Podcasts about Supply chain security

Cybersecurity assurance was supposed to give boards, regulators, customers, and partners a clear answer to one question: can the security of the organizations they depend on actually be trusted? In 2026, that answer is harder than ever to come by. Supply chains are sprawling, attackers are pivoting through third parties, and too many assurance reports still rely on questionnaires, self-attestations, and frameworks that have not kept pace with the threat landscape. The 2026 HITRUST Trust Report calls that gap what it is: a Trust Crisis. In this Brand Spotlight, Vincent Bennekers, VP of Quality at HITRUST, walks through what four years of performance data across thousands of certified environments now show: 99.62% of HITRUST-certified environments remained breach-free in 2025. That stands in stark contrast to industry surveys reporting that more than 40% of organizations have experienced a breach. Vincent Bennekers is direct on why the numbers hold up: prescriptive controls, a centralized quality review, and an assurance methodology built for measurable outcomes rather than checkbox compliance. Healthcare makes the point even sharper. HITRUST examined the top fifty breaches on the HHS OCR breach portal, the public listing some in the industry refer to as the wall of shame. None of them occurred in a HITRUST-certified environment. For an industry that consistently ranks as the most breached and the most expensive to breach, that is a signal worth pausing on. Quality of the report itself matters as much as the framework behind it. Vincent Bennekers describes a layered review model with automated and manual checks, independent reviewers, and centralized HITRUST quality assurance prior to issuance. Every certification HITRUST issues goes through that same review. Stakeholders consuming any other assurance report should be asking exactly how its integrity is being ensured, and what is actually behind the stamp. Supply chain risk is the throughline. The 2025 Verizon Data Breach Investigations Report found third-party-involved breaches doubled, climbing from 15% to 30%. HITRUST requires service provider coverage, mandatory in the r2 assessment and optional but heavily adopted in the e1 and i1, where over 80% of organizations are choosing to address service provider controls thanks to a streamlined inheritance model. The report closes with a five-step roadmap for stakeholders: shift from flexible compliance to threat-intelligent assurance, verify assurance report integrity, reduce supply chain exposure, secure AI implementations through prescriptive controls, and reassess the definition of good information security assurance. Vincent Bennekers is clear that AI belongs in this conversation now, with HITRUST offering AI certification to address risks across data protection, model integrity, and automated decision-making. This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight GUEST Vincent Bennekers, VP of Quality at HITRUST LinkedIn: https://www.linkedin.com/in/vincent-bennekers-a0b3201/ RESOURCES Learn more about HITRUST: https://hitrustalliance.net/ Download the 2026 HITRUST Trust Report: https://hitrustalliance.net/trust-report Are you interested in telling your story? ▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full ▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight ▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight KEYWORDS Vincent Bennekers, HITRUST, Sean Martin, brand story, brand marketing, marketing podcast, brand spotlight, 2026 HITRUST Trust Report, trust crisis, cybersecurity assurance, third-party risk, supply chain security, healthcare cybersecurity, HHS OCR breach portal, HITRUST certification, r2 certification, e1 certification, i1 certification, threat-intelligent assurance, AI security certification, information risk management Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

⬥EPISODE NOTES⬥ The most dangerous sentence in cybersecurity disclosure right now is "no evidence of unauthorized access to our network." It is technically true. It is also operationally hollow. The customer whose data is on a leak site does not care which network it left from. The plaintiff in Bexar County does not care. The regulator about to receive a federal incident report under a 72-hour clock that starts at suspicion, not confirmation, will not care. In April 2026, two U.S. banks disclosed an incident at the same unnamed third-party vendor. Six class action lawsuits followed in two weeks. The vendor still has not been publicly named. The plaintiffs sued the banks anyway. In a separate situation, an alleged Adobe breach surfaced through a threat actor's claims about a third-party business process outsourcing firm -- and as of the coverage reviewed for this analysis, no public confirmation or denial from Adobe had surfaced. This is the Common Point of Failure pattern, and it is arriving with enough frequency that it deserves to be named clearly.

⬥EPISODE NOTES⬥ The most dangerous sentence in cybersecurity disclosure right now is "no evidence of unauthorized access to our network." It is technically true. It is also operationally hollow. The customer whose data is on a leak site does not care which network it left from. The plaintiff in Bexar County does not care. The regulator about to receive a federal incident report under a 72-hour clock that starts at suspicion, not confirmation, will not care. In April 2026, two U.S. banks disclosed an incident at the same unnamed third-party vendor. Six class action lawsuits followed in two weeks. The vendor still has not been publicly named. The plaintiffs sued the banks anyway. In a separate situation, an alleged Adobe breach surfaced through a threat actor's claims about a third-party business process outsourcing firm -- and as of the coverage reviewed for this analysis, no public confirmation or denial from Adobe had surfaced. This is the Common Point of Failure pattern, and it is arriving with enough frequency that it deserves to be named clearly.

In this episode, Danny Ramon from Overhaul brings another insightful conversation about staying ahead of rapidly evolving strategic cargo theft and fraudulent double-brokering schemes in a global market! Danny shares how bad actors are moving from traditional smash-and-grab tactics to complex fictitious pickups and identity theft, essentially running their criminal enterprises with the efficiency of a direct-to-consumer business, the critical need for carrier verification, the impact of broker liability, and why simply having cargo insurance isn't enough when the true cost of a loss is three to seven times the value of the freight. From the lack of a DOT equivalent in the EU to the implementation of biometric security at the dock, we're covering the high-tech hurdles and the boots-on-the-ground prevention strategies you need to protect your margins!   About Danny Ramon Danny Ramon has been working in Supply Chain Security for over 15 years and specializing in Supply Chain Intelligence for the last 13. Danny studies both cargo theft and any factor that can affect the flow of cargo through the supply chain to identify how variables might interfere with the flow of global logistics. In his role as Director of Intelligence and Response at Overhaul, Danny not only presents these findings to the security and logistics teams at the world's largest technology and pharmaceutical companies, but also leads the recovery and investigations team that works closely with law enforcement and private resources across the globe to recover stolen cargo and apprehend the criminals involved. Danny spreads awareness of cargo theft and promotes supply chain visibility as a subject matter expert. He is quoted or published in several leading industry publications, including Transport Topics, Supply Chain Brain, Fleet Owner, FreightWaves, and CCJDigital and he has presented for Inland Marine Underwriters Association (IMUA), the International Supply Chain Protection Organization (ISCPO), the Transportation and Logistics Council (TLC), Miami-Dade Police Department (MDPD), Ocean Carrier Equipment Management Association (OCEMA), National Motor Freight Traffic Association (NMFTA), and the Transported Asset Protection Association (TAPA).   Connect with Danny Website: https://over-haul.com/  LinkedIn: https://www.linkedin.com/in/danny-ramon-97472855/  

Guest: Dan Lorenc, Founder / CEO, Chainguard Topics: We just saw a security tool (Trivy) get used to pop an AI infrastructure tool (LiteLLM) to eventually pop end users. Have we reached the point where our security tooling is actually our largest unmanaged attack surface?  Why now? Software supply chain security had the perennial vibe of "not top concern" for most organizations, right? TeamPCP pushed malicious code to existing GitHub tags. We've been screaming about pinning versions to SHAs for years, but clearly, nobody is listening. Is it time to admit that 'convenience' is the primary enemy of supply chain security? The Axios incident showed a victim compromised in under two minutes. In a world of auto-updating dependencies, is the concept of a human-in-the-loop for software updates officially dead, or do we need to look very hard at version pinning and such? With XZ Utils case, we saw a long-game social engineering attack. Beyond just 'watching npm closely,' what are the realistic architectural safeguards for an org that knows they can't audit every line of an update? We've spent the last three years talking about SBOMs (Software Bill of Materials) like they were a pill for supply chain health. But if the scanner producing the SBOM is the one that's compromised, isn't the SBOM just a signed receipt for your own house being on fire?  What is the one practical thing they can do to ensure their CI/CD isn't a credential-exfiltration-as-a-service platform? Resources: Video version North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack EP100 2022 Accelerate State of DevOps Report and Software Supply Chain Security EP116 SBOMs: A Step Towards a More Secure Software Supply Chain EP226 AI Supply Chain Security: Old Lessons, New Poisons, and Agentic Dreams EP24 Linking Up The Pieces: Software Supply Chain Security at Google and Beyond Matt Levine blog

“We're witnessing what I would consider the most structurally disruptive pharmaceutical moment I've seen in my career—and it's being driven by consumers.”Ryan Kelly, Interim CEO and Senior Director of Supply Chain Security and Brand Protection at Rx-360, has seen pharma's direct-to-consumer transformation from multiple angles—building pharmacy operations at Amazon during the PillPack acquisition, scaling the largest cash pharmacy in the U.S. at Chewy, and now leading supply chain security for a 130-member industry consortium. His verdict: the infrastructure isn't keeping up.In the latest PharmaSource podcast episode, Ryan explains why GLP-1 demand and the rise of direct-to-consumer platforms such as TrumpRX have become the stress test pharma's supply chain never prepared for—and what manufacturers need to do before the system breaks.

Ken Johnson and Seth Law reflect on the 2026 RSA Conference and BSidesSF, noting an industry-wide "awakening" regarding the high costs and engineering complexities of operationalizing AI security tools. A major focus is the recent "supply chain attack hell," specifically the compromise of the Axios HTTP client through dual-account breaches that allowed attackers to bypass legitimate OIDC deploy setups via a misconfigured NPM CLI. The malware used was particularly evasive, deleting itself and replacing its package.json with a clean version post-execution. The hosts also discuss the emergence of the "Agentic Development Lifecycle" (ADLC), where engineering teams are increasingly "committing on time" rather than features, creating a volume of code that traditional security gates cannot manage. They debate Thomas Ptacek's thesis that AI agents will soon "supplant" human vulnerability research for common bug classes, shifting the human role toward high-level governance and "context infusion". Economically, they highlight how Anthropic's security announcements contributed to nearly half a trillion dollars in market value loss for traditional security firms, as investors increasingly bet on frontier models to consume established security domains.

Supply Chain Security deixou de ser teoria e virou problema real. Neste episódio, destrinchamos os casos recentes envolvendo ferramentas amplamente utilizadas como Trivy, KICS e a biblioteca Axios e o que eles expõem sobre a fragilidade da cadeia de dependências.Falamos sobre o risco invisível que roda dentro do seu pipeline, como ataques em ferramentas “confiáveis” mudam completamente o jogo e por que confiar cegamente em scanners e bibliotecas populares pode ser um erro caro. Não é só sobre vulnerabilidades conhecidas, é sobre confiança quebrada. Você vai sair com uma visão prática de como esses incidentes acontecem, onde estão os pontos cegos no seu processo e o que precisa mudar agora para não virar o próximo case.Become a supporter of this podcast: https://www.spreaker.com/podcast/devsecops-podcast--4179006/support.Apoio: Nova8, Snyk, Conviso, Gold Security, Digitalwolk e PurpleBird Security.

