Episode Summary

CTFs are fun, but do they actually make developers write more secure code? In this episode of Secured, Cole Cornford is joined by Pedram Hayati (Founder of SecDim & SecTalks) to explore why most developer security training fails, and how SecDim’s “Fix the Flag” approach is changing the game.

From contrived WebGoat-style examples to frameworks that quietly eradicate entire bug classes, Cole and Pedram dive deep into the intersection of AppSec and software engineering. They unpack why developer experience is non-negotiable, why security needs to borrow design patterns from engineering, and how real-world incidents (like GitHub’s mass assignment bug or the Optus breach) make concepts stick far better than acronyms like “XSS” or “SSTI.”

This is a technical, opinionated episode for anyone who’s ever struggled to get developers engaged with security.

Timestamps

01:10 – Why Pedram built SecDim, the problem with pen test reports, and why CTFs don’t train developers

04:42 – From “Capture the Flag” to “Fix the Flag”: making training realistic and Git-first

06:30 – Training inside developer workflows and why contrived examples fail

10:28 – Using modern stacks, AI-tailored labs, and real-world incidents to make concepts stick

12:35 – Why security names suck (XSS vs. “content injection”) and the Optus hack as a teaching moment

17:37 – Secure design patterns vs. vague slogans, and why secure defaults beat secure by design

21:15 – Frameworks like React, Rails, and Angular that kill entire bug classes

23:23 – Engineering by-products: reproducibility, immutability, and orthogonality in secure coding

30:36 – PHP’s bad reputation, language quirks, and what’s actually most popular in security training today

33:41 – Why AppSec pros need to build and deploy apps (not just know vulnerability classes)

37:44 – Getting started with SecDim and hands-on secure coding

Mentioned in this episode:

Call for Feedback

This podcast uses the following third-party services for analysis:

Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/

Episode Summary

The Australian Information Security Manual (ISM) just got a major update, and not everyone’s thrilled. In this special episode of Secured, Cole Cornford is joined by Toby Amodio (Head of Professional Services, Fujitsu Cyber) to break down what’s changed, what’s missing, and what it all means for CISOs, AppSec teams and public sector security leads.

From the new cybersecurity principles (and why they feel like yak shaving) to the long-overdue expansion of software security controls, Cole and Toby navigate the mess of frameworks, missing maturity models, and babushka-doll-style mappings that have left many teams overwhelmed. They also reflect on what “secure-by-default” really means in a world of legacy codebases, overstretched resources, and one-person AppSec teams.

Timestamps

01:02 – Why ISM Updates Matter (Even If They’re Late)

02:32 – New Principles: Nice Idea, Hard to Implement

04:08 – Yak Shaving and the Complexity Cascade

07:48 – Mapping Mayhem: PSPF, E8 and Governance Overload

10:25 – Losing the Maturity Model: Who Does That Help?

13:46 – Secure-by-Default and the Problem with OWASP-as-a-Proxy

18:13 – Integration, Incentives, and Cyber vs. Business Silos

20:34 – The Talent Gap and Why Code Reviews Still Matter

22:58 – Galah Cyber, Capability Building & Doing AppSec Right

23:57 – Why Buying Tools Isn’t the Same as Building Capability

25:21 – What Red, Amber, Green Tools Really Miss

26:01 – One ISM to Rule Them All… If You Can Implement It

26:52 – Final Thoughts (and a Funding Stick for CISOs)

Mentioned in this episode:

Call for Feedback

This podcast uses the following third-party services for analysis:

Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/

Episode Summary

With a career that spans mainframes, integration platforms, and developer experience, M Brennan brings a unique lens to the world of application security. In this episode, M joins Cole Cornford to unpack why integration is often the riskiest layer in software systems, how context is everything when choosing security controls, and what it really takes to build security into developer workflows without adding friction.

They dive into stories from government and enterprise environments, the overlap between security and resilience, and how thinking in terms of energy and empathy, not just tools, can lead to better outcomes for everyone. Plus, a surprisingly effective stereo-selling strategy, some well-earned AI scepticism, and a jam-jar analogy you’ll never forget.

