Secured by Galah Cyber with Cole Cornford

Galah Cyber

Secured is the podcast for software security enthusiasts. Host Cole Cornford sits down with Australia's top software security experts to uncover their unconventional career paths and the challenges they faced along the way. Listen in as they share their insights on the diverse approaches to AppSec, company by company, and how each organisation's security needs are distinct and require personalised solutions. Gain insider access to the masterminds behind some of Australia's most successful Software security teams on Secured by Galah Cyber. This podcast uses the following third-party services for analysis: Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/

  1. How AI Pen Testing Actually Works (and Where It Breaks)

    1D AGO

    How AI Pen Testing Actually Works (and Where It Breaks)

    Episode Summary
    AI is starting to change penetration testing, but most people are asking the wrong question. In this episode of Secured, Cole Cornford sits down with Brendan Dolan-Gavitt, AI researcher at XBOW and former NYU professor, to unpack what autonomous pen testing really is, what it can reliably do today, and what still needs humans. They explore why AI agents are great at scaling the boring parts of testing, like authenticated workflows and broad vulnerability coverage across huge attack surfaces, and why that does not automatically translate to deep, context-aware exploitation. The conversation also gets into the messy parts: AI systems overclaiming “serious” findings, business logic flaws that are hard to verify, audit expectations, and why scope control needs real guardrails, not vibes. From agent traces and validation models to cost curves and creative exfiltration tricks, this episode is a grounded look at where AI helps AppSec and where it can still cause damage if you trust it too much.

    Timestamps
    00:00 – Intro
    03:10 – From academia to building autonomous security tools
    05:00 – Human pen testers vs AI agents: what is actually different
    06:40 – Where AI helps most: boring tasks and low hanging fruit
    08:30 – Scale: a thousand targets vs hiring a thousand testers
    10:20 – Accessibility, economics, and Jevons paradox
    12:30 – Accountability: audit evidence, traces, and “who signs off”
    14:40 – Scope control: avoiding prod and preventing out-of-scope actions
    16:20 – Safety checkers, overseer agents, and persuasion resistance
    18:40 – The cost question: VC money, inference pricing, and efficiency
    21:20 – When AI wastes money and why prioritisation matters
    23:50 – Failure mode: overclaiming business “vulnerabilities”
    26:10 – Validation agents and adversarial peer review
    28:40 – The scary clever stuff: exfiltrating files as images
    31:00 – What AI finds well: XSS, SQLi, file traversal, hard proof bugs
    33:10 – What AI struggles with: business logic and contextual judgement
    35:20 – Hype vs skepticism and why nobody has a crystal ball

    🐙 Secured is grateful to be sponsored and supported by Chainguard. Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Report at https://dayone.fm/chainguard

    42 min
  2. AI, Hiring, and Trust: Why Shortcuts Break Interviews

    FEB 4

    AI, Hiring, and Trust: Why Shortcuts Break Interviews

    Episode Summary
    Hiring is still a human process, no matter how much AI gets injected into it. In this episode of Secured, Cole Cornford sits down with Kim Acosta, Managing Director at UCentric and former Amazon talent acquisition leader, to unpack how AI is actually changing recruitment and where it is quietly breaking trust. They explore how candidates are using AI in applications and technical assessments, why misuse often damages long term employability more than failing an interview, and why recruiters and hiring managers are responding with stricter controls, in person assessments, and AI detection. Kim shares what she is seeing across data, analytics, and AI roles, where demand is growing, and why human judgment, rapport, and credibility still matter far more than perfect answers. The conversation also covers embedded recruitment and RPO models, why soft skills matter more as teams get smaller, and what the next hiring cycle is likely to look like as big tech contracts while smaller companies continue to grow. For candidates, hiring managers, and founders alike, this episode is a grounded look at why shortcuts rarely pay off and why trust is still the real signal.