What if one of the most critical components in modern technology — from fighter jets to smartphones — is also one of the most overlooked? In this episode of The China Desk Podcast, host Steve Yates sits down with David Schild, Executive Director of the Printed Circuit Board Association of America (PCBAA), to break down the strategic importance of printed circuit boards (PCBs) and why they have become a major vulnerability in the U.S.–China competition. Schild explains that while policymakers have focused heavily on semiconductors and rare earths, the United States has largely ignored the “middle layer” of the electronics stack — printed circuit boards — which connect and enable every advanced system in modern life. From defense systems and AI data centers to power grids and consumer electronics, virtually everything relies on PCBs. The conversation details how China came to dominate global PCB production through long-term industrial policy, subsidies, and strategic investment, while U.S. production collapsed from roughly 30% of global supply to just 4% today. This shift has created serious national security concerns, including supply chain dependence, risks to trusted and secure systems, and the loss of domestic research and development. The discussion also explores: • Why PCB dependency poses risks to defense systems and critical infrastructure • How “dual-use” and commercial off-the-shelf components create loopholes in defense procurement • What happens to U.S. supply chains in a Taiwan crisis or major disruption in Asia • The lack of surge manufacturing capacity in the United States • Policy solutions including the PCBS Act, tax incentives, and Buy America requirements • The role of tariffs, industrial policy, and strategic investment in rebuilding domestic production • Why industrial policy and national security are now inseparable Schild argues that rebuilding U.S. PCB manufacturing is not just an economic issue — it is essential to maintaining technological leadership, securing supply chains, and ensuring that the United States can compete in an era of great power competition. Watch Full-Length Interviews: https://www.youtube.com/@ChinaDeskFNW

Tony Anscombe has attended RSA Conference since 1998 -- back when it was held at the Fairmont Hotel. That long view informs everything about how ESET approaches threat intelligence. It is not about volume. It is about accuracy, speed, and putting the right signal in front of the right team at the right moment. The ESET eCrime Ecosystem Report comes in two forms: a business-facing summary outlining current risks for leadership, and a long-form technical report for analysts -- complete with IOCs, coding examples, and structured intelligence feeds covering ransomware, crypto scams, malicious email attachments, and infostealer data. These feeds are built to plug directly into SOC workflows and firewall rules, not to create more work for already stretched teams. Tony Anscombe is direct about the quality problem in threat intelligence. Open-source feeds sound appealing -- until you factor in the analyst hours required to clean out the noise. By then, the intelligence is stale. Attacks circle the globe in hours. Near-real-time, verified intelligence is not a premium -- it is the baseline requirement. The threat detection conversation has also moved well past malware. Anscombe walks through how modern attackers often skip the payload entirely -- credential theft gets them in, then slow lateral movement and data exfiltration follow, with ransomware as the final act rather than the first signal. ESET's platform focuses on behavioral anomaly detection across the full environment, with on-site, cloud, and managed deployment options for organizations that cannot or will not go all-in on cloud architecture. At RSAC Conference 2026, ESET will be at booth 5253 in Moscone North. Anscombe has two sessions on the Wednesday agenda: one on supply chain blind spots -- urging security teams to engage directly with the business side to map third-party risk fully -- and a community rant session tackling four things that need to change in cybersecurity, including the cryptocurrency regulation debate. On AI, his message is measured: the real conversation at the show is not about using AI -- it is about securing it. This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight GUEST Tony Anscombe, Chief Security Evangelist, ESET LinkedIn: https://www.linkedin.com/in/tonyanscombe/ RESOURCES ESET website: https://www.eset.com ESET threat research blog (WeLiveSecurity): https://www.welivesecurity.com ESET at RSAC Conference 2026 -- Booth 5253, Moscone North Are you interested in telling your story? ▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full ▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight ▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight KEYWORDS Tony Anscombe, ESET, Sean Martin, RSAC Conference 2026, eCrime, threat intelligence, eCrime Ecosystem Report, cybersecurity, endpoint protection, MDR, threat detection, supply chain security, AI security, ransomware, infostealer, brand spotlight, brand marketing, marketing podcast, brand story Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

Third-party-related breaches have doubled in the last 12 months. Ryan Patrick, Executive Vice President of TPRM Customer Solutions at HITRUST, is not surprised. As organizations outsource more to stay focused on core competencies, the vendor attack surface grows -- and malicious actors are exploiting it through a pattern Patrick calls "island hopping": land on a smaller vendor, secure a foothold, then move laterally toward the real target. The Stryker attack, which unfolded in real time during HIMSS 2026, made the stakes concrete. What began as a nation-state operation quickly became a supply chain crisis. Hospitals relying on Stryker products scrambled -- not because their own environments were breached, but because a critical supplier went down. Patrick argues that availability of services deserves equal weight to confidentiality, especially when a supplier outage directly impacts patient care and revenue. AI adds a new layer of urgency to vendor risk. Vendors are quietly adding AI capabilities to existing products -- sometimes without notifying customers. An EHR platform might add a clinical decision support model as a routine feature update. The health system consuming it may lack the leverage to audit what that model does with patient data. In agentic AI scenarios, where decisions happen without a human in the loop, the consequences are clinical, not just operational. Patrick's advice for managing AI risk: stop treating it as a fundamentally different category. Layer it into existing security programs, policies, and governance frameworks. The uniqueness lies in how you assess AI risk -- not in abandoning what already works. The industry, he observes, is finally moving past the wait-and-see phase. The data on HITRUST certification outcomes is compelling. One organization has gone seven to eight years without a security incident by requiring all vendors to achieve HITRUST certification. External vulnerability platforms like SecurityScorecard and RiskRecon independently confirm the pattern: HITRUST-certified vendors score measurably higher. Certified vendors mature over time. Non-certified vendors plateau. This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight GUEST Ryan Patrick, Executive Vice President, TPRM Customer Solutions, HITRUSThttps://www.linkedin.com/in/ryan-patrick-3699117a/ RESOURCES HITRUST: https://hitrustalliance.net HIMSS 2026 Coverage: https://www.itspmagazine.com/cybersecurity-technology-society-events/himss-global-health-conference-amp-exhibition-2026 Are you interested in telling your story? ▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full ▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight ▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight KEYWORDS Ryan Patrick, HITRUST, Sean Martin, third-party risk management, TPRM, supply chain security, healthcare cybersecurity, HIMSS 2026, AI security, EHR security, vendor risk, HIPAA compliance, CIA triad, supply chain resilience, agentic AI, healthcare data security, brand spotlight, brand marketing, marketing podcast, brand spotlight Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

Freight fraud has moved way past the old stereotype of random cargo theft.Barry Conlon, CEO of Overhaul, joins Blythe from Manifest to break down what's actually happening in the market: more sophisticated criminal networks, more pressure on shippers to own the problem, and a growing gap between how fast freight moves and how well it gets verified. He argues that prevention matters more than recovery, because by the time you're chasing freight down, the damage is already done. A few standout points from the conversation:Barry says the last 24 to 36 months have brought a level of volume and sophistication he has never seen before. He ties part of the shift back to post-COVID buyer behavior and the ease of moving stolen goods back into gray markets. He says Overhaul protects about $1.4 trillion in cargo value on its platform and focuses on identifying non-compliance before it becomes a loss. He explains how fraud varies by geography, with North American fraud tactics spreading abroad while markets like Mexico and Brazil often involve more overt hijacking risk. He makes the case that cargo risk is now a boardroom issue because lost product often cannot be replaced fast enough, which turns a theft problem into a market share problem.Links from the show: Overhaul's latest insight on cargo crimeConnect with Barry on LinkedInWatch this episode on YouTubeFeedback? Ideas for a future episode? Shoot us a text here to let us know. -----------------------------------------THANK YOU TO OUR SPONSORS! SPI Logistics has been a Day 1 supporter of this podcast which is why we're proud to promote them in every episode. During that time, we've gotten to know the team and their agents to confidently say they are the best home for freight agents in North America for 40 years and counting. Listen to past episodes to hear why. CargoRex is the search engine for the logistics industry—connecting LSPs with the right tools, services, events, and creators to explore, discover, and evolve. Digital Dispatch maximizes and manages your #1 sales tool with a website that establishes trust and builds rock-solid relationships with your leads and customers.

Interview with Anna Pham Breaking in with ClickFix: Anatomy of a modern endpoint attack Cybersecurity company Huntress just published a report on a new ClickFix variant they've discovered, which they've dubbed CrashFix. This technique was developed by KongTuke to serve as the primary lure within a new custom malicious browser extension also created by the group. In short, the team observed the threat actors using KongTuke's malicious browser extension to display a fake security warning, claiming the browser had “stopped abnormally” and prompting users to run a “scan” to remediate the threats. Upon “running the scan,” the user is presented with a fake “Security issues detected” alert and instructed to manually “fix” the issue by opening the Windows Run dialog, pasting from their clipboard, and pressing Enter. The malicious extension silently copies a PowerShell command to the clipboard, disguised as a legitimate repair command. From there, they execute the malicious command. Segment Resources: BLOG - Dissecting CrashFix: KongTuke's New Toy Interview with David Zendzian Continuous compliance and real security lifecycle management Supply chain attacks are not just on the rise; attackers are learning from the past, making these attacks even more effective and dangerous than before. It was just over a month ago when the Shai-Hulud attack first impacted NPM packages, forcing enterprises around the world into lockdown. While only 187 packages were compromised in that initial incident, it served as a wake-up call for many: an accurate inventory of systems is good, but a clear, real-time Software Bill of Materials (SBOM) for applications is non-negotiable. In this world of manifest based infrastructure and container based applications with (real) "devsecops", the dream of continuous upgrades of OS/Runtime/Stack/App and App Dependencies is very mature and there are solid examples of companies and federal entities managing this at scale without thousands of teams and people. Segment Resources: BLOG - Supply Chain Security: How accurate SBOMs can deliver proactive threat mitigation Interview with Jacob Horne CMMC Phase 1 Enforcement — What the November 10 Deadline Means for the Defense Supply Chain With the upcoming CMMC Phase 1 enforcement on November 10, cybersecurity teams across the defense and federal supply chain are facing new compliance requirements that directly affect contract eligibility and data-protection standards. Jacob Horne, Chief Cybersecurity Evangelist at Summit 7, can break down what this milestone means for enterprise security leaders, MSPs/MSSPs, and contractors preparing for audits. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-449

Interview with Anna Pham Breaking in with ClickFix: Anatomy of a modern endpoint attack Cybersecurity company Huntress just published a report on a new ClickFix variant they've discovered, which they've dubbed CrashFix. This technique was developed by KongTuke to serve as the primary lure within a new custom malicious browser extension also created by the group. In short, the team observed the threat actors using KongTuke's malicious browser extension to display a fake security warning, claiming the browser had "stopped abnormally" and prompting users to run a "scan" to remediate the threats. Upon "running the scan," the user is presented with a fake "Security issues detected" alert and instructed to manually "fix" the issue by opening the Windows Run dialog, pasting from their clipboard, and pressing Enter. The malicious extension silently copies a PowerShell command to the clipboard, disguised as a legitimate repair command. From there, they execute the malicious command. Segment Resources: BLOG - Dissecting CrashFix: KongTuke's New Toy Interview with David Zendzian Continuous compliance and real security lifecycle management Supply chain attacks are not just on the rise; attackers are learning from the past, making these attacks even more effective and dangerous than before. It was just over a month ago when the Shai-Hulud attack first impacted NPM packages, forcing enterprises around the world into lockdown. While only 187 packages were compromised in that initial incident, it served as a wake-up call for many: an accurate inventory of systems is good, but a clear, real-time Software Bill of Materials (SBOM) for applications is non-negotiable. In this world of manifest based infrastructure and container based applications with (real) "devsecops", the dream of continuous upgrades of OS/Runtime/Stack/App and App Dependencies is very mature and there are solid examples of companies and federal entities managing this at scale without thousands of teams and people. Segment Resources: BLOG - Supply Chain Security: How accurate SBOMs can deliver proactive threat mitigation Interview with Jacob Horne CMMC Phase 1 Enforcement — What the November 10 Deadline Means for the Defense Supply Chain With the upcoming CMMC Phase 1 enforcement on November 10, cybersecurity teams across the defense and federal supply chain are facing new compliance requirements that directly affect contract eligibility and data-protection standards. Jacob Horne, Chief Cybersecurity Evangelist at Summit 7, can break down what this milestone means for enterprise security leaders, MSPs/MSSPs, and contractors preparing for audits. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-449

