
The Security Strategist

EM360Tech

Available Episodes

5 of 169
  • How to Build a Secure Development Workflow in an Era of AI?
    "What we're seeing as a response to coding agents is one of the biggest risks in security vulnerabilities to date," said Jaime Jorge, Founder and CEO of Codacy. "It's almost like a game to see how fast we can exploit vulnerabilities in some of these applications that are created so quickly."

    In this episode of The Security Strategist Podcast, Richard Stiennon, Chief Research Analyst at IT-Harvest, speaks with Jaime Jorge, the Founder and CEO of Codacy, about secure software development in the age of AI. The speakers talk about how quickly coding is evolving due to AI tools, the rise of autonomous coding agents, and the major security issues that come from this faster development. Jorge emphasised the importance of maintaining security practices and highlighted Codacy's role in providing thorough security analysis to ensure that AI-generated code is safe and reliable. The discussion also looks at the future of AI in software development and what IT leaders need to do to manage these changes.

    Software Development in an Era of AI

    The world of software development is changing dramatically, the Codacy founder conveyed on the podcast. With AI tools like GitHub Copilot and Cursor becoming mainstream, developers are writing code faster than ever. Host Stiennon refers to this new era as "vibe coding," meaning the ability to create code at an incredible speed.

    However, this speed can bring serious and risky consequences. Data has shown that AI-generated code often has vulnerabilities. Some studies have found that these vulnerabilities can reach as high as 30-50 per cent. A Front Big Data study reported that 40% of the code suggested by Copilot had vulnerabilities.

    “Yet research also shows that users trust AI-generated code more than their own.”

    This trend is widening the gap between quick development and secure, enterprise-grade software.

    How to Keep up With Autonomous Coding Agents?

    “Without a doubt, one of the most significant trends that we're seeing is coding agents,” the CEO of Codacy told Stiennon. “Autonomous coding agents are becoming extremely skilled at taking a prompt and creating full-fledged products, getting even to the intentions that users have.”

    However, the challenges of autonomous agents cannot be denied. Jorge believes this is more than just a technical issue. It reflects a basic misunderstanding of how to use these powerful new technologies.

    He pointed out that it's dangerous to assume we can completely hand over decisions about the code generated by AI. Important software development practices, such as building security into the design and having human code reviews, shouldn't be overlooked. The convenience of using AI to quickly generate code for a project means we have a greater responsibility to review the code ourselves, to evaluate it, or to ensure that other people approve it.

    Jorge’s key message to CISOs, CTOs and IT decision-makers is that AI is here to stay and that their teams are already likely using it. This wave is hard to ride, but “you have a choice in how to ride it.”

    "AI-generated code can secure our tools, and our agents are empowered with security capabilities. You can move fast if you have the right guardrails."

    The best practices Codacy developed over decades, such as...
    --------  
    15:10
  • How Do You Stop an Encrypted DDoS Attack? How to Overcome HTTPS Challenges
    "When you're encrypting the traffic and giving the keys only to the owner of the traffic, it provides a specific door for attackers to walk right in," stated Eva Abergel, the Senior Solution Expert at Radware.

    In this episode of The Security Strategist Podcast, Richard Stiennon, the Chief Research Analyst at IT-Harvest, an author and a trusted cybersecurity advisor, speaks with Abergel about how Hypertext Transfer Protocol Secure (HTTPS) encryption is creating new challenges for cybersecurity professionals. They also talked about how DDoS attacks have changed to take advantage of new weaknesses that are hidden in plain sight within encrypted traffic. They discussed what organisations need to do to improve their defences.

    HTTPS Encryption Creating Challenges for Defenders

    Hypertext Transfer Protocol Secure (HTTPS) encryption is known to have made the internet safer, especially from DDoS attacks. However, it has also created new opportunities for attackers. Threat actors in the modern day are leveraging encrypted traffic to camouflage malicious activity. Unfortunately, traditional cybersecurity tools have been unsuccessful at spotting and blocking these hidden attacks. This is simply because they cannot decrypt the data of such modern-day cyber breaches.

    Abergel says that unless an organisation can decrypt the traffic, it cannot see what's inside, allowing sophisticated DDoS attacks to go undetected. This presents a dilemma for IT decision-makers, as they are understandably reluctant to surrender the "keys to their castle" by allowing a third party to decrypt their protection walls.

    Especially with the rise of “tsunami attacks”, in other words, DDoS attacks, the network layer becomes more vulnerable. Attackers deliberately target the application layer of a protected network to overwhelm the application, not the entire network. Essentially, hackers take advantage of a grey area in cybersecurity, explains Abergel.