Timestamps

03:45 From COBOL to Developer Experience in Security

06:37 Choosing the Right Security Control for the Right Risk

10:00 Reducing Developer Friction with Secure Defaults

14:10 How Threat Modelling Creates Real Value

17:57 Fixing Access and Provisioning for Devs and Security

20:09 Virtual Dev Environments and Automating the Boring Stuff

24:04 Smarter Security Adoption and the Jam Jar Effect

28:48 AI, Developer Toil and the Problem with Overpromising

31:03 Using AI to Kickstart Threat Modelling and Resilience

33:56 Why Some Tech Trends Aren’t Worth the Hype

36:09 The Risk of Letting Chatbots Handle Security Promises

37:16 Final Takeaways on Empathy, Context and Collaboration

Mentioned in this episode:

Call for Feedback

This podcast uses the following third-party services for analysis:

Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/

Episode Summary

Scott Contini has a PhD in cryptography with more than a dozen research publications, and has spent the last 15 years focused on solving real-world security problems. After switching from academia to industry in 2008, Scott has identified hundreds of cryptographic implementation flaws across the world, written widely read blogs on common coding mistakes, and contributed significantly to the 2021 OWASP Top 10 topic of Cryptographic Failures. He joins Cole Cornford to discuss how cryptography often goes wrong in practice, why secure-by-default APIs are reshaping security today, and the importance of clear communication and community-building in advancing the field. Scott also shares stories from working alongside legendary figures in cryptography, and offers advice for anyone looking to build a sustainable and impactful security career.

Timestamps

00:20 - Scott’s background in cryptography and transition to AppSec

02:00 - Moving from theory to real-world security challenges

05:00 - Common cryptography mistakes in the industry

07:50 - Why using the wrong encryption modes leads to vulnerabilities

10:10 - How Java’s cryptography design led to widespread issues

14:40 - The rise of secure-by-default APIs in cryptography

17:00 - Stories from working with cryptographic legends

22:00 - Improving advice in the OWASP community

27:50 - The value of writing and public speaking in AppSec careers

33:00 - Advice for newcomers in security: think like an attacker and keep learning

Mentioned in this episode:

Call for Feedback

This podcast uses the following third-party services for analysis:

Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/

Episode Summary

Jon-Anthoney de Boer is the Product Security Lead at Transmax, overseeing security for critical infrastructure that manages traffic flow across Australia. Coming from a strong software engineering background, Jon-Anthoney shares his experience transitioning from traditional engineering into product and application security. He highlights the importance of aligning software engineering and security teams, building trust into the software development lifecycle, and fostering a security culture based on practical strategy rather than superficial metrics. Jon-Anthoney also discusses how behavioural change, organisational alignment, and operational excellence are key to achieving effective, sustainable security outcomes.

Timestamps

00:32 - Jon-Anthoney’s journey from electrical engineering to product security

05:08 - Transitioning from software craftsmanship to cybersecurity

09:30 - Why aligned incentives between engineering and security teams matter

12:22 - Goodhart's Law: pitfalls of security metrics

18:21 - Rethinking cybersecurity strategies beyond tools and compliance

25:12 - Building observability into the secure software development lifecycle

32:35 - Why executive support is crucial for security initiatives

38:34 - Operational excellence: removing waste from security processes

Mentioned in this episode:

Call for Feedback

This podcast uses the following third-party services for analysis:

Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/

Episode Summary

In this episode of Secured, host Cole Cornford chats with Laura O'Neill from Fujitsu Cyber. Laura shares her journey from a pure maths and cryptography background through management consulting into the world of cybersecurity. She explains how she helped grow MF&A from a small team into a 70-person company before its acquisition by Fujitsu. Cole and Laura discuss the challenges of scaling a cyber practice, the importance of professionalising sales and board-level communications, and how embracing diverse, non-traditional talent can transform the industry. Their conversation offers valuable insights into shifting from a compliance-based mindset to a risk-based strategy that truly supports business objectives.

Timestamps

00:10 - Introduction to Laura O'Neill and her role at Fujitsu Cyber

02:27 - Laura recounts her journey from pure maths and cryptography to cybersecurity

05:31 - Discussing the rapid growth of MF&A from a small team to 70 staff

07:30 - Overcoming scaling challenges through improved processes and support

11:23 - Professionalising sales and board-level communications in cyber

15:30 - Moving from a compliance-driven approach to a risk-based strategy

26:16 - Embracing diversity and non-traditional hiring in cybersecurity

31:20 - The value of diverse backgrounds and soft skills in solving security challenges

40:43 - The importance of empathy and listening in leadership

42:16 - Closing thoughts on security as an enabling function for business success

Mentioned in this episode:

Call for Feedback

This podcast uses the following third-party services for analysis:

Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/

Episode Summary

Cole Cornford speaks with Kat McCrabb, founder of Flame Tree Cyber, about navigating cybersecurity compliance and risk, particularly within education, government, and mission-driven organisations. Kat shares insights from her experience in federal government and as CISO at Brisbane Catholic Education, highlighting the strengths and weaknesses of compliance frameworks like Australia's Essential Eight and MITRE ATT&CK. The conversation covers how to effectively communicate cyber risks to stakeholders, align security with organisational priorities, and why prevention beats incident response every time. Kat also discusses strategies for meaningful conversations around funding and shares her perspective on the evolving landscape of security in the age of SaaS and cloud technologies.