Interview with Anna Pham Breaking in with ClickFix: Anatomy of a modern endpoint attack Cybersecurity company Huntress just published a report on a new ClickFix variant they've discovered, which they've dubbed CrashFix. This technique was developed by KongTuke to serve as the primary lure within a new custom malicious browser extension also created by the group. In short, the team observed the threat actors using KongTuke's malicious browser extension to display a fake security warning, claiming the browser had "stopped abnormally" and prompting users to run a "scan" to remediate the threats. Upon "running the scan," the user is presented with a fake "Security issues detected" alert and instructed to manually "fix" the issue by opening the Windows Run dialog, pasting from their clipboard, and pressing Enter. The malicious extension silently copies a PowerShell command to the clipboard, disguised as a legitimate repair command. From there, they execute the malicious command. Segment Resources: BLOG - Dissecting CrashFix: KongTuke's New Toy Interview with David Zendzian Continuous compliance and real security lifecycle management Supply chain attacks are not just on the rise; attackers are learning from the past, making these attacks even more effective and dangerous than before. It was just over a month ago when the Shai-Hulud attack first impacted NPM packages, forcing enterprises around the world into lockdown. While only 187 packages were compromised in that initial incident, it served as a wake-up call for many: an accurate inventory of systems is good, but a clear, real-time Software Bill of Materials (SBOM) for applications is non-negotiable. In this world of manifest based infrastructure and container based applications with (real) "devsecops", the dream of continuous upgrades of OS/Runtime/Stack/App and App Dependencies is very mature and there are solid examples of companies and federal entities managing this at scale without thousands of teams and people. Segment Resources: BLOG - Supply Chain Security: How accurate SBOMs can deliver proactive threat mitigation Interview with Jacob Horne CMMC Phase 1 Enforcement — What the November 10 Deadline Means for the Defense Supply Chain With the upcoming CMMC Phase 1 enforcement on November 10, cybersecurity teams across the defense and federal supply chain are facing new compliance requirements that directly affect contract eligibility and data-protection standards. Jacob Horne, Chief Cybersecurity Evangelist at Summit 7, can break down what this milestone means for enterprise security leaders, MSPs/MSSPs, and contractors preparing for audits. Show Notes: https://securityweekly.com/esw-449

Interview with Anna Pham Breaking in with ClickFix: Anatomy of a modern endpoint attack Cybersecurity company Huntress just published a report on a new ClickFix variant they've discovered, which they've dubbed CrashFix. This technique was developed by KongTuke to serve as the primary lure within a new custom malicious browser extension also created by the group. In short, the team observed the threat actors using KongTuke's malicious browser extension to display a fake security warning, claiming the browser had "stopped abnormally" and prompting users to run a "scan" to remediate the threats. Upon "running the scan," the user is presented with a fake "Security issues detected" alert and instructed to manually "fix" the issue by opening the Windows Run dialog, pasting from their clipboard, and pressing Enter. The malicious extension silently copies a PowerShell command to the clipboard, disguised as a legitimate repair command. From there, they execute the malicious command. Segment Resources: BLOG - Dissecting CrashFix: KongTuke's New Toy Interview with David Zendzian Continuous compliance and real security lifecycle management Supply chain attacks are not just on the rise; attackers are learning from the past, making these attacks even more effective and dangerous than before. It was just over a month ago when the Shai-Hulud attack first impacted NPM packages, forcing enterprises around the world into lockdown. While only 187 packages were compromised in that initial incident, it served as a wake-up call for many: an accurate inventory of systems is good, but a clear, real-time Software Bill of Materials (SBOM) for applications is non-negotiable. In this world of manifest based infrastructure and container based applications with (real) "devsecops", the dream of continuous upgrades of OS/Runtime/Stack/App and App Dependencies is very mature and there are solid examples of companies and federal entities managing this at scale without thousands of teams and people. Segment Resources: BLOG - Supply Chain Security: How accurate SBOMs can deliver proactive threat mitigation Interview with Jacob Horne CMMC Phase 1 Enforcement — What the November 10 Deadline Means for the Defense Supply Chain With the upcoming CMMC Phase 1 enforcement on November 10, cybersecurity teams across the defense and federal supply chain are facing new compliance requirements that directly affect contract eligibility and data-protection standards. Jacob Horne, Chief Cybersecurity Evangelist at Summit 7, can break down what this milestone means for enterprise security leaders, MSPs/MSSPs, and contractors preparing for audits. Show Notes: https://securityweekly.com/esw-449

Is China competing—or executing a long-term strategy to dominate global industry? In this episode of The China Desk, legendary CEO advisor Ram Charan joins Steve Yates to break down his book China's 90% Model: China Has America by the Throat — Here's How to Fight Back and Win. Charan argues that China's strategy is deliberate: build capacity to meet 90% of global demand, sell below marginal cost, subsidize exports, and destroy competitors across entire industries. Drawing on six decades advising global executives—including more than 50 Chinese companies—Charan explains how this model has hollowed out American manufacturing in sectors like solar, pharmaceuticals, chemicals, and advanced materials. He describes why many CEOs understand the threat privately but hesitate to speak publicly, and why investors may be underestimating long-term risk. The conversation explores: How industrial dominance becomes national security leverage Why excess capacity and currency policy matter The strategic risk of supply chain choke points like magnets and critical inputs The need for a cabinet-level Department of Manufacturing and Technology Why economic security and national security are now inseparable Charan argues that America and its allies still possess overwhelming economic strength—but only if they coordinate industrial policy, rebuild manufacturing capacity, and communicate the stakes clearly to the public and business leaders alike. This is a high-level strategic conversation about economic warfare, industrial capacity, and what the next seven years could determine for the global balance of power. 00:00 — Introduction and Ram Charan's background 02:40 — What is China's 90% Model? 04:19 — Industrial dominance and strategic execution 05:18 — The origins of China's long-term strategy 08:19 — How to measure industry capture and market share 12:06 — Why CEOs stay silent and investor blind spots 14:11 — The October wake-up moment 16:22 — When companies must exit China 18:26 — Building an allied industrial coalition 21:44 — Economic security equals national security 23:17 — War-time leverage and supply chain choke points 25:21 — Proposal: Department of Manufacturing and Technology 27:35 — Seven-year strategy and public awareness 30:27 — Where to find the book and follow Ram Charan Watch Full-Length Interviews: https://www.youtube.com/@ChinaDeskFNW

In this episode of the Crazy Wisdom Podcast, host Stewart Alsop sits down with Jake Hamilton, founder of Groundwire and Nockbox, to explore zero-knowledge proofs, Bitcoin identity systems, and the intersection of privacy-preserving cryptography with AI and blockchain technology. They discuss how ZK proofs could offer an alternative to invasive identity verification systems being rolled out by governments worldwide, the potential for continual learning AI models to shift the balance between centralized and open-source development, and why building secure, auditable computing infrastructure on platforms like Urbit matters more than ever as we face an explosion of AI agents and automated systems. Jake also explains Nockchain's approach to creating a global repository of cryptographically verified facts that can power trustless programmable systems, and how these technologies might converge to solve problems around supply chain security, personal data sovereignty, and resistance to censorship.Timestamps00:00 Introduction to Groundwire and Knockbox02:48 Understanding Zero-Knowledge Proofs06:04 Government Adoption of ZK Proofs08:55 The Future of Identity Verification11:52 AI and ZK Proofs: A New Era14:54 The Role of Urbit in Technology18:03 The Impact of COVID on Trust20:51 The Evolution of AI and Data Privacy23:47 The Future of AI Models26:54 The Need for Local AI Solutions29:51 Interoperability of Knockchain and BitcoinKey Insights1. Zero-Knowledge Proofs Enable Privacy-Preserving Verification: Jake explains that ZK proofs allow you to prove computational outcomes without revealing the underlying data. For example, you could prove you're over 18 without exposing your full identity or driver's license information. The proof demonstrates that a specific program ran through certain steps and reached a particular conclusion, and validating this proof is fast and compact. This technology has profound implications for age verification, identity systems, and protecting privacy while maintaining necessary compliance, potentially offering a middle path between surveillance states and complete anonymity.2. Government Adoption of Privacy Technology Remains Uncertain: There are three competing motivations driving government identity verification systems: genuine surveillance desires, bureaucratic efficiency seeking, and legitimate child protection concerns. Jake believes these groups can be separated, with some officials potentially supporting ZK-based solutions if positioned correctly. He notes the EU is exploring ZK identity verification, and UK officials have shown interest. The key is framing privacy-preserving technology as protection against "the swamp" rather than just abstract privacy benefits, which could resonate with certain political constituencies.3. The COVID Era Destroyed Institutional Trust at Unprecedented Scale: The conversation identifies COVID as potentially the largest institutional trust-burning event in human history, with numerous institutions simultaneously losing credibility with large portions of the population. This represents a dramatic shift from the boomer generation's default trust in authority figures and mainstream media. This collapse is compounded by the incoming AI revolution, creating a perfect storm where established bureaucracies cannot adapt quickly enough to manage rapidly evolving technology, leaving society in fundamentally unmanageable territory.4. Centralized AI Models Create Dangerous Dependencies: Both speakers acknowledge growing dependence on centralized AI services like Claude, with some users spending thousands monthly on tokens. This dependency creates vulnerability to price increases and service disruptions. Jake advocates for local AI deployment using models like DeepSeek R1, running on personal hardware to maintain control and privacy. The shift toward continuous learning models will fundamentally change the AI landscape, making personal data harvesting even more valuable and raising urgent questions about compensation and consent for training data contribution.5. High-Quality Training Data Is Becoming the Primary AI Bottleneck: Stewart argues that AI development is now limited more by high-quality training data than by compute power. The industry has exhausted easily accessible internet data and body-shop-style data labeling. Companies are now using specialized boutique services with techniques like head-mounted cameras for live-streaming world model training. This scarcity is subtly driving price increases across AI services and will fundamentally reshape the economics of AI development, with implications for who controls these increasingly powerful systems.6. Urbit Offers a Foundation for Trustworthy Computing: Jake positions Urbit as essential infrastructure for the AI age because its 30,000-line codebase (versus Unix's three million lines) can be understood by individual humans. Its deterministic, purely functional, and strictly typed design aims for eventual ossification—software that doesn't require constant security patches. This "tiny and diamond perfect" approach addresses the fundamental insecurity of systems requiring monthly vulnerability patches. In an era of AI agents and potential prompt injection attacks, having verifiable, comprehensible computing infrastructure becomes existentially important rather than merely desirable.7. Nockchain Creates a Global Repository of Provable Truth: Jake's vision for Nockchain combines ZK proofs with blockchain technology to create a globally available "truth repository" where verified facts can be programmatically accessed together. This enables smart contracts or programs gated on combinations of proven facts—such as temperature readings from secure devices, supply chain events, and payment confirmations. By using Nock's abstract, simple design optimized for ZK proof generation, the system can validate complex real-world conditions without exposing underlying data, creating infrastructure for coordinating action based on verifiable private information at global scale.