    "WAFs are not equipped to deal with sophisticated web DDoS attacks. And network layer mechanisms and defences for DDoS attacks cannot recognise a DDoS attack on the application layer only by looking at the network layer."

    This means attackers found a comfortable and effective spot to launch their campaigns, often without severe consequences.

    Also Watch: From Prompt Injection to Agentic AI: The New Frontier of Cyber Threats

    How to Protect Your Business Without Compromising Your Keys

    What is the solution when an organisation can't share its encryption keys? This is a major concern, especially for regulated industries that are legally prohibited from sharing this sensitive information with even the most trusted cybersecurity firms. To learn more about the solution, and how Radware can help you defend against modern cybersecurity threats, watch the podcast on EM360tech.com. You can watch the video version on our YouTube channel, @EM360Tech, or listen to the audio version on EM360Tech’s Spotify series, The Security Strategist podcast.

    Takeaways

      • DDoS attacks have evolved significantly since their...
    --------  
    18:29
  • Preemptive Defense with AI-powered Deception: Outsmarting the AI-driven Adversary
    “For a long time, we focused on defending the perimeter and thought that was enough to keep businesses safe,” stated Ram Varadarajan, CEO and Co-founder of Acalvio. “It’s like putting locks on doors. The problem is that more people are finding ways to cross those boundaries and enter your business at an alarming rate.”

    In the recent episode of The Security Strategist podcast, Chris Steffen, the Vice President of Security Research at Enterprise Management Associates (EMA), sits down with Varadarajan to talk about how deception is changing threat detection in compromised enterprise environments. The CEO of Acalvio, alluding to the main issue in modern cybersecurity, explains that the old security model, which aims to create an impenetrable perimeter, is no longer enough. Attackers, equipped with more advanced tools, are discovering new methods to bypass these defences. The old "fortress mentality" is outdated.

    Assume Compromise!

    Both Varadarajan and Steffen agree that modern-day cybersecurity is not a matter of if an attacker will get in, but it's about anticipating when the attacker will get in. This mindset, referred to as "assumed compromise," means that a determined attacker will eventually find a way inside your network, especially with AI in the picture.

    Varadarajan explains, "The defender has to be right all the time in stopping the attacker at the door, whereas the attacker needs to be only right once to get past the perimeter and get inside the house."

    This imbalance gives attackers a significant edge. The vast number of entry points, from on-premise systems to cloud services and remote access, makes it impossible to secure each one perfectly. Consequently, the focus should be on what happens after an attacker is inside.

    So, how are businesses approaching such constantly looming threats?

    Deception: A Preemptive Strike

    This is where deception technology becomes an effective, proactive defense strategy. Instead of waiting for a breach to happen and then trying to fix the damage, deception actively engages and misleads the attacker.

    "If you're assuming that the attacker is going to be inside, the question is how do you find these attackers and bad actors quickly and precisely so that you can conduct the enterprise's business?" elucidates Varadarajan.

    Deception technology creates a web of fake assets, data, and credentials, forming a digital minefield for attackers. When an attacker tries to move laterally through the network or gain higher privileges, they interact with these decoys. This interaction provides an immediate, clear signal that a malicious actor is present, allowing defenders to stop them before they can reach their real target.

    The old methods of securing a network are no longer enough, agree both Varadarajan and Steffen. The rise of sophisticated, AI-driven attacks requires a new, proactive approach.

    "Preemptive defense based on deception is a very legitimate and well-understood way of solving this problem," stated Varadarajan.

    Enterprises are advised to switch strategy from defending the perimeter to actively deceiving and identifying within the network. This would help organisations to regain control. Deception...
    --------  
    30:35
  • Phishing-Resistant Authentication: A Strategic Imperative for CISOs
    Passwords remain one of the weakest links in enterprise security. Despite advances in multi-factor authentication (MFA), recent data breaches show that attackers continue to bypass traditional protections. In this episode of The Security Strategist, host Trisha Pillay speaks with Nic Sarginson, senior solutions engineer at Yubico.

    Together, they explore the vulnerabilities of passwords and conventional MFA, and why phishing-resistant authentication is no longer optional; it’s a strategic imperative for chief information security officers (CISOs).

    "Passwords alone just don’t cut it," says Sarginson. Hackers can launch sophisticated attacks in minutes, and traditional MFA often isn’t enough to stop them. Organisations should turn to device-bound passkeys and physical security keys not just as tools, but as a way to rethink enterprise security, stay ahead of compliance pressures, and embrace a passwordless future.

