stay secure and compliant. 

CHAOSScast
Episode 115: Trends from UN OSS Week and OSSNA

CHAOSScast

Play Episode Listen Later Jul 24, 2025 72:58


Thank you to the folks at Sustain (https://sustainoss.org/) for providing the hosting account for CHAOSSCast! In this double-length CHAOSScast special episode, hosts Harmony Elendu and George Link along with panelists from the CHAOSS community, come together to reflect on their experiences at two major open source events: CHAOSScon North America (co-located with the Open Source Summit) and the United Nations Open Source Week in New York. The episode is packed with personal insights, highlighted key talks, software updates, themes from the events, memorable community interactions, and thoughtful conversations about the future of open source, digital sovereignty, and sustainability. Press download now! [00:00:19] Harmony and the guests introduce themselves and their roles in CHAOSS and the open source community. [00:02:36] Everyone shares their CHAOSScon talk highlights. [00:10:49] Conference moments and experiences are talked about such as Linux Foundation's puppy therapy booths to reduce stress, knitting as a conversation starter, and spontaneous hallway discussions about software security and SBOMs. [00:17:10] Software updates: Augur now runs easily via Docker Compose, making it accessible to more users. [00:18:59] Elizabeth explains behind the scenes of organizing CHAOSScon with Linux Foundation support, and challenges with speaker curation, CFP management, and logistics. [00:23:17] Harmony invites listeners to CHAOSScon Africa and OSCAFEST'25 happening in August, both in the same week and same location. [00:23:45] Elizabeth, Laura, and Andrew share their CHAOSS booth experiences. [00:28:28] The guests talk about meeting longtime online collaborators in person for the first time. [00:30:16] Cali talks about the Data Science Hackathon, student participation, hands-on project exploration with 8Knot and Auger and the event was hosted by the CHAOSS Data Science Working Group. [00:36:43] Part 2 starts here as host Georg Link takes over with guests Divya, Ruth, and Daniel, who all attended the United Nations Open Source Week in New York. [00:39:45] We hear some key moments from the UN Open Source Week 2025: Governments increasingly adopting OSPOs, sessions on humanitarian tech and open source for crisis response, the energy, engagement, and diversity of thought. [00:50:09] Ruth shares something new she learned going to an Open Source Hardware presentation where they did a demo of DIY microscopes and Georg shares an inspiring story he learned using open hardware. [00:52:12] After being at this conference, Ruth sees open source headed for digital sovereignty and there's a discussion on the trend toward collaborative Digital Public Infrastructure (DPI) and public goods. [00:55:37] There's a conversation on sustainability and open source communities. [01:01:09] Governance and transparency is discussed, Daniel shares an example with Germany's Sovereign Tech Fund supporting critical infrastructure, and Divya shares going to a session that was focused