10 episodes

Named one of the world's top information security podcasts, The Security Ledger Podcast offers in-depth interviews with the top minds in information (cyber) security. Hosted by Paul Roberts, Editor in Chief of The Security Ledger, each podcast is a conversation about the cyber security stories making headlines and about the most important trends in the information security space including security and the Internet of Things, the latest cyber threats facing organizations and new paradigms for securing data and devices. A must listen if "cyber" is your thing!

The Security Ledger Podcasts The Security Ledger

    • Technology
    • 4.3 • 9 Ratings

Named one of the world's top information security podcasts, The Security Ledger Podcast offers in-depth interviews with the top minds in information (cyber) security. Hosted by Paul Roberts, Editor in Chief of The Security Ledger, each podcast is a conversation about the cyber security stories making headlines and about the most important trends in the information security space including security and the Internet of Things, the latest cyber threats facing organizations and new paradigms for securing data and devices. A must listen if "cyber" is your thing!

    Episode 257: Securing Software on Wheels with Dennis Kengo Oka of Synopsys

    Episode 257: Securing Software on Wheels with Dennis Kengo Oka of Synopsys

    In this episode of The Security Ledger Podcast (#257) Paul speaks with Dennis Kengo Oka, a senior principal automotive security strategist at the firm Synopsys about the growing cyber risks to automobiles as connected vehicle features proliferate in the absence of strong cybersecurity protections.







    [Video Podcast] | [MP3] | [Transcript]















    Almost from the get-go, automobiles symbolized a kind of dynamic and restless American identity. The auto industry epitomized U.S.’s vibrant and innovative economy. With the help of some serious federal dollars, they also became indispensable parts of 20th century American life. By the 1950s, accepted wisdom was that automobiles and the automotive industry were inextricably linked to the well being of the U.S. – what’s good for GM is good for the United States, and vice versa – as the saying went.







    Dennis Kengo Oka is a senior principal automotive security strategist.





    But all that romanticizing of cars and the cheerleading of the powerful and influential auto industry forestalled much-needed oversight of vehicles. The auto industry fought calls for federal auto safety rules and requirements for decades, arguing that driver error and unsafe roads were responsible for accidents, not their vehicles.







    A four decade delay in vehicle safety regulation







    It wasn’t until the mid 1960s that Congress got around to passing the National Traffic and Motor Vehicle Safety Act in the wake of the publication of Ralph Nader’s Unsafe at Any Speed – an expose of how the auto industry prioritized style and features over safety. By that time, automobile accidents were responsible for 49,000 deaths, 1.8 million minor injuries, and $8.5 billion in damages, lost wages, and medical expenses annually. (By comparison, 46,980 people died in auto accidents in the U.S. in 2021, despite the fact that the number of registered vehicles on the roads has more than tripled in the intervening years, from around 90 million vehicles in 1965 to more than 280 million in 2021.)







    Since then, the auto industry’s tune on vehicle safety has done a 180 degree turn. Safety features -like airbags and collision avoidance – and vehicle safety ratings are, today, a key selling point for cars. But that focus on safety doesn’t extend to the software that increasingly runs our vehicles.







    Vehicle safety? Critical! Vehicle software safety…umm….







    As with the advent of the automobile in the first decades of the 20th century, the arrival of the “smart car” in the first decades of the 21st century has transpired as an industry-led initiative transpiring in a vacuum of government oversight, regulation and guidance. The result: exploitable cyber-physical software flaws were documented starting as early as 2011, with a dramatic display of the potential to use software...

    • 34 min
    Episode 256: Recursive Pollution? Data Feudalism? Gary McGraw On LLM Insecurity

    Episode 256: Recursive Pollution? Data Feudalism? Gary McGraw On LLM Insecurity

    In this episode of The Security Ledger Podcast (#256) Paul speaks with Gary McGraw of the Berryville Institute of Machine Learning (BIML), about that group’s latest report: an Architectural Risk Analysis of Large Language Models. Gary and Paul talk about the many security and integrity risks facing large language model machine learning and artificial intelligence, and how organizations looking to leverage artificial intelligence and LLMs can insulate themselves from those risks.







    [Video Podcast] | [MP3] | [Transcript]















    Four years ago, I sat down with Gary McGraw in the Security Ledger studio to talk about a report released by his new project, The Berryville Institute of Machine learning. That report, An Architectural Risk Analysis of Machine Learning Systems, included a top 10 list of machine learning security risks, as well as some security principles to guide the development of machine learning technology.