Blythe and Grace Sharkey (Orderful; formerly FreightWaves) break down what everyone's been talking about coming out of Manifest: agentic AI moving into real workflows, drones/computer vision becoming more practical, freight fraud getting more coordinated, and why “end-to-end visibility” still isn't end-to-end (spoiler: carrier adoption and execution still run the show).The gist (what we cover):Agentic AI: not just demos—people are pushing it into rate negotiation and booking workflowsThe uncomfortable question: what happens to brokerage models when humans aren't the bottleneck?Drones + computer vision: still early, but moving from “cool tech” to real use casesFreight fraud: it's coordinated—and most companies still fail at the basicsVisibility: we keep selling the dream, but execution (and carrier adoption) keeps punching it in the faceQuick time-capsule: what 2016 taught us, what 2026 is repeating, and why insurance keeps winningTimestamps / chapters (approx):00:00 – Intro + Grace joins04:35 – Agentic AI: what's real vs what's marketing10:10 – What this changes for brokers and carriers15:25 – Drones + computer vision17:30 – Fraud: why basic controls still matter25:40 – Visibility + ocean integrity31:40 – 2016 vs 2026: the industry memory test39:50 – Wrap-up + Manifest Europe noteWatch this episode on YouTubeFeedback? Ideas for a future episode? Shoot us a text here to let us know. -----------------------------------------THANK YOU TO OUR SPONSORS! SPI Logistics has been a Day 1 supporter of this podcast which is why we're proud to promote them in every episode. During that time, we've gotten to know the team and their agents to confidently say they are the best home for freight agents in North America for 40 years and counting. Listen to past episodes to hear why. CargoRex is the search engine for the logistics industry—connecting LSPs with the right tools, services, events, and creators to explore, discover, and evolve. Digital Dispatch maximizes and manages your #1 sales tool with a website that establishes trust and builds rock-solid relationships with your leads and customers.

Rob Hughes — CISO at RSA and Champion of a Passwordless FutureNo Password Required Season 7:  Episode 1 - Rob HughesRob Hughes, the CISO at RSA, has more than 25 years of experience leading security and cloud infrastructure teams. In this episode, he reflects on his unconventional career path, from co-founding the original Geek.com and serving as its Chief Technologist during the early days of the internet, to leading security and systems design at Philips Home Monitoring.Jack Clabby of Carlton Fields, P.A. and Kayley Melton welcome Rob for a wide-ranging conversation on identity, leadership, and the realities of modern cybersecurity. Rob currently leads RSA's Security and Risk Office, overseeing cybersecurity, information security governance, and risk across both RSA's products and corporate environment.Rob explains his dream for a passwordless future. He unpacks why passwords remain one of the largest sources of cyber risk, how real-world incidents and password-spraying attacks have accelerated change, and why phishing-resistant technologies like passkeys may finally be reaching a tipping point.  The episode wraps with the Lifestyle Polygraph, where Rob lightens the conversation with stories about gaming with his kids, underrated horror films, and classic cars.Follow Rob on LinkedIn: https://www.linkedin.com/in/robert-hughes-816067a4/Chapters: 00:00 Introduction to No Password Required01:43 Meet Rob Hughes, CISO at RSA02:05 The Role of a CISO in a Security Company05:09 Transitioning to the CISO Role08:00 The Early Days of Geek.com12:14 Launching a Startup During the Dot Com Boom14:30 The Push for a Passwordless Future18:21 Tipping Point for Passwordless Adoption20:20 Ongoing Learning in Cybersecurity26:09 Managing Stress in High-Pressure Environments33:46 The Lifestyle Polygraph Begins34:15 Career Insights in Cybersecurity36:08 Dream Cars and Personal Preferences39:58 Underrated Horror Films41:19 Creating a Cybersecurity Monster

Don't miss out on this episode with Danny Ramon of Overhaul to know the real threat to your freight, what's really happening online, and how fast cargo theft is evolving! Danny breaks down how cargo theft has become a full-blown, organized industry, blending cyber attacks and coordinated physical moves that let criminals walk away with entire shipments in minutes, why everyday consumer goods are now prime targets, how social media demand is reshaping black-market trends, and why tech alone won't save you if you don't have the human oversight to back it up! No one's immune, so do simple operational changes, smarter vetting practices, nonstop vigilance carriers, brokers, and shippers need to stay ahead of this increasingly sophisticated threat, and keep supporting the show for more conversations like this!   About Danny Ramon Danny Ramon has been working in Supply Chain Security for over 15 years and specializing in Supply Chain Intelligence for the last 13. Danny studies both cargo theft and any factor that can affect the flow of cargo through the supply chain to identify how variables might interfere with the flow of global logistics. In his role as Director of Intelligence and Response at Overhaul, Danny not only presents these findings to the security and logistics teams at the world's largest technology and pharmaceutical companies, but also leads the recovery and investigations team that works closely with law enforcement and private resources across the globe to recover stolen cargo and apprehend the criminals involved. Danny spreads awareness of cargo theft and promotes supply chain visibility as a subject matter expert. He is quoted or published in several leading industry publications, including Transport Topics, Supply Chain Brain, Fleet Owner, FreightWaves, and CCJDigital and he has presented for Inland Marine Underwriters Association (IMUA), the International Supply Chain Protection Organization (ISCPO), the Transportation and Logistics Council (TLC), Miami-Dade Police Department (MDPD), Ocean Carrier Equipment Management Association (OCEMA), National Motor Freight Traffic Association (NMFTA), and the Transported Asset Protection Association (TAPA).   Connect with Danny Website: https://over-haul.com/  LinkedIn: https://www.linkedin.com/in/danny-ramon-97472855/  

Hydrogen infrastructure requires billion-dollar cryogenic systems. That's the conventional wisdom keeping hydrogen grounded. Dr. Jalaal Hayes proved it's wrong—and the implications for expeditionary operations are immediate.Hayes developed Liquid Organic Hydrogen Carriers (LOHC) technology, which stores hydrogen at ambient temperatures using existing fuel infrastructure. No specialized equipment. No cryogenic vulnerability. Combined with biohydrogen production, delivering three times the energy density of JP-8, this isn't an incremental improvement—it's an operational paradigm shift.When you orchestrate complementary technologies instead of betting on single solutions, you eliminate infrastructure dependencies that constrain deployment. For institutions like the DoW, that means hydrogen propulsion without forward-deployed cryogenic facilities.Paradigm Shifts:→ Applied Budgetary Exhaustion: LOHC eliminates billions in cryogenic infrastructure by using existing petroleum systems—the same asymmetric strategy Ukraine uses with $10K drones vs $100M platforms. Attack the cost structure, not the capability.→ Infrastructure Independence: Biohydrogen becomes deployable when paired with ambient-temperature LOHC storage. No cryogenic vulnerability. No specialized tankers. Existing logistics networks carry hydrogen in chemical form—released on demand at the point of use.→ Regional Stack Control = Supply Chain Security: Hayes built his entire prototype with suppliers within driving distance. That's not convenience—it's strategic autonomy. When you control the full stack regionally, you eliminate foreign dependencies and supply chain vulnerabilities.Operational Impact:→ Space-to-Ground Dual-Use: Same hydrogen stack enabling Mars closed-loop life support runs ground ops at forward operating bases. One R&D investment, two critical applications. That's how you maximize constrained budgets.→ Technology Intersection > Selection: Stop forcing teams to pick biohydrogen OR storage OR production. The breakthrough lives where they integrate—each solving the other's deployment constraint. Complementary systems outperform optimized components.→ Compressed Innovation Cycles: Hayes's students solve real commercial prototypes in semesters, not years. Academic-entrepreneurial integration accelerates the transition of capabilities from the lab to the field.Strategic Reframe: Infrastructure dependencies limit operational flexibility. When you orchestrate technologies that leverage existing systems, you eliminate deployment barriers. The question isn't "which hydrogen technology wins?" It's "what combination removes infrastructure constraints from our operational calculus?"Guest: Dr. Jalaal Hayes, CEO & Founder, Evince Inc. | Associate Professor of Chemistry, Lincoln UniversityHost: Dyan Finkhousen, Founder & CEO, Shoshin WorksEcosystemic Futures is the Shoshin Works foresight series with NASA - National Aeronautics and Space Administration heritage.

In this episode we are continuing the theme of cybersecurity to talk about the Federal Acquisition Supply Chain Security Act, or FASCSA. After years of framework development, the government has finally dropped its first FASCSA order. Learn more about The Quill & Sword series of podcasts by visiting our podcast page at https://tjaglcs.army.mil/thequillandsword. The Quill & Sword show includes featured episodes from across the JAGC, plus all episodes from our four separate shows: “Criminal Law Department Presents” (Criminal Law Department), “NSL Unscripted” (National Security Law Department), “The FAR and Beyond” (Contract & Fiscal Law Department) and “Hold My Reg” (Administrative & Civil Law Department). Connect with The Judge Advocate General's Legal Center and School by visiting our website at https://tjaglcs.army.mil/ or on Facebook (tjaglcs), Instagram (tjaglcs), or LinkedIn (school/tjaglcs).

Даже если вы пишете идеальный код, это не значит, что ваш продукт в безопасности. Уязвимости может притащить кто-то другой – начиная от open source библиотек, и заканчивая уязвимостями в компиляторах, CI и VCS системах. Как научиться защищать не только код, вышедший из под ваших рук, но и всю цепочку поставки, нам рассказал Алексей Смирнов, основатель платформы CodeScoring. Партнёр команды Podlodka — наши давние друзья @AvitoTech. Это команда с крутыми процессами, культурой здравого смысла и эксперимента. Узнать про их технологии, подходы и прокачку компетенций в командах можно по ссылкам: — LLM против хаоса: как я автоматизировал ревизию прав доступа в админке Авито https://clc.to/RVjkQw — LLM в кибербезопасности https://clc.to/mvLjSA Реклама. ООО "Авито Тех”, ИНН 9710089440, erid:2SDnjdq5TKm Также ждем вас, ваши лайки, репосты и комменты в мессенджерах и соцсетях!
 Telegram-чат: https://t.me/podlodka Telegram-канал: https://t.me/podlodkanews Страница в Facebook: www.facebook.com/podlodkacast/ Twitter-аккаунт: https://twitter.com/PodcastPodlodka Ведущие в выпуске: Евгений Кателла, Егор Толстой Полезные ссылки: Supply-chain Levels for Software Artifacts, or SLSA https://slsa.dev/ Shai-Hulud npm vulnerability https://www.truesec.com/hub/blog/500-npm-packages-compromised-in-ongoing-supply-chain-attack-shai-hulud Таксономия атак на цепочку поставки ПО https://vkvideo.ru/video-229013285_456239031 AI-Enhanced DevTools & DevOps https://vkvideo.ru/video-22522055_456245659?t=2h34m17s Исследования от Luntry https://luntry.ru/research Исследование уязвимостей GenAI от Veracode https://www.veracode.com/wp-content/uploads/2025_GenAI_Code_Security_Report_Final.pdf О черве Shai-Hulud https://securelist.ru/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/113533/ Метод-фреймворк защиты цепочки поставки SLSA https://slsa.dev/ Доклад "Таксономия атак на цепочку поставки ПО" https://vkvideo.ru/video-229013285_456239031 Доклад "Безопасная разработка в эпоху GenAI" https://vkvideo.ru/video-229013285_456239040 Другие доклады про безопасность использования Open Source https://youtube.com/@codescoring https://vkvideo.ru/@codescoring Платформа безопасной разработки CodeScoring https://codescoring.ru/ Книга "Прозрачное программное обеспечение: Безопасность цепочек поставок ПО" https://www.piter.com/product/prozrachnoe-programmnoe-obespechenie-bezopasnost-tsepochek-postavok-po