on payments. [01:06:05] We end with Georg highlighting to check out some recordings from the UN Open Source Week 2025 website and to check out the UN Open Source Principles. Value Adds (Picks) of the week: [00:32:03] Harmony's pick is a local coffee. [00:32:26] Cali's pick is being able to road bike for the first time since surgery. [00:33:05] Elizabeth's pick is feeling grateful to be in an industry that provides opportunities to meet with and connect with people from all over the world. [00:34:39] Laura's pick is spending two weeks with open source folks who care far more about people than profits. [00:35:14] Andrew's pick is reconnecting with Elizabeth and first time traveling with the Timeshifter App to help with jet lag. [01:07:32] Ruth's pick is friends. [01:08:00] Daniel's pick is the Digital Resilience Forum. [01:09:27] Divya's pick is tinkering with pottery. [01:11:16] Georg's pick is his herbal garden. Panelists: Harmony Elendu Georg Link Guests: Elizabeth Barron Andrew Nesbitt Cali Dolfi Laura Langdon Divya Mohan Ruth Ikegah Daniel Izquierdo Links: CHAOSS (https://chaoss.community/) CHAOSS Project X (https://twitter.com/chaossproj?lang=en) CHAOSScast Podcast (https://podcast.chaoss.community/) CHAOSS YouTube (https://www.youtube.com/@CHAOSStube/videos) podcast@chaoss.community (mailto:podcast@chaoss.community) Georg Link Website (https://georg.link/) Harmony Elendu X (https://x.com/ogaharmony) Elizabeth Barron X (https://twitter.com/elizabethn) Andrew Nesbitt Mastodon (https://www.timeshifter.com/) Andrew Nesbitt Website (https://nesbitt.io/) Cali Dolfi LinkedIn (https://www.linkedin.com/in/calidolfi/) Cali Dolfi X (https://x.com/calidolphinn?lang=en) Laura Langdon Website (https://www.lauralangdon.io/) Laura Langdon Mastodon (https://hachyderm.io/@LauraLangdon) Ruth Ikegah X (https://twitter.com/IkegahRuth) Ruth Ikegah LinkedIn (https://www.linkedin.com/in/ruth-ikegah/) Divya Mohan Website (https://www.divyamohan.com/) Divya Mohan LinkedIn (https://www.linkedin.com/in/divya-mohan0209/) Daniel Izquierdo LinkedIn (https://www.linkedin.com/in/dicortazar/?original_referer=https%3A%2F%2Fwww%2Egoogle%2Ecom%2F&originalSubdomain=es) CHAOSScon Africa 2025 (https://chaoss.community/chaosscon-africa-2025/) OSCAFEST'25 (https://festival.oscafrica.org/) CHAOSS Data Science Working Group (https://github.com/chaoss/wg-data-science) Timeshifter Apps (https://www.timeshifter.com/) Digital Public Goods Registry (https://www.digitalpublicgoods.net/registry) Sovereign Tech Agency (https://www.sovereign.tech/) United Nations Open Source Week 2025 (https://www.un.org/digital-emerging-technologies/content/open-source-week-2025) United Nations Digital Public Goods (https://www.un.org/digital-emerging-technologies/content/digital-public-goods) United Nations Open Source Principles (https://unite.un.org/news/osi-first-endorse-united-nations-open-source-principles) OpenFlexure Microscope (open hardware project) (https://openflexure.org/projects/microscope/) Digital Resilience Forum (https://digitalresilienceforum.com/) Special Guests: Andrew Nesbitt, Cali Dolfi, Divya Mohan, and Laura Langdon.