    Timestamps
    00:00 – Intro
    01:24 – Meet Kim Acosta and UCentric
    02:06 – From Amazon to starting a recruitment consultancy
    04:19 – Data engineering demand vs AI hype
    05:31 – What data engineering roles actually look like
    07:27 – Adapting business models to real market needs
    10:04 – Where AI genuinely helps recruiters
    11:09 – Custom GPTs and interview preparation
    13:43 – One way interviews and candidate slop
    15:09 – Technical assessments and AI misuse
    17:19 – Trust, failure, and reapplying the right way
    18:29 – Spotting AI generated answers in interviews
    20:19 – Rapport, eye contact, and human signals
    22:19 – Hiring for values and team fit
    23:52 – Agency vs internal vs embedded recruiters
    27:59 – RPO models and cost tradeoffs
    28:47 – Layoffs, market shifts, and salary reality
    30:57 – Where hiring is still strong
    33:10 – Why hiring and podcasts still need humans

    🐙 Secured is grateful to be sponsored and supported by Chainguard. Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Report at https://dayone.fm/chainguard

    34 min
  3. PSPF Changes Explained for Security Leaders

    JAN 21

    PSPF Changes Explained for Security Leaders

    Episode Summary
    The Protective Security Policy Framework is meant to guide how government manages security risk, but constant updates make it harder to implement than to understand. In this episode of Secured, Cole Cornford is joined by Toby Amodio, Practice Lead at Fujitsu Cybersecurity Services and former senior cybersecurity leader across Australian government, to break down what actually changed in the latest PSPF update and why it matters in practice. They examine the growing focus on personnel security and foreign interference risk, the inclusion of AI guidance that adds little beyond basic risk assessment, and the long overdue recognition of Secure Service Edge and SASE as compliant gateways. The conversation also explores why deny lists and centralised risk sharing sound sensible on paper but are far harder to enforce in reality, and why most security failures still come down to behaviour, accountability, and how technology is actually used rather than what policy says.

    Timestamps
    00:00 – Intro
    01:18 – What the PSPF is and why it exists
    02:49 – Annual updates, directives, and policy advisories
    04:19 – What actually changed in the 2025 PSPF update
    05:36 – AI in the PSPF and why it adds little value
    08:14 – Tool hype vs implementation risk
    10:32 – The AI policy advisory and trusted vendors
    14:25 – Directive 3 and clearance disclosure risks
    17:21 – Personnel security and enforcement reality
    19:41 – Secure Service Edge and SASE recognition
    23:39 – Commonwealth Technology Management directive
    25:28 – Deny lists, transparency, and security through obscurity
    28:05 – Centralised risk sharing and assessment overload
    29:52 – Policy wonk or policy gronk
    31:12 – Final takeaways and closing

    🐙 Secured is grateful to be sponsored and supported by Chainguard. Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Report at https://dayone.fm/chainguard

    Mentioned in this episode: Download your free CVE Reduction Assessment (December 2025 - Chainguard); Call for Feedback

    33 min
  4. The Architect’s Dilemma: Why Security Design Keeps Failing (and How to Fix It)

    JAN 7

    The Architect’s Dilemma: Why Security Design Keeps Failing (and How to Fix It)

    Episode Summary
    Most security architects are not actually doing architecture. They are doing assurance work, following checklists, and hoping standards will save them. But as systems get more complex and attackers get faster, that approach is no longer good enough. In this episode of Secured, Cole sits down with Ken Fitzpatrick, founder of Patterned Security and creator of securitypatterns.io, a resource built during the lockdown years that has since grown into one of the clearest frameworks for designing meaningful, context-aware security architecture. Ken shares why so many architects fall into the trap of compliance thinking, how security design becomes a tick box exercise, and why threat modeling without understanding context is pointless. They unpack the four foundational steps every architect should follow, why traceability matters more than ever, and how modern teams can stop copying best practice and start solving the real problems in front of them. The conversation also digs into secure by design in different industries, why the term has lost its meaning, and how modern defensible architecture is resetting expectations for what good looks like. Cole and Ken also dive into AI and its impact on the architecture function, separating hype from reality and exploring which roles are at risk as AI improves. If you work in engineering, architecture, AppSec, risk, or are building a product and want a practical way to think about secure design, this is an episode you should not miss.