Everyone Is Protecting My Password, But Who Is Protecting My Toilet Paper? - Interview with Amberley Brady | AISA CyberCon Melbourne 2025 Coverage | On Location with Sean Martin and Marco CiappelliAISA CyberCon Melbourne | October 15-17, 2025Empty shelves trigger something primal in us now. We've lived through the panic, the uncertainty, the realization that our food supply isn't as secure as we thought. Amberley Brady hasn't forgotten that feeling, and she's turned it into action.Speaking with her from Florence to Sydney ahead of AISA CyberCon in Melbourne, I discovered someone who came to cybersecurity through an unexpected path—studying law, working in policy, but driven by a singular passion for food security. When COVID-19 hit Australia in 2019 and grocery store shelves emptied, Amberley couldn't shake the question: what happens if this keeps happening?Her answer was to build realfoodprice.com.au, a platform tracking food pricing transparency across Australia's supply chain. It's based on the Hungarian model, which within three months saved consumers 50 million euros simply by making prices visible from farmer to wholesaler to consumer. The markup disappeared almost overnight when transparency arrived."Once you demonstrate transparency along the supply chain, you see where the markup is," Amberley explained. She gave me an example that hit home: watermelon farmers were getting paid 40 cents per kilo while their production costs ran between $1.00 to $1.50. Meanwhile, consumers paid $2.50 to $2.99 year-round. Someone in the middle was profiting while farmers lost money on every harvest.But this isn't just about fair pricing—it's about critical infrastructure that nobody's protecting. Australia produces food for 70 million people, far more than its own population needs. That food moves through systems, across borders, through supply chains that depend entirely on technology most farmers never think about in cybersecurity terms.The new autonomous tractors collecting soil data? That information goes somewhere. The sensors monitoring crop conditions? Those connect to systems someone else controls. China recognized this vulnerability years ago—with 20% of the world's population but only 7% of arable land, they understood that food security is national security.At CyberCon, Amberley is presenting two sessions that challenge the cybersecurity community to expand their thinking. "Don't Outsource Your Thinking" tackles what she calls "complacency creep"—our growing trust in AI that makes us stop questioning, stop analyzing with our gut instinct. She argues for an Essential Nine in Australia's cybersecurity framework, adding the human firewall to the technical Essential Eight.Her second talk, cheekily titled "Everyone is Protecting My Password, But No One's Protecting My Toilet Paper," addresses food security directly. It's provocative, but that's the point. We saw what happened in Japan recently with the rice crisis—the same panic buying, the same distrust, the same empty shelves that COVID taught us to fear."We will run to the store," Amberley said. "That's going to be human behavior because we've lived through that time." And here's the cybersecurity angle: those panics can be manufactured. A fake image of empty shelves, an AI-generated video, strategic disinformation—all it takes is triggering that collective memory.Amberley describes herself as an early disruptor in the agritech cybersecurity space, and she's right. Most cybersecurity professionals think about hospitals, utilities, financial systems. They don't think about the autonomous vehicles in fields, the sensor networks in soil, the supply chain software moving food across continents.But she's starting the conversation, and CyberCon's audience—increasingly diverse, including people from HR, risk management, and policy—is ready for it. Because at the end of the day, everyone has to eat. And if we don't start thinking about the cyber vulnerabilities in how we grow, move, and price food, we're leaving our most basic need unprotected.AISA CyberCon Melbourne runs October 15-17, 2025 Virtual coverage provided by ITSPmagazineGUEST:Amberley Brady, Food Security & Cybersecurity Advocate, Founder of realfoodprice.com.au | On LinkedIn: https://www.linkedin.com/in/amberley-b-a62022353/HOSTS:Sean Martin, Co-Founder, ITSPmagazine and Studio C60 | Website: https://www.seanmartin.comMarco Ciappelli, Co-Founder, ITSPmagazine and Studio C60 | Website: https://www.marcociappelli.comCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to share an Event Briefing as part of our event coverage? Learn More

70% of critical security debt stems from third-party code - what can be done upstream?How real-time threat intelligence and policy enforcement are closing the gapWhy DORA and modern CI/CD pipelines demand pre-emptive visibility and automation Thom Langford, Host, teissTalkhttps://www.linkedin.com/in/thomlangford/Paul Holland, Cyber Capability Manager, Royal Mailhttps://www.linkedin.com/in/paulinfosec/Tiago Rosado, Chief Information Security Officer, Asitehttps://www.linkedin.com/in/tiagorosado/Jean Carlos, Information Security Lead, Trade Republichttps://www.linkedin.com/in/jeanpcarlos/John Smith, CTO of EMEA, Veracodehttps://www.linkedin.com/in/jtsmith123

When even the Department of Defense can't properly vet its software dependencies, what chance do the rest of us have? Steve Gibson reveals how "fast-glob" became a case study in supply chain blindness, explores whether AI can ever truly be controlled after Meta's celebrity chatbot disaster, and celebrates BYTE Magazine's 50th anniversary with a look at how far we've come (and how vulnerable we still are). A look back at issue #1 of BYTE magazine exactly 50 years ago The enforcement of the SHAKEN & STIR Telecom protocols Breaking: Judge rules against forced Google divestitures in monopoly case The inherent danger of consolidating authentication Can AI be controlled? Vivaldi says a big "no" to AI-enhanced web browsers How WhatsApp figured into Apple's recent 0-day attacks Leveraging AI as an attack aid The latest TransUnion data breach Two scummy websites sue the UK over age requirements OpenSSH reminds its users to adopt post-quantum crypto The DOD uses open source maintained by a Russian national Much great feedback from our terrific listeners Sci-Fi news from "The Frontiers Saga" Ryk Brown Show Notes - https://www.grc.com/sn/sn-1041-notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: go.acronis.com/twit threatlocker.com/twit bitwarden.com/twit bigid.com/securitynow joindeleteme.com/twit promo code TWIT

When even the Department of Defense can't properly vet its software dependencies, what chance do the rest of us have? Steve Gibson reveals how "fast-glob" became a case study in supply chain blindness, explores whether AI can ever truly be controlled after Meta's celebrity chatbot disaster, and celebrates BYTE Magazine's 50th anniversary with a look at how far we've come (and how vulnerable we still are). A look back at issue #1 of BYTE magazine exactly 50 years ago The enforcement of the SHAKEN & STIR Telecom protocols Breaking: Judge rules against forced Google divestitures in monopoly case The inherent danger of consolidating authentication Can AI be controlled? Vivaldi says a big "no" to AI-enhanced web browsers How WhatsApp figured into Apple's recent 0-day attacks Leveraging AI as an attack aid The latest TransUnion data breach Two scummy websites sue the UK over age requirements OpenSSH reminds its users to adopt post-quantum crypto The DOD uses open source maintained by a Russian national Much great feedback from our terrific listeners Sci-Fi news from "The Frontiers Saga" Ryk Brown Show Notes - https://www.grc.com/sn/sn-1041-notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: go.acronis.com/twit threatlocker.com/twit bitwarden.com/twit bigid.com/securitynow joindeleteme.com/twit promo code TWIT

When even the Department of Defense can't properly vet its software dependencies, what chance do the rest of us have? Steve Gibson reveals how "fast-glob" became a case study in supply chain blindness, explores whether AI can ever truly be controlled after Meta's celebrity chatbot disaster, and celebrates BYTE Magazine's 50th anniversary with a look at how far we've come (and how vulnerable we still are). A look back at issue #1 of BYTE magazine exactly 50 years ago The enforcement of the SHAKEN & STIR Telecom protocols Breaking: Judge rules against forced Google divestitures in monopoly case The inherent danger of consolidating authentication Can AI be controlled? Vivaldi says a big "no" to AI-enhanced web browsers How WhatsApp figured into Apple's recent 0-day attacks Leveraging AI as an attack aid The latest TransUnion data breach Two scummy websites sue the UK over age requirements OpenSSH reminds its users to adopt post-quantum crypto The DOD uses open source maintained by a Russian national Much great feedback from our terrific listeners Sci-Fi news from "The Frontiers Saga" Ryk Brown Show Notes - https://www.grc.com/sn/sn-1041-notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: go.acronis.com/twit threatlocker.com/twit bitwarden.com/twit bigid.com/securitynow joindeleteme.com/twit promo code TWIT

When even the Department of Defense can't properly vet its software dependencies, what chance do the rest of us have? Steve Gibson reveals how "fast-glob" became a case study in supply chain blindness, explores whether AI can ever truly be controlled after Meta's celebrity chatbot disaster, and celebrates BYTE Magazine's 50th anniversary with a look at how far we've come (and how vulnerable we still are). A look back at issue #1 of BYTE magazine exactly 50 years ago The enforcement of the SHAKEN & STIR Telecom protocols Breaking: Judge rules against forced Google divestitures in monopoly case The inherent danger of consolidating authentication Can AI be controlled? Vivaldi says a big "no" to AI-enhanced web browsers How WhatsApp figured into Apple's recent 0-day attacks Leveraging AI as an attack aid The latest TransUnion data breach Two scummy websites sue the UK over age requirements OpenSSH reminds its users to adopt post-quantum crypto The DOD uses open source maintained by a Russian national Much great feedback from our terrific listeners Sci-Fi news from "The Frontiers Saga" Ryk Brown Show Notes - https://www.grc.com/sn/sn-1041-notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: go.acronis.com/twit threatlocker.com/twit bitwarden.com/twit bigid.com/securitynow joindeleteme.com/twit promo code TWIT

When even the Department of Defense can't properly vet its software dependencies, what chance do the rest of us have? Steve Gibson reveals how "fast-glob" became a case study in supply chain blindness, explores whether AI can ever truly be controlled after Meta's celebrity chatbot disaster, and celebrates BYTE Magazine's 50th anniversary with a look at how far we've come (and how vulnerable we still are). A look back at issue #1 of BYTE magazine exactly 50 years ago The enforcement of the SHAKEN & STIR Telecom protocols Breaking: Judge rules against forced Google divestitures in monopoly case The inherent danger of consolidating authentication Can AI be controlled? Vivaldi says a big "no" to AI-enhanced web browsers How WhatsApp figured into Apple's recent 0-day attacks Leveraging AI as an attack aid The latest TransUnion data breach Two scummy websites sue the UK over age requirements OpenSSH reminds its users to adopt post-quantum crypto The DOD uses open source maintained by a Russian national Much great feedback from our terrific listeners Sci-Fi news from "The Frontiers Saga" Ryk Brown Show Notes - https://www.grc.com/sn/sn-1041-notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: go.acronis.com/twit threatlocker.com/twit bitwarden.com/twit bigid.com/securitynow joindeleteme.com/twit promo code TWIT

When even the Department of Defense can't properly vet its software dependencies, what chance do the rest of us have? Steve Gibson reveals how "fast-glob" became a case study in supply chain blindness, explores whether AI can ever truly be controlled after Meta's celebrity chatbot disaster, and celebrates BYTE Magazine's 50th anniversary with a look at how far we've come (and how vulnerable we still are). A look back at issue #1 of BYTE magazine exactly 50 years ago The enforcement of the SHAKEN & STIR Telecom protocols Breaking: Judge rules against forced Google divestitures in monopoly case The inherent danger of consolidating authentication Can AI be controlled? Vivaldi says a big "no" to AI-enhanced web browsers How WhatsApp figured into Apple's recent 0-day attacks Leveraging AI as an attack aid The latest TransUnion data breach Two scummy websites sue the UK over age requirements OpenSSH reminds its users to adopt post-quantum crypto The DOD uses open source maintained by a Russian national Much great feedback from our terrific listeners Sci-Fi news from "The Frontiers Saga" Ryk Brown Show Notes - https://www.grc.com/sn/sn-1041-notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: go.acronis.com/twit threatlocker.com/twit bitwarden.com/twit bigid.com/securitynow joindeleteme.com/twit promo code TWIT