Open Source Security Podcast
Package URLs with Philippe Ombredanne

Open Source Security Podcast

Play Episode Listen Later Jun 23, 2025 36:48


I'm joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages. We dive into how PURLs provide a universal, common-sense standard that is becoming essential for the future of SBOMs and securing the software supply chain. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-06-purl-philippe-ombredanne/

ITSPmagazine | Technology. Cybersecurity. Society
Building Trust Through AI and Software Transparency: The Real Value of SBOMs and AISBOMs | An RSAC Conference 2025 Conversation with Helen Oakley and Dmitry Raidman | On Location Coverage with Sean Martin and Marco Ciappelli

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Apr 30, 2025 19:37


Helen Oakley, Senior Director of Product Security at SAP, and Dmitry Raidman, Co-founder and CTO of Cybeats, joined us live at the RSAC Conference to bring clarity to one of the most urgent topics in cybersecurity: transparency in the software and AI supply chain. Their message is direct—organizations not only need to understand what's in their software, they need to understand the origin, integrity, and impact of those components, especially as artificial intelligence becomes more deeply integrated into business operations.SBOMs Are Not Optional AnymoreSoftware Bills of Materials (SBOMs) have long been a recommended best practice, but they're now reaching a point of necessity. As Dmitry noted, organizations are increasingly requiring SBOMs before making purchase decisions—“If you're not going to give me an SBOM, I'm not going to buy your product.” With regulatory pressure mounting through frameworks like the EU Cyber Resilience Act (CRA), the demand for transparency is being driven not just by compliance, but by real operational value. Companies adopting SBOMs are seeing tangible returns—saving hundreds of hours on risk analysis and response, while also improving internal visibility.Bringing AI into the SBOM FoldBut what happens when the software includes AI models, data pipelines, and autonomous agents? Helen and Dmitry are leading a community-driven initiative to create AI-specific SBOMs—referred to as AI SBOMs or AISBOMs—to capture critical metadata beyond just the code. This includes model architectures, training data, energy consumption, and more. These elements are vital for risk management, especially when organizations may be unknowingly deploying models with embedded vulnerabilities or opaque dependencies.A Tool for the Community, Built by the CommunityIn an important milestone for the industry, Helen and Dmitry also introduced the first open source tool capable of generating CycloneDX-formatted AISBOMs for models hosted on Hugging Face. This practical step bridges the gap between standards and implementation—helping organizations move from theoretical compliance to actionable insight. The community's response has been overwhelmingly positive, signaling a clear demand for tools that turn complexity into clarity.Why Security Leaders Should Pay AttentionThe real value of an SBOM—whether for software or AI—is not just external compliance. It's about knowing what you have, recognizing your crown jewels, and understanding where your risks lie. As AI compounds existing vulnerabilities and introduces new ones, starting with transparency is no longer a suggestion—it's a strategic necessity.Want to see how this all fits together? Hear it directly from Helen and Dmitry in this episode.___________Guests: Helen Oakley, Senior Director of Product Security at SAP | https://www.linkedin.com/in/helen-oakley/Dmitry Raidman, Co-founder and CTO of Cybeats | https://www.linkedin.com/in/draidman/Hosts:Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.comMarco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com___________Episode SponsorsThreatLocker: https://itspm.ag/threatlocker-r974Akamai: https://itspm.ag/akamailbwcBlackCloak: https://itspm.ag/itspbcwebSandboxAQ: https://itspm.ag/sandboxaq-j2enArcher: https://itspm.ag/rsaarchwebDropzone AI: https://itspm.ag/dropzoneai-641ISACA: https://itspm.ag/isaca-96808ObjectFirst: https://itspm.ag/object-first-2gjlEdera: https://itspm.ag/edera-434868___________ResourcesLinkedIn Post with Links: https://www.linkedin.com/posts/helen-oakley_ai-sbom-aisbom-activity-7323123172852015106-TJeaLearn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsa-conference-usa-2025-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage______________________KEYWORDShelen oakley, dmitry raidman, sean martin, rsac 2025, sbom, aisbom, ai security, software supply chain, transparency, open source, event coverage, on location, conference______________________Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