    Gary McGraw is the co-founder of the Berryville Institute of Machine Learning







    The concept of cyber risks linked to machine learning and AI – back then – were mostly hypothetical. Artificial Intelligence was clearly advancing rapidly, but – with the exception of cutting edge industries like high tech and finance – its actual applications in everyday life (and business) were still matters of conjecture.







    An update on AI risk







    Four years later, A LOT has changed. With the launch of OpenAI’s ChatGPT-4 large language model (LLM) artificial intelligence in March, 2023, the use- and applications of AI have exploded. Today, there is hardly any industry that isn’t looking hard at how to apply AI and machine learning technology to enhance efficiency, improve output and reduce costs. In the process, the issue of AI and ML risks and vulnerabilities -from “hallucinations” and “deep fakes” to copyright infringement have also moved to the front burner.







    Back in 2020, BIML’s message was one of cautious optimism: while threats to the integrity of LLMs were real, there were things that the users of LLMs could do to manage those risks. For example, scrutinizing critical LLM components like data set assembly (where the data set that trained the LLM came from); the actual data sets themselves as well as the learning algorithms used and the evaluation criteria that determine whether or not the machine learning system that was built is good enough to release.







    AI security: tucked away in a black box







    By controlling for those factors, organizations that wanted to leverage machine learning and AI systems could limit their risks. Fast forward to 2024, however, and all those components are tucked away inside what McGraw and BIML describe as a “black box.”









    So in 2020 we said. There’s a bunch of things you can do around these four components to make stuff better and to under...

    • 32 min
    Episode 255: EDM, Meet CDM – Cyber Dance Music with Niels Provos

    Episode 255: EDM, Meet CDM – Cyber Dance Music with Niels Provos

    In this episode of The Security Ledger Podcast (#255) Paul speaks with Niels Provos – a cybersecurity luminary who helped build Google’s security team from the ground up. Paul and Niels talk about his latest project: the Cyberhouse-Collective, which hopes to inspire new generations of cybersecurity professionals by fusing infosec themes with Electronic Dance Music (EDM), and we check out some of his own music, released under the moniker Activ8te







    [Video Podcast] | [MP3] | [Transcript]















    One of the biggest cybersecurity challenges we face is the problem of awareness. Software is now central to the operation of our economy – as digital transformation washes over every industry. And yet, the awareness of cyber security risks – from phishing and social engineering attacks to software supply chain compromises – remains low.







    Nobody knows that better than our guest this week. Niels Provos has a storied, two decade career on the forefront of cybersecurity, starting in the late 1990s with his work as a graduate student on phenomena like steganography and honeypots. That work landed him a place as a founding member of Google’s security team, where he worked for 15 years, rising to the position of Distinguished Engineer and helping to develop protections for everything from denial of service attacks to safe browsing features to defenses against nation-state actors following the infamous 2009 Operation Aurora attack on Google by hackers linked to China’s People’s Liberation Army (PLA).









    Niels Provos, Head of Security Efficacy at Lacework

















    Niels’ subsequent work included a stint as the Head of Security at payments startup Stripe. He’s now at Lacework, a cloud security firm, where he serves as the Head of Security Efficacy. His work taught him plenty about cybersecurity – but also gave him a sobering appreciation of the difficulty organizations have in actually changing outcomes.







    “I’ve been working on this now for 25 years and I just don’t feel it’s getting better,” Niels told me.







    A pandemic epiphany







    And then the COVID pandemic happened. With Niels – as with so many of us – the pandemic prompted big changes to his day-to-day reality, as well as a reconsideration of where he’d been, and where he was going. In Niels’ case, that meant leaning into a budding interest in making music. He signed up to take some virtual classes in electronic music production at Boston’s Berkeley College of Music. His growing interest in producing electronic music soon fused with his interest in cybersecurity – prompting questions about how one might help the other.









    “One of the things that I’ve been bemoaning is the poor state of security in the world. And then you read about the scarcity of talent. And then I was like maybe I can combine all of this. And I decided to produce cyber security themed EDM tracks, where each track covers some security topics in the hope of, being fun to listen to and what people would feel like would like to dance to this.”