When even the Department of Defense can't properly vet its software dependencies, what chance do the rest of us have? Steve Gibson reveals how "fast-glob" became a case study in supply chain blindness, explores whether AI can ever truly be controlled after Meta's celebrity chatbot disaster, and celebrates BYTE Magazine's 50th anniversary with a look at how far we've come (and how vulnerable we still are). A look back at issue #1 of BYTE magazine exactly 50 years ago The enforcement of the SHAKEN & STIR Telecom protocols Breaking: Judge rules against forced Google divestitures in monopoly case The inherent danger of consolidating authentication Can AI be controlled? Vivaldi says a big "no" to AI-enhanced web browsers How WhatsApp figured into Apple's recent 0-day attacks Leveraging AI as an attack aid The latest TransUnion data breach Two scummy websites sue the UK over age requirements OpenSSH reminds its users to adopt post-quantum crypto The DOD uses open source maintained by a Russian national Much great feedback from our terrific listeners Sci-Fi news from "The Frontiers Saga" Ryk Brown Show Notes - https://www.grc.com/sn/sn-1041-notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: go.acronis.com/twit threatlocker.com/twit bitwarden.com/twit bigid.com/securitynow joindeleteme.com/twit promo code TWIT

When even the Department of Defense can't properly vet its software dependencies, what chance do the rest of us have? Steve Gibson reveals how "fast-glob" became a case study in supply chain blindness, explores whether AI can ever truly be controlled after Meta's celebrity chatbot disaster, and celebrates BYTE Magazine's 50th anniversary with a look at how far we've come (and how vulnerable we still are). A look back at issue #1 of BYTE magazine exactly 50 years ago The enforcement of the SHAKEN & STIR Telecom protocols Breaking: Judge rules against forced Google divestitures in monopoly case The inherent danger of consolidating authentication Can AI be controlled? Vivaldi says a big "no" to AI-enhanced web browsers How WhatsApp figured into Apple's recent 0-day attacks Leveraging AI as an attack aid The latest TransUnion data breach Two scummy websites sue the UK over age requirements OpenSSH reminds its users to adopt post-quantum crypto The DOD uses open source maintained by a Russian national Much great feedback from our terrific listeners Sci-Fi news from "The Frontiers Saga" Ryk Brown Show Notes - https://www.grc.com/sn/sn-1041-notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: go.acronis.com/twit threatlocker.com/twit bitwarden.com/twit bigid.com/securitynow joindeleteme.com/twit promo code TWIT

In this episode of the CISO Tradecraft podcast, host G Mark Hardy speaks with Tim Brown, the CISO of SolarWinds, at the Black Hat conference in Las Vegas. They delve into the details of the infamous SolarWinds breach, discussing the timeline of events, the involvement of the Russian SVR, and the immediate and long-term responses by SolarWinds. Tim shares insights on the complexities of supply chain security, the importance of clear communication within an organization, and the evolving regulatory landscape for CISOs. Additionally, they discuss the personal and professional ramifications of dealing with such a high-profile incident, offering valuable lessons for current and future cybersecurity leaders. Chapters  00:00 Introduction and Welcome 00:59 The SolarWinds Incident Unfolds 03:13 Understanding the Attack and Response 04:04 The Role of SVR and Supply Chain Security 10:43 Technical Details of the Attack 14:56 Compliance and Reporting Challenges 19:24 Rebuilding Trust and Personal Impact 22:06 CISO Concerns and Company Support 22:14 Legal Challenges and Company Expenses 23:40 SEC Charges and Legal Proceedings 29:35 Supply Chain Security and Vendor Assurance 35:47 CISO Accountability and Industry Standards 39:41 Final Thoughts and Advice for CISOs

In this episode of the CISO Tradecraft podcast, host G Mark Hardy speaks with Tim Brown, the CISO of SolarWinds, at the Black Hat conference in Las Vegas. They delve into the details of the infamous SolarWinds breach, discussing the timeline of events, the involvement of the Russian SVR, and the immediate and long-term responses by SolarWinds. Tim shares insights on the complexities of supply chain security, the importance of clear communication within an organization, and the evolving regulatory landscape for CISOs. Additionally, they discuss the personal and professional ramifications of dealing with such a high-profile incident, offering valuable lessons for current and future cybersecurity leaders. Chapters 00:00 Introduction and Welcome 00:59 The SolarWinds Incident Unfolds 03:13 Understanding the Attack and Response 04:04 The Role of SVR and Supply Chain Security 10:43 Technical Details of the Attack 14:56 Compliance and Reporting Challenges 19:24 Rebuilding Trust and Personal Impact 22:06 CISO Concerns and Company Support 22:14 Legal Challenges and Company Expenses 23:40 SEC Charges and Legal Proceedings 29:35 Supply Chain Security and Vendor Assurance 35:47 CISO Accountability and Industry Standards 39:41 Final Thoughts and Advice for CISOs

Open source software is a massive contribution that provides everything from foundational frameworks to tiny single-purpose libraries. We walk through the dimensions of trust and provenance in the software supply chain with Janet Worthington. And we discuss how even with new code generated by LLMs and new terms like slopsquatting, a lot of the most effective solutions are old techniques. Resources https://www.forrester.com/blogs/make-no-mistake-software-is-a-supply-chain-and-its-under-attack/ https://www.forrester.com/report/the-future-of-software-supply-chain-security/RES184050 Show Notes: https://securityweekly.com/asw-343

Open source software is a massive contribution that provides everything from foundational frameworks to tiny single-purpose libraries. We walk through the dimensions of trust and provenance in the software supply chain with Janet Worthington. And we discuss how even with new code generated by LLMs and new terms like slopsquatting, a lot of the most effective solutions are old techniques. Resources https://www.forrester.com/blogs/make-no-mistake-software-is-a-supply-chain-and-its-under-attack/ https://www.forrester.com/report/the-future-of-software-supply-chain-security/RES184050 Show Notes: https://securityweekly.com/asw-343

Open source software is a massive contribution that provides everything from foundational frameworks to tiny single-purpose libraries. We walk through the dimensions of trust and provenance in the software supply chain with Janet Worthington. And we discuss how even with new code generated by LLMs and new terms like slopsquatting, a lot of the most effective solutions are old techniques. Resources https://www.forrester.com/blogs/make-no-mistake-software-is-a-supply-chain-and-its-under-attack/ https://www.forrester.com/report/the-future-of-software-supply-chain-security/RES184050 Show Notes: https://securityweekly.com/asw-343

Welcome to another episode of Data Driven, where we delve deep into the crossroads of data, technology, and the ever-shifting world of geopolitics. In this packed episode, hosts Frank La Vigne and Bailey are joined by Christopher Nuland, AI technical marketing manager at Red Hat, for a candid, no-holds-barred discussion on the newly released America's AI Action Plan.Together, they tackle everything from the resurgence of Cold War tensions in the AI arena to the complexities of “AI sovereignty” and what it really means for the US, China, and the rest of the world. Expect spirited debates about EU's place in the global AI race, the real-world implications of chip supply chain disruptions, and the heated rhetoric around workforce security in an era when AI is starting to replace traditional jobs.The conversation weaves through existential questions—can AI ever truly reason, or are we just witnessing the rise of superpowered “spreadsheet goblins?”—and gets hands-on with the very real risks (and opportunities) of rolling out LLMs in everyday workplaces. Plus, the team touches on power-hungry data centers, potential impacts on the job market, and even finds time to swap sci-fi references from The Expanse to Ghost in the Shell to help paint a picture of what our AI-dominated future might look like.Buckle up for a dense, dynamic, and dangerously nerdy journey into the world of AI policy, technology, and what it means for all of us. Let's get into it!Timestamps00:00 AI Geopolitics & America's Action Plan08:14 EU's Role in Tech Hierarchy14:10 "US Focus: Securing AI Workforce"20:40 Supply Chain Security in Software24:24 Politicians' Technical Proficiency Limits27:19 AI Sovereignty and Cultural Values33:52 CHIPS Act: Innovation and Expansion Hopes38:11 "AI Vulnerability: Patch Attacks"47:58 Maryland Power Line Controversy50:09 "AI Impact on Jobs & UBI"55:47 Techno Feudalism Perspective01:04:41 "AI Sovereignty: A Geopolitical Chess Match"

In this episode, I sit down with Daniel Bardenstein, CTO & Co-Founder of Manifest Cyber.We discussed the AI supply chain security, including open source risks, AIBOMs, best practices for CISOs, and regulatory approaches in the U.S. and EU.We dove into:What is the same and different between the risks AI introduces across the enterprise compared to open source software, and where and how the two converge.The rise of an “AIBOM” and why it is becoming a critical part of enterprise risk management in the AI EraThe work Daniel and others are doing as part of a Tiger Team defining “SBOM-for-AI-Use Cases”.Why is it so difficult for organizations to gain visibility into their AI models' internals, especially training data, model provenance, and pipeline dependencies?Where CISOs and security teams can get started when it comes to understanding where and how AI is being used and avoiding some mistakes.Gaps among the current waves of AI security startups and how they contrast with the approach Manifest is taking when managing AI supply chain risks.Real-world insights and examples of how organizations operationalize SBOM for risk reduction.Key differences between the U.S. and EU regarding regulatory approaches to AI and supply chain security risks.