    "Attackers can now launch sophisticated campaigns quickly and cheaply using publicly available data. That’s why breaches today are far more dangerous, and why weak MFA or social engineering is often involved." — Nic Sarginson, Yubico

    Why This Matters for CISOs

    Cybersecurity leaders face growing pressure to defend against phishing attacks, navigate evolving compliance demands, and deliver secure experiences for users. Sarginson shares practical strategies, expert insights, and real-world examples to help CISOs and IT leaders build a stronger, passwordless future.

    Takeaways

      • Passwords are fundamentally broken and pose a major vulnerability.
      • Recent breaches highlight the inadequacy of traditional MFA.
      • Device-bound passkeys offer stronger protection against phishing.
      • Integration of new security methods is a significant challenge for enterprises.
      • Real-world case studies show measurable improvements with security keys.
      • Regulatory frameworks are increasingly mandating strong MFA.
      • Phishing resistance must become the default in security strategies.
      • The technology for passwordless solutions is now prevalent.
      • Security leaders must advocate for proactive security measures.
      • User education is crucial for the adoption of new security technologies.

    Chapters

      00:00 Introduction to Authentication Challenges
      02:15 The Impact of Recent Data Breaches
      05:30 The Entrenchment of Passwords and MFA
      08:22 Exploring Device Bound Passkeys
      11:20 Integrating Physical Security Keys
      14:34 Real-World Case Studies and Metrics
      17:24 Regulatory Pressures and Future Trends
      20:27 The Path to Passwordless Security

    About Nic Sarginson

    Nic Sarginson is a senior solutions engineer for UKI and RSA at
    --------  
    25:45
  • "With every technological wave, technology weaponises very quickly. You can create targeted attacks at an unprecedented scale, a human-centric attack at a scale that's never been before humanly possible," states Sage Wohns, CEO and Founder of Jericho Security.

    In this episode of The Security Strategist podcast, host Richard Stiennon, Chief Research Analyst at IT-Harvest, speaks with Wohns about modern-day cybersecurity threats driven by AI. They discuss the need for a strong security culture, innovative training methods, and the importance of adapting to new attack vectors. The founder of Jericho Security, an AI-powered human risk management platform, talks about the shift from traditional rule-based defences to probabilistic approaches. Additionally, Wohns spotlighted the necessity of using AI to counter AI in the fight against cyber threats.

    Generative AI: A Cause for Concern in Cyber Security

    The speakers agree that every organisation today has one common and new challenge. It’s the rise of generative AI. This is because gen AI is a tool quickly and widely being used in cyber tech. “We have moved past simple, templated attacks to a new era,” iterated Wohns. Threats have now become more dynamic, personalised, targeted and scalable in ways the world has never witnessed before.

    For years, cybersecurity training has depended on static, rule-based defences. Consider those generic phishing emails from a "Nigerian Prince" or a fake Google logo. However, as Wohns points out, attackers no longer follow a script. They are using AI to create complex, multi-channel attacks that can take advantage of publicly available information and stolen data to target individuals.

    This new reality shows that old "checkbox training" is outdated. An attack on a salesperson will differ significantly from an attack on an accountant, and both will be tailored to exploit specific weaknesses. These attacks go beyond emails; they include deepfake voice calls, fake videos, and coordinated messages that blur the line between what is real and what poses a threat.

    Takeaways

      • AI is rapidly changing the landscape of cyber threats.
      • A strong security culture is essential for organisations.
      • Traditional training methods are outdated and ineffective.
      • Probabilistic defences are needed to counter dynamic attacks.
      • Creating a positive security culture encourages reporting mistakes.
      • Multi-channel attacks are becoming more sophisticated.
      • Generative AI can be used to simulate realistic attacks.
      • Tailored training can enhance employee engagement and effectiveness.
      • Using real-world data makes training relevant and impactful.
      • AI solutions must evolve to keep pace with attackers.

    Chapters

      00:00 Introduction to Cybersecurity and AI Threats
      03:01 The Evolution of Cyber Threats
      05:50 Innovative Approaches to Security Training
      08:55 Probabilistic Defences vs. Rule-Based Systems
      11:49 Creating a Positive Security Culture
      15:02 Multi-Channel Attacks and Emerging Threats
      18:13 Key Takeaways for IT Decision Makers

    About Jericho...


About The Security Strategist

Stay ahead of cyberthreats with expert insights and practical security . Led by an ensemble cast of industry thought leaders offering in-depth analysis and practical advice to fortify your organization's defenses.
v7.23.9 | © 2007-2025 radio.de GmbH
Generated: 9/20/2025 - 6:11:55 PM