Journalists put a lot of effort into collecting information and protecting their sources, but everyone can benefit from having a digital environment that's more secure and more privacy protecting. Runa Sandvik shares her experience working with journalists and targeted groups to craft plans for how they use their devices and manage their information. And she also makes the point that the burden of security should not be just for users -- platforms and software providers should be evaluating secure defaults and secure designs that improve protections for everyone.

Resources

• https://techcrunch.com/2025/03/13/apples-lockdown-mode-is-good-for-security-but-its-notifications-are-baffling/
• https://www.glitchcat.xyz/p/lessons-learned-from-the-2021-arrest
• https://gijn.org/resource/introduction-investigative-journalism-digital-security/
• https://cpj.org/

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-371

Bringing intelligence to assets

You’ve been through 6 CMDB projects in the last decade. None of them came close to the original goals, the CMDB was already out-of-date long before the project had any hopes of completing. Is building an asset inventory just too ambitious a project for most organizations, or is there a better way?

Tim Morris shares a different approach with us today. It might require some convincing and some courage, but it seems much more likely to succeed than any of your past CMDB efforts…

Segment Resources

• Trusted automation: Building autonomous IT with confidence

This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them!

In this segment, we explore some early details about the White House's new, but yet unreleased cybersecurity strategy. It appears that drafts have been shared (or leaked) to the press, so there's plenty to discuss here!

Finally, in the enterprise security news,

1. Massive amounts of funding and acquisitions as we get close to RSA
2. Open source registries need help
3. Microsoft Copilot reads email marked as DO NOT READ
4. Don’t use an LLM to generate passwords
5. is prompt injection a vulnerability
6. defining risks
7. AI changes the build versus buy equation
8. the scammer’s perspective

All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw-447

The Code of Hammurabi, Rockyou, MimicRat, Google, Trustconnect, Introsort, AI, Josh Marpet, and More on this episode of the Security Weekly News.

Visit https://www.securityweekly.com/swn for all the latest episodes!

Show Notes: https://securityweekly.com/swn-557

AI says that this is the show where we turn coffee into threat intelligence and cigar smoke into packet captures. This week:

• a firmware backdoor living its best life inside Android tablets
• a fresh BeyondTrust RCE that already has scanners circling like seagulls over a french fry.
• Lenovo Vantage reminds us that “preinstalled convenience” is just another way to spell “attack surface.”
• Texas is taking a swing at TP-Link
• supercomputers with a 20-year-old Munge bug that still has teeth.
• Your AI coding assistant might be quietly squirreling away secrets
• macOS gets a visit from an infostealer delivered as helpful add-ons
• Chrome extensions allegedly spy on millions
• open source maintainers drowning in AI-generated nonsense
• Windows flirting with smartphone-style permission prompts.

Put your passwords in a vault, not in a repo, and stay tuned for Paul's Security Weekly!

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-914

The Security Weekly 25 index and the NASDAQ diverge. Funding and acquisitions continue shift to AI. Are security stocks out of favor? Netskope enters the index, but does not replace CyberArk, as Thoma Bravo buys Verint. We’ll dig into all of this and more!

The index is now made up of the following 25 stocks:

SAIL Sailpoint Inc PANW Palo Alto Networks Inc CHKP Check Point Software Technologies Ltd RBRK Rubrik Inc GEN Gen Digital Inc FTNT Fortinet Inc AKAM Akamai Technologies Inc FFIV F5 Inc ZS Zscaler Inc OSPN Onespan Inc LDOS Leidos Holdings Inc QLYS Qualys Inc NTSK Netskope Inc CYBR Cyberark Software Ltd TENB Tenable Holdings Inc OKTA Okta Inc S SentinelOne Inc NET Cloudflare Inc CRWD Crowdstrike Holdings Inc NTCT NetScout Systems Inc VRNS Varonis Systems Inc RPD Rapid7 Inc FSLY Fastly Inc RDWR Radware Ltd ATEN A10 Networks Inc

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Show Notes: https://securityweekly.com/bsw-435

Meatbags, AI Soul Harvest, DNS, LastPass, GS7, OpenClaw, MYSQL, Aaran Leyland, and More on the Security Weekly News.

Visit https://www.securityweekly.com/swn for all the latest episodes!

Show Notes: https://securityweekly.com/swn-556

A major premise of appsec is figuring out effective ways to answer the question, "What security flaws are in this code?" The nature of the question doesn't really change depending on who or what wrote the code. In other words, LLMs writing code really just means there's mode code to secure. So, what about using LLMs to find security flaws? Just how effective and efficient are they?

We talk with Adrian Sanabria and John Kinsella about the latest appsec articles that show a range of results from finding memory corruption bugs in open source software to spending an inordinate amount of manual effort validating persuasive, but ultimately incorrect, security findings from an LLM.

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-370

What if you had enterprise-grade network security protections traveling with your users' laptops? What if it could be built into the laptop, but still stay safe even if the laptop OS and firmware were entirely compromised?

Mathias and his company, Byos have built such a thing, and BOY do we have some questions for him.

Addressing the nuanced, nefarious threats of AI

Sure, we need to worry about AI prompt injection and AI data leakage, but what about the threats to our BRAINS? Seriously, as we start to have daily conversations with this technology, how are they going to shape how we think? What inherent biases in the training, fine tuning, guardrails, or lack of guardrails are going to affect our decisions or how we work?

Wolfgang is concerned about this, so he performed a human/AI experiment. With almost 1000 people partaking in the experiment, the results are sure to be intriguing.

Finally, in the enterprise security news,

1. survey results on how folks are feeling about openclaw
2. some hidden drama discovered in KEV updates
3. some new KEV tools
4. is AI replacing traditional code scanning tools?
5. remote code execution in notepad
6. no, not notepad++, NOTEPAD.EXE
7. you know, the one that ships preinstalled on Windows
8. the RSAC innovation sandbox finalists
9. dealing with legacy vulnerabilities
10. Don't accept OpenClaw Mac Minis from strangers!

All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!

Show Notes: https://securityweekly.com/esw-446

Cams, Gelbwurst, Chrome, SCCM, CVES, SSHStalker, RAM, TikTok, Josh Marpet, and More on this episode of the Security Weekly News.

Visit https://www.securityweekly.com/swn for all the latest episodes!

Show Notes: https://securityweekly.com/swn-555

In the security news:

• Viral AI prompts
• Things to do in your home security lab
• I can open your garage door
• They call me DKnife
• Beyondtrust RCE
• Cool AI device
• Robots need your body
• Meta is just full of scams, phishing, and malware
• Claude Opus 4.6 found more than 500 high-severity vulnerabilities
• Arista next gen firewalls and command injection
• Secure Boot updates
• The RCE AMD won't fix and why the article went away
• End of support means get it off the network
• Accidentally giving away $44 billion of Bitcoin

Visit https://www.securityweekly.com/psw for all the latest episodes!

Show Notes: https://securityweekly.com/psw-913