Peter Battaglia, Deputy Director of Mission Assurance at the Defense Logistics Agency (DLA), joins Mike Shanley to discuss DLA's priorities and initiatives in today's evolving defense landscape. The conversation covers logistics surge capacity, securing the supply chain, and the role of NATO's industrial base in supporting global readiness. RESOURCES: GovDiscovery AI Federal Capture Support: https://www.govdiscoveryai.com/ DLA website: https://www.dla.mil/ DLA Strategic Plan (2025-2030): https://www.dla.mil/Portals/104/Documents/Headquarters/StrategicPlan/DLAStrategicPlan2025-2030March2025.pdf BIOGRAPHY: Mr. Peter Battaglia is the DLA Mission Assurance Deputy Director serving as the DLA lead for Mission Assurance, Defense Critical Infrastructure, and Continuity of Operations Planning. He also serves as the Supply Chain Security and Supply Chain Risk Management (SCRM) Program Manager for DLA. In this position he is the expert technical authority responsible for oversight of the design, implementation, execution, and promulgation of DLA's SCS/SCRM Program for worldwide support of OSD, JCS, CCMDs, and Military Services plans and operations. He graduated from the Eisenhower School for National Security and Resource Strategy in 2021. He previously served as the Customer Relations Management Process Owner managing a portfolio of $7M and 800 personnel, including the Customer Interaction Center (helpline) and Customer Support Representatives interfacing with the supported services, combatant commands, and inter-agencies. Mr. Battaglia established and implemented the DLA Agency Synchronization Operations Center (ASOC). The ASOC synchronizes and integrates the Agency's operational mission and business support functions to provide agile, global support to the Warfighter and select Federal Agencies. The ASOC provides Agency leadership and mission partners a shared and standardized view; enables operational support serving as the consensus source of truth among all mission partners; focuses the Agency on output, readiness, effectiveness, and service to standards; and provides the tools and actionable information to conduct root cause analysis, develop solutions and courses of action, and implement senior leader decisions. Mr. Battaglia also served as the Chief of the DLA Logistics Operations (J3) Director's Action Group aligning the strategic efforts and messaging of the J3 and aligned Executive Directors to ensure DLA logistics support. Prior to this assignment, Mr. Battaglia strategically assessed DLA Customer Support by evaluating the DLA personnel laydown and functions resulting in $21M savings across the FYDP. He served as the Medical Materiel Executive Agent (MMEA) Analyst for DLA, orchestrating and synchronizing medical logistics for the complete range of military and whole of government missions such as utilization of non-FDA approved medical materiel and transportation policies allowing commercial narcotic shipments. Mr. Battaglia was born in Honolulu, Hawaii, and hails from Herndon, Virginia. He received his Masters in National Security and Resource Strategy from the Eisenhower School in 2021 and his LOGTECH MBA, Logistics and Technology, from the Kelly School of Business, Indiana University in 2010. He received his undergraduate degree in Chemical Engineering from the University of Virginia in 2000. His wife, two children, and semi-classic BMW hobby serve to keep him busy while not working. Mr. Battaglia has received the DLA Meritorious Civilian Performance Award (2011) and the DLA Superior Civilian Performance Award (2020 and 2005). LEARN MORE: Thank you for tuning into this episode of the GovDiscovery AI Podcast with Mike Shanley. You can learn more about working with the U.S. Government by visiting our homepage: Konektid International and GovDiscovery AI. To connect with our team directly, message the host Mike Shanley on LinkedIn. https://www.govdiscoveryai.com/  https://www.konektid.com/  https://www.linkedin.com/in/gov-market-growth/ 

While the U.S., India, and countries in the Persian Gulf are all moving quickly to establish new critical mineral supply chains, the European Union is struggling to follow suit, particularly in Africa. The EU currently lacks a cohesive policy framework that would bolster mining companies, support partner countries, and encourage the development of a mineral processing sector that can lessen Europe's current dependence on China. To do this, the EU should follow China's model in Africa, where it paired extraction with the development of vital infrastructure, according to a new commentary from the European Centre for Development Policy Management (ECDPM). The authors, Poorva Karkare and Karim Karaki, join Eric & Géraud from Brussels to explain why the EU should strive for strategic complementarity rather than competition with China in Africa. SHOW NOTES: ECDPM: The EU's playbook for African minerals amid China's dominance by Poorva Karkare and Karim Karaki AFRICA POLICY RESEARCH INSTITUTE: The tumultuous path toward EU-China-Africa trilateral cooperation on Critical Raw Materials in Africa by C. Géraud Neema JOIN THE DISCUSSION: X: @ChinaGSProject | @eric_olander | @christiangeraud Facebook: www.facebook.com/ChinaAfricaProject YouTube: www.youtube.com/@ChinaGlobalSouth Now on Bluesky! Follow CGSP at @chinagsproject.bsky.social FOLLOW CGSP IN FRENCH AND ARABIC: Français: www.projetafriquechine.com | @AfrikChine Arabic: عربي: www.alsin-alsharqalawsat.com | @SinSharqAwsat JOIN US ON PATREON! Become a CGSP Patreon member and get all sorts of cool stuff, including our Week in Review report, an invitation to join monthly Zoom calls with Eric & Cobus, and even an awesome new CGSP Podcast mug! www.patreon.com/chinaglobalsouth

In this episode of Identity at the Center, hosts Jeff Steadman and Jim McDonald are joined by Jerome Thorstenson, IAM Architect with Salling Group, live from EIC 2025 in Berlin! Jerome shares his insights on B2B identity, the challenges of managing access for a complex supply chain, and the importance of an identity-first approach.Discover how Salling Group, operating major labels like Target and Starbucks, handles identity for thousands of employees and external partners. Jerome dives into the complexities of balancing security, user experience, and the practicalities of implementing IGA and ABAC.From navigating the challenges of data quality and high employee turnover to the nuances of transitioning between IGA systems, this episode offers valuable insights for identity practitioners.Chapter Timestamps:00:00:00 - B2B Identity Challenges00:02:14 - Welcome to Identity at the Center from EIC 202500:04:14 - Jerome's Journey into Identity00:05:19 - Salling Group Overview00:06:57 - Securing B2B - Jerome's Presentation00:10:54 - Controlling Access in B2B00:11:41 - Identity as a Product00:14:51 - The Role of the IAM Practitioner00:16:31 - ABAC as a Game Changer00:21:00 - Language Considerations in a European Context00:22:33 - Employee Turnover Challenges00:25:07 - IGA Implementation Insights00:29:28 - Identity Fabric Discussion00:31:21 - Jerome's Caribbean Background00:34:06 - Wrap-up and Contact InformationConnect with Jerome: https://www.linkedin.com/in/jetdk/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comKeywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, EIC 2025, B2B Identity, Identity First Security, IAM, Identity and Access Management, Supply Chain Security, IGA, ABAC, Attribute-Based Access Control, Role-Based Access Control, Identity Fabric, Digital Identity, Cybersecurity, Data Quality, Employee Turnover, Caribbean

Guest: Christine Sizemore, Cloud Security Architect, Google Cloud  Topics: Can you describe the key components of an AI software supply chain, and how do they compare to those in a traditional software supply chain?  I hope folks listening have heard past episodes where we talked about poisoning training data. What are the other interesting and unexpected security challenges and threats associated with the AI software supply chain?  We like to say that history might not repeat itself but it does rhyme – what are the rhyming patterns in security practices people need to be aware of when it comes to securing their AI supply chains? We've talked a lot about technology and process–what are the organizational pitfalls to avoid when developing AI software? What organizational "smells" are associated with irresponsible AI development?  We are all hearing about agentic security – so can we just ask the AI to secure itself?  Top 3 things to do to secure AI software supply chain for a typical org?   Resources: Video “Securing AI Supply Chain: Like Software, Only Not” blog (and paper) “Securing the AI software supply chain” webcast EP210 Cloud Security Surprises: Real Stories, Real Lessons, Real "Oh No!" Moments Protect AI issue database “Staying on top of AI Developments”  “Office of the CISO 2024 Year in Review: AI Trust and Security” “Your Roadmap to Secure AI: A Recap” (2024) "RSA 2025: AI's Promise vs. Security's Past — A Reality Check" (references our "data as code" presentation)

In this episode of Zero to CEO, I speak with Paula Paul, Founder and Distinguished Engineer at Greyshore, about how companies can drive real value from open source software. With over four decades of experience in tech, Paula shares insights on open source supply chain security, the power of community, and how organizations can adopt cloud-native technologies more efficiently. We also explore the shift from “every company is a tech company” to “every company is a SaaS company,” and Paula reflects on her remarkable journey as a woman in tech since the 1980s. This episode is a must-listen for anyone interested in software innovation, digital transformation, and the future of technology.

While America's eyes are elsewhere, a bombshell Wall Street Journal report reveals China has openly admitted to cyberattacks on critical U.S. infrastructure — water systems, ports, airports, even nuclear plants. In a secret December meeting, Chinese officials confessed to launching the series of attacks known as Volt Typhoon as punishment for U.S. support of Taiwan. The Biden administration's stunned reaction, Trump's shaky response, and the media's silence raise urgent questions: Are we already under digital siege? And can we afford to keep letting our enemy build the tech our lives depend on?

