In the security news:

• When in doubt, blame DNS, you're almost always correct
• How to Make Windows 11 great, or at least suck less
• CSRF is the least of your problems
• Shady exploits
• Linux security table stakes (not steaks)
• The pill camera
• Give AI access to your UART
• Security products that actually try to be secure?
• Firmware vulnerabilities, lots of them
• Teams is spying on you
• More details on PolarEdge
• VSCode, marketplaces, and developers at risk
• Cisco SNMP flaw used to deploy malware
• The 90's called, they want their exploits back

This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!

Show Notes: https://securityweekly.com/psw-897

As the Verizon Data Breach Investigations Report has stated year after year, most breaches start with human error. We've invested a lot in Security Awareness and Training and Phishing solutions, but yet human error is still the top risk. How do we actually reduce human risk?

Rinki Sethi, CSO at Upwind Security, and Nicole Jiang, CEO of Fable Security, share why human risk management is the next frontier for security—and how platforms like Fable Security deliver personalized nudges that help employees build safer habits and stay ahead of threats. Solving human risk starts by changing human behavior. Learn how advancements in Artificial Intelligence (AI) and the application of adtech principles (targeted, personalized, A/B-tested messages delivered when they’re most relevant) are delivering faster, more effective behavior change that lasts.

Segment Resources: Five must-haves of modern human risk management: https://fablesecurity.com/ebook-five-must-haves/ Starter RFP for modern human risk management: https://fablesecurity.com/starter-rfp-for-modern-hrm/

This segment is sponsored by Fable Security. Visit https://securityweekly.com/fable to learn more about them!

In the leadership and communications segment, Inside the CISO Mind: How Security Leaders Choose Solutions, 2026 Leadership Strategy: Mastering Agility and Anticipation for Better Decisions, The Most Human, Strategic, Sought-After Tool in Leadership, and more!

Show Notes: https://securityweekly.com/bsw-418

The Afterlife, AWS, ClickFix, Agentic AI Galore, Robot Lumberjacks, Robocalls, Aaran Leyland, and more on the Security Weekly News.

Show Notes: https://securityweekly.com/swn-522

This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!

Ransomware attacks typically don't care about memory safety and dependency scanning, they often target old, unpatched vulns and too often they succeed. Rob Allen shares some of the biggest cases he's seen, what they have in common, and what appsec teams could do better to help them. Too much software still requires custom configuration to make it more secure. And too few software makers are embracing secure by default, let alone secure by design.

In the news, passively monitoring geosynchronous satellite communications on the cheap, successful LLM poisoning of any size model with a single size dose, security engineering lessons from Signal's post-quantum crypto work, improving security for JavaScript in the browser, and more!

This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more!

Show Notes: https://securityweekly.com/asw-353

David Brauchler says AI red teaming has proven that eliminating prompt injection is a lost cause. And many developers inadvertently introduce serious threat vectors into their applications – risks they must later eliminate before they become ingrained across application stacks.

NCC Group’s AI security team has surveyed dozens of AI applications, exploited their most common risks, and discovered a set of practical architectural patterns and input validation strategies that completely mitigate natural language injection attacks. David's talk aimed at helping security pros and developers understand how to design/test complex agentic systems and how to model trust flows in agentic environments. He also provided information about what architectural decisions can mitigate prompt injection and other model manipulation risks, even when AI systems are exposed to untrusted sources of data.

More about David's Black Hat talk:

• Video of the talk and accompanying slides: https://www.nccgroup.com/research-blog/when-guardrails-arent-enough-reinventing-agentic-ai-security-with-architectural-controls/
• Talk abstract: https://www.blackhat.com/us-25/briefings/schedule/#when-guardrails-arent-enough-reinventing-agentic-ai-security-with-architectural-controls-46112
• Slide presentation only: https://i.blackhat.com/BH-USA-25/Presentations/USA-25-Brauchler-When-Guardrails-Arent-Enough.pdf

Additional blogs by David about AI security:

• Analyzing Secure AI Architectures: https://www.nccgroup.com/research-blog/analyzing-secure-ai-architectures/
• Analyzing Secure AI Design Principles: https://www.nccgroup.com/research-blog/analyzing-secure-ai-design-principles/
• Analyzing AI Application Threat Models: https://www.nccgroup.com/research-blog/analyzing-ai-application-threat-models/
• Building Security‑First AI Applications: A Best Practices Guide for CISOs: https://www.nccgroup.com/building-security-first-ai-applications-a-best-practices-guide-for-cisos/
• Building Trust by Design for Secure AI Applications: Tips for CISOs: https://www.nccgroup.com/building-trust-by-design-for-secure-ai-applications-tips-for-cisos/
• AI and Cyber Security: New Vulnerabilities CISOs Must Address: https://www.nccgroup.com/ai-and-cyber-security-new-vulnerabilities-cisos-must-address/

An op-ed on CSO Online made us think - should we consider the CIA triad 'dead' and replace it? We discuss the value and longevity of security frameworks, as well as the author's proposed replacement.

Finally, in the enterprise security news,

1. Slow week for funding, older companies raising via debt financing
2. A useful AI framework from the Cloud Security Alliance
3. two interesting essays, one of which is wrong
4. Folks are out here blasting unencrypted data to and from Satellites, while anyone can sniff and capture it
5. getting hacked during a job interview
6. LLM poisoning is far easier than previously thought
7. F5 got breached
8. Be careful when patching your Jeep (’s software)

All that and more, on this episode of Enterprise Security Weekly.

Show Notes: https://securityweekly.com/esw-429

Erotic Chats, UEFI, F5, Cisco, Doug Sings, Insiders, Lastpass, Sora, Aaran Leyland, and More on this edition of the Security Weekly News.

Show Notes: https://securityweekly.com/swn-521

First up is a technical segment on UEFI shells: determining if they contain dangerous functionality that allows attackers to bypass Secure Boot.

Then in the security news:

• Your vulnerability scanner is your weakest link
• Scams that almost got me
• The state of EDR is not good
• You don't need to do that on a phone or Raspberry PI
• Hash cracking and exploits
• Revisiting LG WebOS
• Hardening Docker images
• Hacking Moxa NPort
• Shoddy academic research
• The original sin of computing
• Bodycam hacking
• A new OS for ESP32
• The AI bubble is going to burt
• Mobile VPNs are not always secure

Show Notes: https://securityweekly.com/psw-896

Still managing compliance in a spreadsheet? Don't have enough time or resources to verify your control or risk posture? And you wonder why you can't get the budget to move your compliance and risk programs forward. Maybe it's time for a different approach.

Trevor Horwitz, Founder and CISO at TrustNet joins Business Security Weekly to discuss how the evolution of Agentic AI can automate compliance and risk programs. Move beyond spreadsheets and let the power of AI streamline your compliance and risk program.

In the leadership and communications segment,Is the CISO chair becoming a revolving door?, When Integrity Collides with Bureaucracy: The Price of Leadership in Cybersecurity — and Why Walking Away Can Be the Bravest Act!, Improve Communication With Others By Talking Less — Not More, and more!

Show Notes: https://securityweekly.com/bsw-417

Bikers, Apple, Storm-657, Astaroth, EES, Salesforce, Aaran Leyland, and more on the Security Weekly News.

Show Notes: https://securityweekly.com/swn-520

Interest and participation in the OWASP GenAI Security Project has exploded over the last two years. Steve Wilson explains why it was important for the project to grow beyond just a Top Ten list and address more audiences than just developers. He also talks about how the growth of AI Agents influences the areas that appsec teams need to focus on. Whether apps are created by genAI or directly use genAI, the future of securing software is going to be busy.

Resources

• https://genai.owasp.org
• https://genai.owasp.org/llm-top-10/
• LLM security book on Amazon at https://a.co/d/6LZoXxQ

This segment is sponsored by The OWASP GenAI Security Project. Visit https://securityweekly.com/owasp to learn more!

Show Notes: https://securityweekly.com/asw-352