    Timestamps
    00:00 – Intro
    00:48 – Chainguard Ad
    01:20 – Meet Ken Fitzpatrick and Patterned Security
    02:19 – How a cancelled Canada trip sparked securitypatterns.io
    04:08 – Why architecture needs practical guidance, not more frameworks
    05:18 – The four step method for real security architecture
    07:23 – Moving beyond box ticking and why engineering experience matters
    09:39 – Teaching architecture fundamentals and selecting the right controls
    11:37 – Traceability and making defensible design decisions
    13:14 – Architecture vs assurance and who securitypatterns.io is for
    16:31 – Embedding secure by design into PMO processes and scale up use cases
    19:58 – What secure by design means across different industries
    23:05 – Inconsistent definitions in security and the need for clarity
    23:50 – Modern defensible architecture and Zero Trust guidance
    24:44 – AI’s role in architecture and which tasks get replaced
    28:25 – AI in AppSec and reducing false positives with context
    30:24 – AI sales bots, hype cycles, and the loss of human reciprocity
    33:28 – Ken’s call for collaboration on repeatable architecture patterns
    34:28 – Closing and how to connect with Galah Cyber

    🐙 Secured is grateful to be sponsored and supported by Chainguard. Chainguard is the trusted source for open source. Get hardened, secure, production-ready builds so your team can ship faster, stay compliant, and reduce risk. Download your free CVE Reduction Report at https://dayone.fm/chainguard

    Mentioned in this episode: Download your free CVE Reduction Report now! (December 2025 - Chainguard)

    35 min
  5. Fix the Flag: Rethinking Secure Code Training with Pedram Hayati

    09/11/2025

    Fix the Flag: Rethinking Secure Code Training with Pedram Hayati

    Episode Summary
    CTFs are fun, but do they actually make developers write more secure code? In this episode of Secured, Cole Cornford is joined by Pedram Hayati (Founder of SecDim & SecTalks) to explore why most developer security training fails, and how SecDim’s “Fix the Flag” approach is changing the game. From contrived WebGoat-style examples to frameworks that quietly eradicate entire bug classes, Cole and Pedram dive deep into the intersection of AppSec and software engineering. They unpack why developer experience is non-negotiable, why security needs to borrow design patterns from engineering, and how real-world incidents (like GitHub’s mass assignment bug or the Optus breach) make concepts stick far better than acronyms like “XSS” or “SSTI.” This is a technical, opinionated episode for anyone who’s ever struggled to get developers engaged with security.

    Timestamps
    01:10 – Why Pedram built SecDim, the problem with pen test reports, and why CTFs don’t train developers
    04:42 – From “Capture the Flag” to “Fix the Flag”: making training realistic and Git-first
    06:30 – Training inside developer workflows and why contrived examples fail
    10:28 – Using modern stacks, AI-tailored labs, and real-world incidents to make concepts stick
    12:35 – Why security names suck (XSS vs. “content injection”) and the Optus hack as a teaching moment
    17:37 – Secure design patterns vs. vague slogans, and why secure defaults beat secure by design
    21:15 – Frameworks like React, Rails, and Angular that kill entire bug classes
    23:23 – Engineering by-products: reproducibility, immutability, and orthogonality in secure coding
    30:36 – PHP’s bad reputation, language quirks, and what’s actually most popular in security training today
    33:41 – Why AppSec pros need to build and deploy apps (not just know vulnerability classes)
    37:44 – Getting started with SecDim and hands-on secure coding

    Mentioned in this episode: Call for Feedback

    39 min
  6. ISM 2025 Explained: What CISOs, Devs and Security Leads Need to Know - with Toby Amodio

    07/23/2025

    ISM 2025 Explained: What CISOs, Devs and Security Leads Need to Know - with Toby Amodio

    Episode Summary
    The Australian Information Security Manual (ISM) just got a major update, and not everyone’s thrilled. In this special episode of Secured, Cole Cornford is joined by Toby Amodio (Head of Professional Services, Fujitsu Cyber) to break down what’s changed, what’s missing, and what it all means for CISOs, AppSec teams and public sector security leads. From the new cybersecurity principles (and why they feel like yak shaving) to the long-overdue expansion of software security controls, Cole and Toby navigate the mess of frameworks, missing maturity models, and babushka-doll-style mappings that have left many teams overwhelmed. They also reflect on what “secure-by-default” really means in a world of legacy codebases, overstretched resources, and one-person AppSec teams.

    Timestamps
    01:02 – Why ISM Updates Matter (Even If They’re Late)
    02:32 – New Principles: Nice Idea, Hard to Implement
    04:08 – Yak Shaving and the Complexity Cascade
    07:48 – Mapping Mayhem: PSPF, E8 and Governance Overload
    10:25 – Losing the Maturity Model: Who Does That Help?
    13:46 – Secure-by-Default and the Problem with OWASP-as-a-Proxy
    18:13 – Integration, Incentives, and Cyber vs. Business Silos
    20:34 – The Talent Gap and Why Code Reviews Still Matter
    22:58 – Galah Cyber, Capability Building & Doing AppSec Right
    23:57 – Why Buying Tools Isn’t the Same as Building Capability
    25:21 – What Red, Amber, Green Tools Really Miss
    26:01 – One ISM to Rule Them All… If You Can Implement It
    26:52 – Final Thoughts (and a Funding Stick for CISOs)

    Mentioned in this episode: Call for Feedback

    29 min
  7. Securing the Gaps: M Brennan on Integration, Context and Developer Experience

    07/09/2025

    Securing the Gaps: M Brennan on Integration, Context and Developer Experience

    Episode Summary
    With a career that spans mainframes, integration platforms, and developer experience, M Brennan brings a unique lens to the world of application security. In this episode, M joins Cole Cornford to unpack why integration is often the riskiest layer in software systems, how context is everything when choosing security controls, and what it really takes to build security into developer workflows without adding friction. They dive into stories from government and enterprise environments, the overlap between security and resilience, and how thinking in terms of energy and empathy, not just tools, can lead to better outcomes for everyone. Plus, a surprisingly effective stereo-selling strategy, some well-earned AI scepticism, and a jam-jar analogy you’ll never forget.

    Timestamps
    03:45 – From COBOL to Developer Experience in Security
    06:37 – Choosing the Right Security Control for the Right Risk
    10:00 – Reducing Developer Friction with Secure Defaults
    14:10 – How Threat Modelling Creates Real Value
    17:57 – Fixing Access and Provisioning for Devs and Security
    20:09 – Virtual Dev Environments and Automating the Boring Stuff
    24:04 – Smarter Security Adoption and the Jam Jar Effect
    28:48 – AI, Developer Toil and the Problem with Overpromising
    31:03 – Using AI to Kickstart Threat Modelling and Resilience
    33:56 – Why Some Tech Trends Aren’t Worth the Hype
    36:09 – The Risk of Letting Chatbots Handle Security Promises
    37:16 – Final Takeaways on Empathy, Context and Collaboration

    Mentioned in this episode: Call for Feedback

    40 min
  8. From Cryptography to AppSec: Scott Contini on Building Practical Security

    04/30/2025

    From Cryptography to AppSec: Scott Contini on Building Practical Security

    Episode Summary
    Scott Contini has a PhD in cryptography with more than a dozen research publications, and has spent the last 15 years focused on solving real-world security problems. After switching from academia to industry in 2008, Scott has identified hundreds of cryptographic implementation flaws across the world, written widely read blogs on common coding mistakes, and contributed significantly to the 2021 OWASP Top 10 topic of Cryptographic Failures. He joins Cole Cornford to discuss how cryptography often goes wrong in practice, why secure-by-default APIs are reshaping security today, and the importance of clear communication and community-building in advancing the field. Scott also shares stories from working alongside legendary figures in cryptography, and offers advice for anyone looking to build a sustainable and impactful security career.

    Timestamps
    00:20 – Scott’s background in cryptography and transition to AppSec
    02:00 – Moving from theory to real-world security challenges
    05:00 – Common cryptography mistakes in the industry
    07:50 – Why using the wrong encryption modes leads to vulnerabilities
    10:10 – How Java’s cryptography design led to widespread issues
    14:40 – The rise of secure-by-default APIs in cryptography
    17:00 – Stories from working with cryptographic legends
    22:00 – Improving advice in the OWASP community
    27:50 – The value of writing and public speaking in AppSec careers
    33:00 – Advice for newcomers in security: think like an attacker and keep learning

    Mentioned in this episode: Call for Feedback

    42 min