News includes a new library called phoenix_sync for real-time sync in Postgres-backed Phoenix applications, Peter Solnica released a Text Parser for extracting structured data from text, a useful tip on finding Hex package versions locally with mix hex.info, Wasmex updated to v0.10 with WebAssembly component support, and Chrome introduces a new browser feature similar to LiveView.JS. We also talked with Alistair Woodman and Jonatan Männchen from the EEF about Jonatan's role as CISO, the Security Working Group, and their work on OpenChain compliance for supply-chain security, Software Bill of Materials (SBoMs), and what these initiatives mean for the Elixir community, and more! Show Notes online - http://podcast.thinkingelixir.com/245 (http://podcast.thinkingelixir.com/245) Elixir Community News https://gigalixir.com/thinking (https://gigalixir.com/thinking?utm_source=thinkingelixir&utm_medium=shownotes) – Gigalixir is sponsoring the show, offering 20% off standard tier prices for a year with promo code "Thinking". https://github.com/electric-sql/phoenix_sync (https://github.com/electric-sql/phoenix_sync?utm_source=thinkingelixir&utm_medium=shownotes) – New library called phoenix_sync providing real-time sync for Postgres-backed Phoenix applications. https://hexdocs.pm/phoenix_sync/readme.html (https://hexdocs.pm/phoenix_sync/readme.html?utm_source=thinkingelixir&utm_medium=shownotes) – Documentation for phoenix_sync, a solution for building modern, real-time apps with local-first/sync in Elixir. https://github.com/josevalim/sync (https://github.com/josevalim/sync?utm_source=thinkingelixir&utm_medium=shownotes) – José Valim's original proof of concept repo that was promptly archived. https://electric-sql.com/ (https://electric-sql.com/?utm_source=thinkingelixir&utm_medium=shownotes) – Electric SQL's platform that syncs subsets of Postgres data into local apps and services, allowing data to be available offline and in-sync. https://solnic.dev/posts/announcing-textparser-for-elixir/ (https://solnic.dev/posts/announcing-textparser-for-elixir/?utm_source=thinkingelixir&utm_medium=shownotes) – Peter Solnica released TextParser, a library for extracting interesting parts of text like hashtags and links. https://hexdocs.pm/text_parser/readme.html (https://hexdocs.pm/text_parser/readme.html?utm_source=thinkingelixir&utm_medium=shownotes) – Documentation for the Text Parser library that helps parse text into structured data. https://www.elixirstreams.com/tips/mix-hex-info (https://www.elixirstreams.com/tips/mix-hex-info?utm_source=thinkingelixir&utm_medium=shownotes) – Elixir stream tip on using mix hex.info to find the latest package version for a Hex package locally, without needing to search on hex.pm or GitHub. https://github.com/phoenixframework/tailwind/blob/main/README.md#updating-from-tailwind-v3-to-v4 (https://github.com/phoenixframework/tailwind/blob/main/README.md#updating-from-tailwind-v3-to-v4?utm_source=thinkingelixir&utm_medium=shownotes) – Guide for upgrading Tailwind to V4 in existing Phoenix applications using Tailwind's automatic upgrade helper. https://gleam.run/news/hello-echo-hello-git/ (https://gleam.run/news/hello-echo-hello-git/?utm_source=thinkingelixir&utm_medium=shownotes) – Gleam 1.9.0 release with searchability on hexdocs, Echo debug printing for improved debugging, and ability to depend on Git-hosted dependencies. https://d-gate.io/blog/everything-i-was-lied-to-about-node-came-true-with-elixir (https://d-gate.io/blog/everything-i-was-lied-to-about-node-came-true-with-elixir?utm_source=thinkingelixir&utm_medium=shownotes) – Blog post discussing how promises made about NodeJS actually came true with Elixir. https://hexdocs.pm/wasmex/Wasmex.Components.html (https://hexdocs.pm/wasmex/Wasmex.Components.html?utm_source=thinkingelixir&utm_medium=shownotes) – Wasmex updated to v0.10 with support for WebAssembly components, enabling applications and components to work together regardless of original programming language. https://ashweekly.substack.com/p/ash-weekly-issue-8 (https://ashweekly.substack.com/p/ash-weekly-issue-8?utm_source=thinkingelixir&utm_medium=shownotes) – AshWeekly Issue 8 covering AshOps with mix task capabilities for CRUD operations and BeaconCMS being included in the Ash HQ installer script. https://developer.chrome.com/blog/command-and-commandfor (https://developer.chrome.com/blog/command-and-commandfor?utm_source=thinkingelixir&utm_medium=shownotes) – Chrome update brings new browser feature with commandfor and command attributes, similar to Phoenix LiveView.JS but native to browsers. https://codebeamstockholm.com/ (https://codebeamstockholm.com/?utm_source=thinkingelixir&utm_medium=shownotes) – Code BEAM Lite announced for Stockholm on June 2, 2025 with keynote speaker Björn Gustavsson, the "B" in BEAM. https://alchemyconf.com/ (https://alchemyconf.com/?utm_source=thinkingelixir&utm_medium=shownotes) – AlchemyConf coming up March 31-April 3 in Braga, Portugal. Use discount code THINKINGELIXIR for 10% off. https://www.gigcityelixir.com/ (https://www.gigcityelixir.com/?utm_source=thinkingelixir&utm_medium=shownotes) – GigCity Elixir and NervesConf on May 8-10, 2025 in Chattanooga, TN, USA. https://www.elixirconf.eu/ (https://www.elixirconf.eu/?utm_source=thinkingelixir&utm_medium=shownotes) – ElixirConf EU on May 15-16, 2025 in Kraków & Virtual. https://goatmire.com/#tickets (https://goatmire.com/#tickets?utm_source=thinkingelixir&utm_medium=shownotes) – Goatmire tickets are on sale now for the conference on September 10-12, 2025 in Varberg, Sweden. Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com (mailto:show@thinkingelixir.com) Discussion Resources https://elixir-lang.org/blog/2025/02/26/elixir-openchain-certification/ (https://elixir-lang.org/blog/2025/02/26/elixir-openchain-certification/?utm_source=thinkingelixir&utm_medium=shownotes) https://cna.erlef.org/ (https://cna.erlef.org/?utm_source=thinkingelixir&utm_medium=shownotes) – EEF CVE Numbering Authority https://erlangforums.com/t/security-working-group-minutes/3451/22 (https://erlangforums.com/t/security-working-group-minutes/3451/22?utm_source=thinkingelixir&utm_medium=shownotes) https://podcast.thinkingelixir.com/220 (https://podcast.thinkingelixir.com/220?utm_source=thinkingelixir&utm_medium=shownotes) – previous interview with Alistair https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act (https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act?utm_source=thinkingelixir&utm_medium=shownotes) – CRA - Cyber Resilience Act https://www.cisa.gov/ (https://www.cisa.gov/?utm_source=thinkingelixir&utm_medium=shownotes) – CISA US Government Agency https://www.cisa.gov/sbom (https://www.cisa.gov/sbom?utm_source=thinkingelixir&utm_medium=shownotes) – Software Bill of Materials https://oss-review-toolkit.org/ort/ (https://oss-review-toolkit.org/ort/?utm_source=thinkingelixir&utm_medium=shownotes) – Desire to integrate with tooling outside the Elixir ecosystem like OSS Review Toolkit https://github.com/voltone/rebar3_sbom (https://github.com/voltone/rebar3_sbom?utm_source=thinkingelixir&utm_medium=shownotes) https://cve.mitre.org/ (https://cve.mitre.org/?utm_source=thinkingelixir&utm_medium=shownotes) https://openssf.org/projects/guac/ (https://openssf.org/projects/guac/?utm_source=thinkingelixir&utm_medium=shownotes) https://erlef.github.io/security-wg/securityvulnerabilitydisclosure/ (https://erlef.github.io/security-wg/security_vulnerability_disclosure/?utm_source=thinkingelixir&utm_medium=shownotes) – EEF Security WG Vulnerability Disclosure Guide Guest Information - https://x.com/maennchen_ (https://x.com/maennchen_?utm_source=thinkingelixir&utm_medium=shownotes) – Jonatan on Twitter/X - https://bsky.app/profile/maennchen.dev (https://bsky.app/profile/maennchen.dev?utm_source=thinkingelixir&utm_medium=shownotes) – Jonatan on Bluesky - https://github.com/maennchen/ (https://github.com/maennchen/?utm_source=thinkingelixir&utm_medium=shownotes) – Jonatan on Github - https://maennchen.dev (https://maennchen.dev?utm_source=thinkingelixir&utm_medium=shownotes) – Jonatan's Blog - https://www.linkedin.com/in/alistair-woodman-51934433 (https://www.linkedin.com/in/alistair-woodman-51934433?utm_source=thinkingelixir&utm_medium=shownotes) – Alistair Woodman on LinkedIn - awoodman@erlef.org - https://github.com/ahw59/ (https://github.com/ahw59/?utm_source=thinkingelixir&utm_medium=shownotes) – Alistair on Github - http://erlef.org/ (http://erlef.org/?utm_source=thinkingelixir&utm_medium=shownotes) – Erlang Ecosystem Foundation Website Find us online - Message the show - Bluesky (https://bsky.app/profile/thinkingelixir.com) - Message the show - X (https://x.com/ThinkingElixir) - Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir) - Email the show - show@thinkingelixir.com (mailto:show@thinkingelixir.com) - Mark Ericksen on X - @brainlid (https://x.com/brainlid) - Mark Ericksen on Bluesky - @brainlid.bsky.social (https://bsky.app/profile/brainlid.bsky.social) - Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid) - David Bernheisel on Bluesky - @david.bernheisel.com (https://bsky.app/profile/david.bernheisel.com) - David Bernheisel on Fediverse - @dbern@genserver.social (https://genserver.social/dbern)

⬥GUEST⬥Sarah Fluchs, CTO at admeritia | CRA Expert Group at EU Commission | On LinkedIn: https://www.linkedin.com/in/sarah-fluchs/⬥HOST⬥Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine: https://www.itspmagazine.com/sean-martin⬥EPISODE NOTES⬥The European Commission's Cyber Resilience Act (CRA) introduces a regulatory framework designed to improve the security of digital products sold within the European Union. In a recent episode of Redefining CyberSecurity, host Sean Martin spoke with Sarah Fluchs, Chief Technology Officer at admeritia and a member of the CRA expert group at the EU Commission. Fluchs, who has spent her career in industrial control system cybersecurity, offers critical insights into what the CRA means for manufacturers, retailers, and consumers.A Broad Scope: More Than Just Industrial AutomationUnlike previous security regulations that focused on specific sectors, the CRA applies to virtually all digital products. Fluchs emphasizes that if a device is digital and sold in the EU, it likely falls under the CRA's requirements. From smartwatches and baby monitors to firewalls and industrial control systems, the regulation covers a wide array of consumer and business-facing products.The CRA also extends beyond just hardware—software and services required for product functionality (such as cloud-based components) are also in scope. This broad application is part of what makes the regulation so impactful. Manufacturers now face mandatory cybersecurity requirements that will shape product design, development, and post-sale support.What the CRA RequiresThe CRA introduces mandatory cybersecurity standards across the product lifecycle. Manufacturers will need to:Ensure products are free from known, exploitable vulnerabilities at the time of release.Implement security by design, considering cybersecurity from the earliest stages of product development.Provide security patches for the product's defined lifecycle, with a minimum of five years unless justified otherwise.Maintain a vulnerability disclosure process, ensuring consumers and authorities are informed of security risks.Include cybersecurity documentation, requiring manufacturers to provide detailed security instructions to users.Fluchs notes that these requirements align with established security best practices. For businesses already committed to cybersecurity, the CRA should feel like a structured extension of what they are already doing, rather than a disruptive change.Compliance Challenges: No Detailed Checklist YetOne of the biggest concerns among manufacturers is the lack of detailed compliance guidance. While other EU regulations provide extensive technical specifications, the CRA's security requirements span just one and a half pages. This ambiguity is intentional—it allows flexibility across different industries—but it also creates uncertainty.To address this, the EU will introduce harmonized standards to help manufacturers interpret the CRA. However, with tight deadlines, many of these standards may not be ready before enforcement begins. As a result, companies will need to conduct their own cybersecurity risk assessments and demonstrate due diligence in securing their products.The Impact on Critical Infrastructure and Industrial SystemsWhile the CRA is not specifically a critical infrastructure regulation, it has major implications for industrial environments. Operators of critical systems, such as utilities and manufacturing plants, will benefit from stronger security in the components they rely on.Fluchs highlights that many security gaps in industrial environments stem from weak product security. The CRA aims to fix this by ensuring that manufacturers, rather than operators, bear the responsibility for secure-by-design components. This shift could significantly reduce cybersecurity risks for organizations that rely on complex supply chains.A Security Milestone: Holding Manufacturers AccountableThe CRA represents a fundamental shift in cybersecurity responsibility. For the first time, manufacturers, importers, and retailers must guarantee the security of their products or risk being banned from selling in the EU.Fluchs points out that while the burden of compliance is significant, the benefits for consumers and businesses will be substantial. Security-conscious companies may even gain a competitive advantage, as customers start to prioritize products that meet CRA security standards.For those in the industry wondering how strictly the EU will enforce compliance, Fluchs reassures that the goal is not to punish manufacturers for small mistakes. Instead, the EU Commission aims to improve cybersecurity without unnecessary bureaucracy.The Bottom LineThe Cyber Resilience Act is set to reshape cybersecurity expectations for digital products. While manufacturers face new compliance challenges, consumers and businesses will benefit from stronger security measures, better vulnerability management, and increased transparency.Want to learn more? Listen to the full episode of Redefining CyberSecurity with Sean Martin and Sarah Fluchs to hear more insights into the CRA and what it means for the future of cybersecurity.⬥SPONSORS⬥LevelBlue: https://itspm.ag/attcybersecurity-3jdk3ThreatLocker: https://itspm.ag/threatlocker-r974⬥RESOURCES⬥Inspiring Post: https://www.linkedin.com/posts/sarah-fluchs_aaand-its-official-the-cyber-resilience-activity-7250162223493300224-zECA/Adopted CRA text: https://data.consilium.europa.eu/doc/document/PE-100-2023-INIT/en/pdfA list of Sarah's blog posts to get your CRA knowledge up to speed:1️⃣ Introduction to the CRA, the CE marking, and the regulatory ecosystem around it: https://fluchsfriction.medium.com/eu-cyber-resilience-act-9e092fffbd732️⃣ Explanation how the standards ("harmonised European norms, hEN") are defined that will detail the actual cybersecurity requirements in the CRA (2023): https://fluchsfriction.medium.com/what-cybersecurity-standards-will-products-in-the-eu-soon-have-to-meet-590854ba3c8c3️⃣ Overview of the essential requirements outlined in the CRA (2024): https://fluchsfriction.medium.com/what-the-cyber-resilience-act-requires-from-manufacturers-0ee0b917d2094️⃣ Overview of the global product security regulation landscape and how the CRA fits into it (2024): https://fluchsfriction.medium.com/product-security-regulation-in-2024-93ddc6dd89005️⃣ Good-practice example for the "information and instructions to the user," one of the central documentations that need to be written for CRA compliance and the only one that must be provided to the product's users (2024): https://fluchsfriction.medium.com/how-to-be-cra-compliant-and-make-your-critical-infrastructure-clients-happy-441ecd859f52⬥ADDITIONAL INFORMATION⬥✨ More Redefining CyberSecurity: