Security Bros

Security Bros

John and Rocky Giglio, brothers from the same mother share insights from their combined 50+ years of experience in the trenches of cyber, infrastructure, and consulting.

Episodes

  1. 2 days ago

    62% of Cloud Breaches Are From Bugs You Already Know About (Here's the Fix)

    62% of cloud security incidents come from vulnerabilities your team already knew about. The problem isn't visibility. It's remediation. AI is changing that -- fast. This week, Rocky and John sit down with Snir Ben Shimol, CEO of Zest Security, to break down why cloud vulnerability remediation is still one of the biggest unsolved problems in security and how autonomous AI agents are finally making it solvable. We cover the 30-to-90-day remediation window, why only 1-2% of vulnerabilities are actually exploitable in your environment, and how Zest's platform shrinks a backlog of 100,000 vulnerabilities by 70% in the first week -- without a single human in the loop. If you're running a CSPM, drowning in vulnerability backlogs, or wondering what practical AI in security actually looks like (not just marketing slides), this episode is for you. Chapters 00:00 - Introduction and recording setup 02:00 - The 62%: cloud incidents from known, unfixed vulnerabilities 03:32 - Snir's background: Israeli intelligence, Cybereason CISO, acquisition by Palo Alto 03:41 - Setting the stage: CSPM, Wiz, Orca, Tenable, Qualys 04:23 - Visibility is solved. Remediation is the new bottleneck. 06:49 - The math doesn't work: 30-90 days to remediate vs. 24 hours to exploit 07:23 - SANS and CSA call for a VulnOps practice (end of 2024) 08:34 - What Zest's Cloud Risk Exposure Impact Report actually found 11:25 - Why remediation takes so long: CABs, testing cycles, approvals 13:05 - Is this a process problem, a tooling problem, or an architecture problem? 15:28 - Only 1-2% of vulnerabilities are actually exploitable in your environment 16:36 - Mythos, AI-powered zero-day discovery, and the changing threat landscape 19:08 - Will AI make the exploitable percentage grow? 21:53 - How Zest uses AI agents to attack the remediation gap 23:16 - Shrinking a 100,000-vulnerability backlog by 70% in one week 24:37 - Remediation simulation with digital twin technology 26:41 - 15 fixes to close 80-90% of your critical exposure 29:49 - Mitigating controls: what to do when you can't patch right now 35:24 - Real story: a supply chain attack (Aqua/Trivy) contained in under 6 hours 37:40 - Autonomous agents: what Zest announced at RSA 41:47 - The future: zero humans in the loop, self-healing production environments 45:43 - Measuring what matters: mean time to remediation, not mean time to ticket 46:02 - Where to find Zest Security and request a demoLinks and Resources Zest Security (request a demo): https://zestsecurity.io Snir Ben Shimol on LinkedIn: https://www.linkedin.com/in/snirsbs/ Zest Cloud Risk Exposure Impact Report (the source of the 62% stat): https://zestsecurity.io Verizon Data Breach Investigations Report 2025: https://www.verizon.com/business/resources/reports/dbir/ Mandiant M-Trends 2025 Report: https://cloud.google.com/security/resources/m-trends SANS/CSA VulnOps guidance: https://www.sans.org Subscribe for new episodes every month covering cloud security, AI, and the tools actually being used in the field.

    47 min

  2. 12 May

    AI Is a Weapon You Might Be Pointing at Yourself | OWASP Top 10 LLMs

    A lawyer submitted six court cases to a federal judge in New York. ChatGPT wrote every single one of them. None of them existed. When opposing counsel said they couldn't find the cases, the lawyer went back to ChatGPT to verify whether the cases were real. ChatGPT said yes. Absolutely. You can find them on Westlaw and LexisNexis. He submitted them anyway — under oath. That's hallucination. That's number nine on the OWASP Top 10 for LLM Applications. And it cost him $5,000, a formal apology to every federal judge whose name appeared in the fake rulings, and probably a lot more in embarrassment. This week on Security Bros, Rocky and John Giglio go deep on the OWASP Top 10 for LLM Applications — the 2025 edition, built by 600+ researchers across 18 countries. If you're building with AI, deploying AI, or just using it every day at work, this list is the closest thing the security world has to a peer-reviewed warning label. They break down all 10 vulnerabilities in plain English, connect each one to real stories, and don't sugarcoat any of it: A world-famous white hat hacker who jailbreaks ChatGPT to write his own attack toolsSamsung engineers who handed proprietary source code to ChatGPT — and how long it took after the ban was lifted for it to happen again (spoiler: 20 days, three incidents)Air Canada's chatbot that gave a grieving customer wrong information about bereavement fares — and the company's legal defense that the chatbot was "a separate legal entity"How DeepSeek may have reverse-engineered Claude's reasoning by querying it at scale — and what Anthropic is doing about itThe invisible text on a webpage that hijacks your AI agent without you ever knowingThe lesson running through all of it: your security policy will never beat convenience without technical controls. You have to make the secure path the easy path. Subscribe so you don't miss the follow-up deep dives on Claude Cowork security, AI-ready DLP, and the excessive agency problem that's about to blow up as agentic AI goes mainstream. Resources mentioned: OWASP Top 10 for LLM Applications: https://owasp.org/www-project-top-10-for-large-language-model-applications/Previous episode: OWASP Top 10 for Web Applicationshttps://youtu.be/oCuYgphY6iY 00:00 The Lawyer Who Asked AI If AI Was Lying to Him 00:33 Meet the Security Bros + What We're Covering Today 01:41 What Is OWASP? (600 Researchers, 18 Countries, One List) 04:38 #1 Prompt Injection — The Attack That's Everywhere Right Now 07:28 #2 Sensitive Information Disclosure — You Think It's Private. It's Not. 08:29 #3 Supply Chain Risk — What's Really Inside That Open Source Model? 10:27 #4 Data & Model Poisoning — The Sleeper Agent Attack 13:31 #5 Output Handling — Nobody Reviews AI Code. Nobody. 14:05 #6 Excessive Agency — When Your AI Has Too Much Power 18:12 #7 System Prompt Leakage — Stop Putting Secrets in the Instructions 20:37 #8 Vector & Embedding Weaknesses — How RAG Gets Poisoned 23:30 #9 Hallucination — AI Makes Things Up. Confidently. 25:58 #10 Unbounded Consumption — How DeepSeek May Have Stolen Claude's Brain 29:59 Real Story: Samsung's 3 Data Leaks in 20 Days 36:03 Real Story: Air Canada's "Separate Legal Entity" Defense 40:30 Real Story: The $5K Fine & Apology Letters to Federal Judges 45:09 Key Takeaways — Make the Secure Path the Easy Path

    49 min

  3. 27 Mar

    Why the OWASP Top 10 Moved (And What It Says About Your Security Practice)

    In this conversation, John and Rocky Giglio discuss the recent updates to the OWASP Top 10 list for 2025, exploring the implications of these changes for application security. They delve into the data behind the rankings, the influence of community feedback, and the importance of secure design practices. The discussion highlights the ongoing challenges in cybersecurity, particularly around misconfiguration and identity management, and emphasizes the need for a holistic approach to security that integrates both software and infrastructure considerations. Chapters   00:00 Introduction and Technical Challenges 02:00 Exploring OWASP Top 10 Updates 07:01 Understanding OWASP and Its Data Sources 14:02 Community Influence on OWASP Rankings 17:07 Movement in OWASP Top 10: Insights and Implications 20:30 The Challenge of Keeping Up with Technology 21:37 The State of Vulnerability Management 22:44 Cloud Native vs. Traditional Organizations 24:11 Understanding the OWASP Top 10 26:14 Trends in Identification and Authentication 27:12 The Importance of Security Logging and Monitoring 28:55 Balancing Application and Infrastructure Security 30:19 The Role of Secure Design in Security 32:02 The Future of Security Practices 34:38 Understanding Weaknesses vs. Vulnerabilities 36:58 The Importance of Cloud Security Practices 39:45 Shifting Left in Security Practices 41:46 The Need for Continuous Assessment

    40 min

  4. 27 Feb

    You have too many identities

    In this episode of Security Bros, hosts Rocky and John Giglio delve into the complexities of identity management in the cybersecurity landscape, particularly in the cloud era. They discuss the challenges of identity sprawl, the importance of managing permissions, and the balance between security and business needs. The conversation emphasizes the necessity of building relationships across departments to effectively manage identity and security practices. Chapters 00:00 Introduction to Cybersecurity and Identity Management 01:28 Challenges of Identity Management in the Cloud Era 06:13 The Importance of Permissions and Access Control 11:15 Balancing Security and Business Needs 19:01 Building Relationships for Effective Security Management

    25 min

  5. 16 Jan

    CrowdStrike Proved Patch Management is Broken

    In this episode the Security Brothers, Rocky and John Giglio delve into the complexities of patch management and vulnerability management in the tech industry. They discuss the ongoing challenges faced by security practitioners, the implications of recent incidents like the CrowdStrike outage, and the evolving role of AI in enhancing security measures. The conversation emphasizes the need for comprehensive testing, strategic planning, and prioritization in managing vulnerabilities, while also exploring the importance of adapting to new technologies and methodologies in cybersecurity. Takeaways Handling old tech and patch management is a significant issue. Vulnerability management is overwhelming but necessary. Prioritization is key in dealing with numerous vulnerabilities. Automated systems can help reduce the burden of patch management. Testing is crucial before rolling out updates. AI can assist in writing tests and improving deployment processes. A comprehensive security strategy includes monitoring and logging. Continuous learning from incidents is essential for improvement. Collaboration with business leaders is vital for effective security management. The landscape of vulnerabilities is constantly evolving, requiring adaptive strategies. Chapters 00:00 Introduction to Security Challenges 02:49 The Importance of Patch Management 06:03 Navigating Vulnerabilities in Modern Tech 08:53 Lessons from the CrowdStrike Incident 11:45 Testing and Deployment Strategies 14:49 The Role of AI in Security Management 17:43 Building a Comprehensive Security Strategy 20:53 Final Thoughts and Future Directions

    28 min

  6. 31/12/2025

    Security Bros - Episode 2 - North Korea Fakers

    In this episode the brothers discuss the alarming tactics used by North Korea in cyber infiltration, particularly through fake job interviews and identity fraud. They emphasize the critical need for robust identity verification processes to combat these threats. The discussion also highlights the growing concern of insider threats within organizations and the necessity of implementing layered security strategies to protect sensitive data. The episode concludes with a reminder of the importance of mastering basic security practices to effectively mitigate risks. Takeaways North Korea is using fake identities to infiltrate companies. The money collected is used for developing nuclear weapons.Identity verification is crucial in hiring processes. Insider threats are often overlooked in security measures.Ransomware attacks can be a consequence of data theft.Layered security is essential; no single solution suffices.Understanding user behavior is key to detecting anomalies. Regular assessments of security strategies are necessary.Basic security practices are often neglected. Investing in security must be balanced with operational needs. Chapters 00:00 Introduction to Cybersecurity Challenges 02:41 North Korea's Infiltration Tactics 05:22 Identity Verification and Its Importance 08:31 Understanding Insider Threats 11:35 Ransomware and Data Protection 14:14 The Need for Multi-layered Security 17:00 Final Thoughts

    19 min

  7. 16/12/2025

    Security Bros - Episode 1 - The Misconfiguration Crisis in Cloud Security

    John and Rocky Giglio kick of the Security Bros podcast with a special guest, Justin O'Connor founder of Onward Platforms. Want to see it live with your own eyes? Jump into the webinar Dec 19th, 12pm EST: https://bit.ly/sb-infracode Subscribe to catch every episode and stay up-to-date with security trends and the latest security tech. Summary In this inaugural episode of the Security Bros podcast, hosts Rocky and John Giglio welcome Justin O'Connor, an industry leader in cloud and AI, to discuss the current state of cloud security, the challenges posed by misconfiguration, and the impact of AI on coding practices. Justin introduces Infracodebase, a tool designed to enhance security in infrastructure as code, and demonstrates its features by building a secure API management landing zone. The conversation highlights the importance of integrating security from the outset and the need for organizations to adapt to the evolving landscape of cloud technology. Takeaways Cloud adoption is primarily hybrid or multi-cloud.85-90% of organizations report an increase in cloud security incidents.Misconfiguration is a leading cause of cloud security failures.AI can generate code quickly, but often lacks context.Security posture varies significantly between startups and enterprises.InfraCodebase helps enforce security standards across teams.The tool allows for easy integration with existing security tools.Automated security checks can improve compliance and reduce risks.Creating a secure infrastructure requires ongoing monitoring and adjustments.The future of cloud engineering lies in simplifying infrastructure management. Sound bites "AI slop is a real problem." "This is the future of cloud engineering." "We need to layer in security from day zero." Chapters 00:00 Introduction to Security Bros Podcast 02:42 Current State of Cloud Security 04:39 The Impact of AI on Security 07:43 Understanding Security Posture 09:32 Infracodebase Product Overview 12:33 Creating Secure API Management 17:21 Governance and Control in Security 19:13 Terraform Configuration and Security Best Practices 24:19 Understanding Infrastructure Architecture and Security Checks 28:48 MCP Server Integration and Security Considerations 34:33 The Future of Cloud Engineering and Security 37:55 Enterprise Scale Infrastructure as Code Check out Infracodebase at https://bit.ly/4iZM2LH This is not sponsored, we just like Justin and his team.

    39 min
  • 7 Episodes

About

John and Rocky Giglio, brothers from the same mother share insights from their combined 50+ years of experience in the trenches of cyber, infrastructure, and consulting.

Information

  • Creator
    Security Bros
  • Years Active
    2025 - 2026
  • Episodes
    7
  • Rating
    Clean
  • Copyright
    © 2025 Security Bros