We are the information security team at Yahoo. People call us the Paranoids, and this is our podcast.
Paranoids Engineering: Supply Chain Security
In this episode of the Paranoids podcast, our hosts — Shawn and Steven — explore their colleagues’ work to secure the software supply chain.
Starting with the one question you’re all asking: What does that even mean in a world of open-source software?!
Join us in conversation to hear discussion on:
Defining Supply Chain Security (2:36)
The Prolific Nature of Open Source (4:38)
Improving the Developer Experience (6:36)
Explaining Common Supply Chain Security Attacks (7:30)
The Different Pieces of Software Supply Chain Security (11:40)
Working Within the Paranoids (18:10)
What's Next?! (26:28)
Hosts: Shawn Thomas (FIRE Chief) and Steven Asifo (Technical Security Sr. Manager, Governance, Risk, and Compliance)
Guests: Nate Burton (Sr. Principal Technical Security Engineer), Hemil Kadakia (Principal Software Engineer), Yonghe Zhao (Software Engineer)
Becoming (a) Paranoid: Our Summer Internship Program!
Summer is one of our favorite times of the year — and not just because of the beach days. Every year, we host (and learn from) interns from colleges and universities worldwide.
In this episode of the podcast, former intern — and current Paranoid — Alden Schmidt and GRC Security analyst Chris Faulkner, who leads the internship program, talk about:
Defining the Program (2:20)
Alden's Internship Presentation (7:44)
Discovering the Program, Applying (10:40)
Last Summer's Projects, Highlights (13:10)
Exposing Interns to the Breadth of Security (17:16)
Recommendations and Advice (19:46)
Hosts: Shawn Thomas (FIRE Chief) and Steven Asifo (Technical Security Manager, Governance, Risk, and Compliance)
Guests: Alden Schmidt (Forensics and Incident Response Engineer) and Chris Faulkner (Sr. Technical Security Engineer & Paranoids Internship Coordinator)
WFH: Leading Through Mission, Not Proximity
The nature of leadership has changed as we’ve all moved from our offices to our living rooms. For the Paranoids, that means adjusting how we all grow together.
Join this conversation to hear about:
Our Approach (2:18)
Squads, Organizing and Leading Remote Teams (6:12)
Tea Time, Fostering Relationships (11:11)
Defcon, Getting Together (13:30)
Remote Culture Requires an All-In Approach (18:47)
Host: Steven Asifo (Technical Security Manager, Governance, Risk, and Compliance)
Guests: Will Chilcutt (Manager, Community Driven Security), Jeff Larson (Sr. Manager, Behavioral Engineering), Josh Schwartz (Sr. Director, Proactive Engineering)
A ‘Master Class’ in Bug Bounty: Jason Haddix on the Paranoids’ Program
The podcast welcomes its first outside guest: Jason Haddix, a bug bounty veteran who has participated in hundreds of programs over his career.
He joins the Paranoids’ team — Arjun Govindaraju and Jonathon Robin — who run our program’s strategy and operations.
Over the course of roughly 45 minutes, they discuss:
'What makes the Paranoids' program COOL?!' (3:43)
The Importance of Scope (5:50)
Live Hacking Events (15:27)
The Art of Recon (24:04)
The Bug Bounty Lifecycle (32:20)
Advice for Security Researchers (39:00)
Hosts: Shawn Thomas (FIRE Chief) and Steven Asifo (Technical Security Manager, Governance, Risk, and Compliance)
Guests: Jason Haddix, Arjun Govindaraju (Bug Bounty Program Lead), and Jonathon Robin (Bug Bounty Operations Lead)
Are you looking to get in touch because of something you found on Yahoo properties? Reach out to us using the contact information you find here: https://www.yahoo.com/.well-known/security.txt
The CTO Perspective: Log4Shell
Addressing cyber risk within the business is a challenging task for any security team to manage on its own.
This places a premium on the Paranoids' relationship with engineering teams, a relationship that matters most when an internet-wide vulnerability forces an expedited patch across the entire organization.
In this episode of the podcast, join Yahoo CTO Aengus McClean and Chief Paranoid Sean Zadig in conversation about:
The Working Relationship (1:00)
Security Culture (3:10)
Communicating Priorities: Log4Shell (12:00)
"Slow is Smooth and Smooth is Fast" (20:20)
Building Security Into the Process (26:27)
Hosts: Shawn Thomas (FIRE Chief) and Steven Asifo (Technical Security Manager, Governance, Risk, and Compliance)
Guests: Aengus McClean (Chief Technology Officer) and Sean Zadig (Chief Information Security Officer)
This is our final episode in a series about Log4Shell. You can find episodes One and Two on the Paranoids' landing page.
Handling a NewVuln: Log4Shell
In our second podcast covering the Paranoids' approach to remediating the Log4Shell vulnerability, Steven Asifo talks to Sadiah Choudhry and Lisa Hulen of Yahoo's Vulnerability Management team, the team responsible for handling newly disclosed security vulnerabilities.
The Elements of Vulnerability Management (2:46)
Defining a NewVuln (4:40)
What's an S-Bug?! (12:15)
Responding to an Unprecedented Event (15:31)
A Companywide Culture of Collaboration (19:03)
Big Takeaways (26:28)
Host: Steven Asifo (Technical Security Manager, Governance, Risk, and Compliance)
Guests: Sadiah Choudhry (Technical Security Manager, Vulnerability and Control Operations Team) and Lisa Hulen (Vulnerability Management Lead)