    — Niels Provos (Activ8te), Head of Security Efficacy at Lacework







    Meet Activ8te







    The result was the birth of Activ8te,

    • 29 min
    Episode 254: Dennis Giese’s Revolutionary Robot Vacuum Liberation Movement

    Episode 254: Dennis Giese’s Revolutionary Robot Vacuum Liberation Movement

    In this Security Ledger Podcast (#254), I speak with Dennis Giese, an independent security researcher and world-renowned IoT device hacker. Dennis is famous for his investigations into the workings of robot vacuum cleaners made by firms like iRobot, Roborock, Dreame and Shark. In this conversation, Dennis and I talk about the evolution of vacuums into smart, autonomous robots bristling with cameras and microphones and capable of collecting reams of data about you and your surroundings. He also talks about his mission to liberate robot vacuums from the control of their manufacturers, letting owners tinker with their own devices and – importantly – hold on to the data they collect.







    [Video Podcast] | [MP3] | [Transcript]















    In this week’s episode, we’re speaking with the independent security researcher and IoT hacker Dennis Giese. Dennis is one of the foremost researchers exploring the security of connected devices- in particular: robot vacuum cleaners. In fact, he spoke at this year’s DEF CON conference in August about his work on Vacuum Robot Security and Privacy – and how to prevent your robot from sucking your personal data away. 







    Forget the IoT. Meet the IoZ: our Internet of Zombie things







    Dennis Giese is a Ph.D student at Northeastern University in Boston.





    I reached out to Dennis this fall after I realized that he was in Boston, where he’s been pursuing his PhD at Northeastern University. We met for coffee in Harvard Square, Cambridge, soon after, and I asked him to come on the show – an invitation he graciously accepted. 







    Wanted: Smart Device Liberation







    I really wanted to talk to Dennis because one of the things that I’m really interested in and focused on these days is the intersection between security research and what I consider the larger project of smart device “liberation.”(See my August podcast with Colin O’Flynn about his work reprogramming a wonky electric oven.)







    Episode 241: If Its Smart, Its Vulnerable a Conversation with Mikko Hyppönen







    As software worms its way onto pretty much every type of modern appliance, consumers have benefitted from amazing features. But software and always-on Internet connectivity have also enabled abusive practices, such as mass, commercial surveillance of consumers and de-facto monopolies on things like service and repair. Today, your Internet connected car is collecting gigabytes of data every hour of operation about your movements, driving behaviors, associations and even – possibly – your conversations. It’s sending that data off to cloud-based systems owned and operated by automakers, which use that data to…well…nobody really knows.

    • 36 min
    Spotlight Podcast: Chris Petersen CEO Of RADICL On Protecting Defense Industry SMBs Spotlight Podcast: RADICL Is Coming To The Rescue Of Defense SMBs

    Spotlight Podcast: Chris Petersen CEO Of RADICL On Protecting Defense Industry SMBs Spotlight Podcast: RADICL Is Coming To The Rescue Of Defense SMBs

    In this Spotlight episode of the Security Ledger podcast, I interview Chris Petersen, the CEO and founder of RADICL, about his company’s mission to protect small and midsized businesses serving the defense industrial base, which are increasingly in the cross-hairs of sophisticated, nation-state actors. 

    [MP3] [Video] [Transcript]



    The companies that serve the U.S. and other militaries have always been at the top of the target list for so-called “advanced persistent threat” cyber adversaries. In fact, the term “advanced persistent threat” (or APT) was concocted by U.S. Air Force personnel way back in 2005 as a way to talk about the kinds of enduring cyber attacks and attempts at data exfiltration they were observing.

    Eighteen years later, the situation hasn’t improved all that much. In October of 2022, for example, CISA joined with the FBI and NSA to warn about forays by multiple APTs onto the networks of a defense industrial base firm – some with long-term access to the environment involving the theft of sensitive data.

    The DIB’s Long Tail: Small Businesses

    As we contemplate attacks on defense industrial base companies, a certain image may come to mind: one of hacks or attempted hacks on giant and wealthy firms like Lockheed Martin, Northrup Grumman, BAE Systems or Raytheon. Without a doubt: sophisticated, nation-state cyber actors target those firms. But the reality of the defense sector – as with so many other sectors of our economy – is that it is small and midsized businesses (SMBs) that make up the bulk of the defense industrial base (DIB). In fact, there are an astounding 220,000 firms that make up the DIB, with many of them having fewer than 500 employees.

    And those firms are under attack. According to a 2022 report by the firm ConnectWise (PDF), in fact, more than three quarters of small to medium-sized businesses within the defense ecosystem (76%) reported suffering at least one cyber-attack. Given their small sizes and limited resources, however, these firms often struggle to stay on top of cyber risks including the forays of Russian, Chinese, and Iranian nation-state actors, ransomware gangs, and other cyber criminal groups on the hunt for sensitive data and intellectual property.