Thinking Elixir Podcast
250: EEF Elections and Security

Thinking Elixir Podcast

Play Episode Listen Later Apr 22, 2025 14:23


News includes EEF board elections with voting beginning May 9th, Gleam v1.10.0 enhancing security with SBoMs and SLSA build provenance, an AshAuthentication vulnerability with mitigation steps, the Elixir Secure Coding Training project finding a permanent home at the EEF, announcements for both ElixirConf US 2025 in Orlando and ElixirConfEU in Krakow with speaker lineup, and more! Show Notes online - http://podcast.thinkingelixir.com/250 (http://podcast.thinkingelixir.com/250) Elixir Community News https://paraxial.io/ (https://paraxial.io/?utm_source=thinkingelixir&utm_medium=shownotes) – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a limited time offer. https://erlef.org/blog/eef/election-2025 (https://erlef.org/blog/eef/election-2025?utm_source=thinkingelixir&utm_medium=shownotes) – EEF board elections announced with important dates - candidacy submissions by May 8th, voting open May 9-16th. https://x.com/TheErlef/status/1911847956308959650 (https://x.com/TheErlef/status/1911847956308959650?utm_source=thinkingelixir&utm_medium=shownotes) – Gleam v1.10.0 will ship with Build SBoMs and SLSA build provenance for all release artifacts and Docker images, improving visibility into dependencies and software supply chain security. https://x.com/theerlef/status/1910348770514006242 (https://x.com/theerlef/status/1910348770514006242?utm_source=thinkingelixir&utm_medium=shownotes) – The "Elixir Secure Coding Training (ESCT)" project has been transferred to the Erlang Ecosystem Foundation for a more permanent home and maintainership. https://bsky.app/profile/davelucia.com/post/3lmcqhzoc7c26 (https://bsky.app/profile/davelucia.com/post/3lmcqhzoc7c26?utm_source=thinkingelixir&utm_medium=shownotes) – Dave Lucia shares information about the ESCT project transfer from Podium to TvLabs and ultimately to the EEF. https://github.com/erlef/elixir-secure-coding (https://github.com/erlef/elixir-secure-coding?utm_source=thinkingelixir&utm_medium=shownotes) – An interactive cybersecurity curriculum designed for enterprise use at software companies using Elixir. https://github.com/phoenixframework/phoenix/pull/6184 (https://github.com/phoenixframework/phoenix/pull/6184?utm_source=thinkingelixir&utm_medium=shownotes) – Fix for Plug.Debugger screen which was showing ANSI codes in HTML. https://github.com/phoenixframework/phoenix/pull/6194 (https://github.com/phoenixframework/phoenix/pull/6194?utm_source=thinkingelixir&utm_medium=shownotes) – Fix for the Phoenix installer's incorrect application of custom variants in tailwind v4. https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787 (https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787?utm_source=thinkingelixir&utm_medium=shownotes) – AshAuthentication vulnerability published with mitigation steps - update packages, set requireinteraction to true, and add confirmroute above auth_routes. https://elixirconf.com/ (https://elixirconf.com/?utm_source=thinkingelixir&utm_medium=shownotes) – ElixirConf US 2025 is open for submitting talks and workshops in Orlando. Talk submissions due April 29, workshop submissions due April 15. https://x.com/elixirconf/status/1907843035544826137 (https://x.com/elixirconf/status/1907843035544826137?utm_source=thinkingelixir&utm_medium=shownotes) – Announcement for ElixirConf US 2025 in Orlando with deadlines for talk and workshop submissions. https://x.com/ElixirConfEU/status/1911747531953832323 (https://x.com/ElixirConfEU/status/1911747531953832323?utm_source=thinkingelixir&utm_medium=shownotes) – ElixirConfEU Speakers were announced for the upcoming conference in Krakow, Poland. https://www.elixirconf.eu/#tickets (https://www.elixirconf.eu/#tickets?utm_source=thinkingelixir&utm_medium=shownotes) – Ticket information for ElixirConfEU - 250 Euros for virtual ticket, 600 Euros for in-person ticket. https://www.elixirconf.eu/#keynotes (https://www.elixirconf.eu/#keynotes?utm_source=thinkingelixir&utm_medium=shownotes) – Keynote information for ElixirConfEU in Krakow, Poland, May 14-16 (training on May 14, regular sessions on May 15-16). Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com (mailto:show@thinkingelixir.com) Find us online - Message the show - Bluesky (https://bsky.app/profile/thinkingelixir.com) - Message the show - X (https://x.com/ThinkingElixir) - Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir) - Email the show - show@thinkingelixir.com (mailto:show@thinkingelixir.com) - Mark Ericksen on X - @brainlid (https://x.com/brainlid) - Mark Ericksen on Bluesky - @brainlid.bsky.social (https://bsky.app/profile/brainlid.bsky.social) - Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid) - David Bernheisel on Bluesky - @david.bernheisel.com (https://bsky.app/profile/david.bernheisel.com) - David Bernheisel on Fediverse - @dbern@genserver.social (https://genserver.social/dbern)