Timestamps

00:59 - Kat’s background and founding Flame Tree Cyber

03:10 - Defining mission-driven organisations

04:29 - Challenges of prescriptive compliance frameworks (ISM, Essential Eight, DISP)

05:41 - Compliance vs meaningful security improvement

06:51 - How threat modelling with MITRE ATT&CK helps allocate resources

07:35 - Balancing foundational cybersecurity and advanced threat intelligence

08:52 - Incident response and the value of understanding threat actors

11:46 - Allocating budget and demonstrating security value to executives

16:31 - How to effectively request security funding from the board

20:00 - Relevance of Essential Eight in modern SaaS environments

29:21 - Kat’s role with AISA and building the cybersecurity community in Queensland

Mentioned in this episode:

Call for Feedback

This podcast uses the following third-party services for analysis:

Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/

Episode Summary

Kiera Farrell, Cyber Analyst at David Jones, shares her journey from studying a Bachelor of Cybersecurity to landing a role in cybersecurity operations. She reflects on the challenges of breaking into the industry, the lessons learned from risk management, and the importance of networking in career growth. Kiera and Cole discuss the value of stepping outside your comfort zone, the evolving landscape of cybersecurity degrees, and what hiring managers can do to attract and retain young talent. If you're an aspiring cybersecurity professional or a leader looking to support early-career hires, this episode is packed with insights.

Timestamps

2:00 – Kiera’s journey: From Bachelor of Cybersecurity to David Jones

5:00 – What studying cybersecurity is really like

8:10 – The surprising importance of risk management

12:00 – Ethical hacking & the role of security education

16:30 – The grad job hunt: what works, what doesn’t

19:45 – The power of stepping out of your comfort zone

21:30 – Building a strong professional network

23:50 – What makes an employer attractive for graduates?

26:40 – How mentorship accelerates career growth

30:35 – Advice for students and early-career professionals

Mentioned in this episode:

Call for Feedback

This podcast uses the following third-party services for analysis:

Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/

Episode Summary

In this special solo episode, host Cole Cornford reflects on the journey of the Secured podcast over the past two years. He shares behind-the-scenes insights, from the unexpected challenges of cicada season disrupting recordings to the podcast’s growth, hitting 45 episodes and over 7,000 downloads. Cole discusses listener feedback, format changes, and his plans to expand the show, including moving to weekly episodes, introducing video content, and diversifying guest profiles. He also highlights listener engagement stats, the importance of audience reviews, and the future direction of Secured with a focus on delivering more valuable and dynamic cybersecurity content.

Timestamps

00:20 – The impact of cicada season on recording and production

01:10 – Hitting 45 episodes: reflections on the podcast’s growth

01:54 – Asking for listener feedback and reviews to support the show

02:51 – Plans to move to weekly episodes and potential sponsorships

03:51 – The possibility of introducing video content and its challenges

04:35 – Listener engagement stats: unique listeners, downloads, and demographics

08:05 – Most downloaded and highest engagement episodes revealed

10:55 – Diversity in guests and topics: striving for representation

13:48 – Changes in podcast format: cutting certain segments for better engagement

17:03 – The shift towards professional development-focused content

19:50 – Future goals: more international guests and sharper conversations

Mentioned in this episode:

Call for Feedback

This podcast uses the following third-party services for analysis:

Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/

Episode Summary

Madhuri Nandi is the Head of Security at Till Payments and a trailblazer in the Australian cybersecurity industry. As co-chair of the Australian Women’s Security Network, she brings decades of experience to the table, breaking barriers for women in tech and redefining what leadership looks like in cybersecurity. Madhuri shares how a love for gaming and cheat codes sparked her journey into application security and the cultural challenges she overcame to thrive in a male-dominated industry. They explore the realities of leading security functions in scaling FinTechs, why compliance doesn’t equate to security, and the critical role of aligning cybersecurity strategies with business objectives.

Timestamps

01:13 Cheat Codes Ignite a Cybersecurity Path

02:26 From Database Admin to Security Professional

05:09 Lessons from Gaming & Early Misperceptions

07:29 The Jump into Executive Leadership

10:53 Compliance vs. True Risk Management

18:45 Overcoming Cultural & Workplace Hurdles

31:55 Diversity, Women in Tech & Final Reflection

Mentioned in this episode:

Call for Feedback

This podcast uses the following third-party services for analysis:

Podtrac - https://analytics.podtrac.com/privacy-policy-gdrp
Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/