    That phenomenon, in which security solutions are targeted at larger, wealthier firms at the expense of more common small businesses,  has been described as the “security poverty line.” And its a big problem. (Check out this 2021 podcast featuring Josh Corman and Lisa Young of the COVID task force at CISA who talk about the agency’s work to improve the security of critical sectors of the U.S. economy.)

    RADICL to the rescue of Defense SMBs

    Our guest on this week’s Spotlight Podcast set out to lend a helping hand to SMBs serving the defense sector.  Chris Petersen is the CEO and founder of RADICL, a new company that hopes to extend top tier threat detection, threat hunting and incident response capabilities to small and midsized businesses in the defense industrial base. His company just scored a $9 million funding round, its second, bringing total RADICL funding to $12 million.

    • 27 min
    Episode 253: DevSecOps Worst Practices With Tanya Janca of We Hack Purple

    Episode 253: DevSecOps Worst Practices With Tanya Janca of We Hack Purple

    In this Security Ledger Podcast interview from earlier this year, Tanya Janca of the group We Hack Purple (now SemGrep), talks with Security Ledger host Paul Roberts about the biggest security mistakes that DevSecOps teams make, and application development’s “tragedy of the commons,” as more and more development teams lean on open source code.







    [Video Podcast] | [MP3] | [Transcript]















    Editor’s note: since recording this conversation with Tanya, We Hack Purple was acquired by Semgrep, where Tanya Janca in now the Head of Community and Education.







    One of the thorny problems facing modern development organizations is the gap between their development- and application security teams. In many organizations, application develop happens separately from application security testing including pen testing, red teaming and the like. That can create bad dynamics, with appsec teams playing the role of gate keepers and finger wagging disciplinarians, rather than collaborators.







    Tanya Janca is the founder of We Hack Purple and the ead of Education and Community at Semgrep!





    Hacking Purple to Bridge The Dev-AppSec Divide







    Our guest this week, Tanya Janca, set out to bridge those divides. The founder of the group We Hack Purple (recently acquired by SemGrep), Tanya is a skilled developer and experienced pen tester/red team-er who has always taken it as her mission to not just identify security weaknesses in applications, but also to work constructively with development teams to address those weaknesses and to develop the secure coding skills and habits to stop making the same mistakes time and again. The organization she founded, We Hack Purple, offers courses for developers to learn core application security concepts and skills, and offers discussion groups where developers can seek help from the community around a range of issues. (Tanya also hosts her own podcast, which you can check out here.)







    Attacks on APIs demand a Security Re-Think







    DevSecOps Teams’ Worst Security Fails







    In this conversation, which was recorded ahead of the RSA Conference back in April, I asked Tanya to dig into the details of a talk she was giving on “DevSecOps Worst Practices.” That was based on her experience advising development and DevOps teams – things like failing to tune your testing tools and breaking builds under a tsunami of “false positives.”







    Supply Chain Hackers LofyGang Behind Hundreds of Malicious Packages







    Tanya and I also talk about some of the bigger threats to application security. Among them: threats and attacks on open source software supply chains and a “tragedy of the commons” playing out in the open sour...

    • 32 min

Customer Reviews

4.3 out of 5
9 Ratings

9 Ratings

AnneViola ,

Excellent and informative

My go-to source for security trends and news, with a well-rounded selection of guests. Paul has an affable yet hard-hitting interview style and always gets the best out of his subjects.

LStar-BOS ,

great cyber security podcast!

One of the best and most thoughtful podcasts on the cyber security space. Interviews with hackers, executives, activists and leading policy makers and academics. A 'must-listen' if information security is your thing!

Top Podcasts In Technology

Lex Fridman Podcast
Lex Fridman
All-In with Chamath, Jason, Sacks & Friedberg
All-In Podcast, LLC
No Priors: Artificial Intelligence | Machine Learning | Technology | Startups
Conviction | Pod People
BG2Pod with Brad Gerstner and Bill Gurley
BG2Pod
Acquired
Ben Gilbert and David Rosenthal
Hard Fork
The New York Times

You Might Also Like

Open Source Security Podcast
Josh Bressers & Kurt Seifried
Cyber Security Headlines
CISO Series
Malicious Life
Malicious Life
Hacking Humans
N2K Networks
Darknet Diaries
Jack Rhysider