The Security Repo
Author: Mackenzie Jackson & Dwayne McDaniel
© Mackenzie Jackson & Dwayne McDaniel
Description
The security repo is a podcast that focuses on real world security issues we are all facing today. We will take deep dives into news events and have exclusive interviews with security leaders on the ground.
133 Episodes
In this episode of the Security Repo Podcast, Dwayne McDaniel talks with Talia Smiley, CTO of Silversight, about why her startup chose workload identity, OIDC, and IAP (Identity-Aware Proxy) instead of long-lived secrets and service account keys. Talia explains how secure-by-default design, just-in-time access, and thoughtful infrastructure choices can actually be faster and more sustainable than legacy approaches, especially for growing teams. They also touch on multi-cloud considerations, deepfake defense in the enterprise, hiring signals for technical candidates, and the security advice that still holds up versus the advice that should be retired.

https://silversight.ai/
https://services.google.com/fh/files/misc/cloud_threat_horizons_report_h12026.pdf

Talia Smiley is a (literal) Master of Computer Science, infrastructure in particular. Her deep experience in networking, architecture implementation, data pipelines and big data has ensured that all of Silversight's cloud deployments run peacefully while she leads the development of Silversight Shield.
In this episode of the Security Repo Podcast, we uncover the wild and hilarious true story behind a forgotten piece of cybersecurity media history: "The PCI Ultimatum" and the world-building inside of it that gave us "Dwayne's World of Security," a DIY Cisco-era cult film rediscovered via a thrift store handbag. Guests Mike Radigan and Dwayne Edwards share how they disrupted corporate norms to create a storytelling-first, off-the-books PCI compliance movie that somehow still resonates today. Along the way, we explore the value of humor, storytelling, and going rogue to make security memorable.

See the bag that started this entire conversation:
https://dwayne-mcdaniel.com/img/dwosbag1.png
https://dwayne-mcdaniel.com/img/dwosbag2.png

Watch The PCI Ultimatum:
https://www.1dave1cup.com/extra/pci/

Dwayne's World Of Security trailer:
https://www.youtube.com/watch?v=7_LGzNx09ig

Be sure to check out The ICS Security Radio Hour --- Half Hour (Dwayne Edwards' podcast):
https://www.youtube.com/channel/UCiTZVtx-XjO4nmQc98VwjrA

About our guests

Mike Radigan
https://www.linkedin.com/in/radiganatbos/
Mike is a proven executive with unique experience in defining and communicating the value cybersecurity delivers to the business. Passionate about the business of cybersecurity, the mission of cybersecurity and the advancement of the cyber risk management profession.
Cyber Risk Economics: Recognized expert in applying the Open FAIR body of knowledge
Cyber Risk Quantification (CRQ): Operationalizing CRQ within GRC, BoD reporting, Strategic risk
Proven Leader: Track record for devising accurate vision and strategies to achieve objectives

Dwayne Edwards
https://www.linkedin.com/in/dwedward/
During Dwayne's tenure in IT & OT he has worked in a variety of roles including security, data center and OT business and technology architecture. Dwayne's primary interest is in protecting ICS environments. He also enjoys providing professional development for engineers and account managers.
In this episode of the Security Repo Podcast, Dwayne catches up with returning guest Andy Dennis (Head of Field Engineering at XBOW) to unpack what it really means to run "AI-backed" penetration testing at scale, without turning red teaming into a gimmick. They dig into how XBOW approaches discovery, guardrails, and reporting beyond "scan results," and why operationalizing LLM-driven testing in real enterprises still demands SaaS-grade controls and infrastructure. The conversation closes on where this all goes next: continuous testing in the SDLC, deeper discovery of business-logic bugs, and a near future where findings increasingly translate into remediation-ready pull requests.

https://xbow.com/
https://www.linkedin.com/in/andy-d-b43a17b/

Head of Field Engineering at XBOW. Published author. Public speaker. Former undergraduate tutor and examiner. Cyber Security and AI Strategy. M&A technical due diligence. 22+ years in industry. International team management experience across 5 continents and 400+ individuals. Interest in Cybernetics. Andy has 22+ years of experience in the technology industry and has worked in the UK, Canada and US. He has had 5 books published on a variety of topics including IoT and the Raspberry Pi and has spoken at multiple events around the country. Previously Andy tutored undergraduates in Goldsmiths College, University of London's online degree program and is currently studying with HEC in Paris.
Why Compliance Isn't Governance & How GovOps Rebuilds Trust Boundaries – Mike Schwartz

In this episode of the Security Repo Podcast, Dwayne sits down with Mike Schwartz (CEO & founder of Gluu) to unpack GovOps as "next-gen governance" built to be declarative, provable, and continuous. They dig into why compliance ≠ governance, how formal reasoning can help prove policy outcomes, and why modern governance needs to shift from periodic audits to real-time visibility. The conversation closes with the collision of agentic AI + identity, the need for better software identity and token trust, and how this moment might finally unlock board-level investment in security.

Links from the show:
https://www.linkedin.com/in/nynymike/
GovOps Working Group on LinkedIn: https://www.linkedin.com/groups/17478011/
https://gluufederation.medium.com/govops-manifesto-33eb7cb01ed3
Identerati Office Hours: https://gluu.org/identerati-office-hours-episodes/
The Janssen Project: https://docs.jans.io/stable/
https://www.cncf.io/projects/oscal-compass/
https://gemara.openssf.org/

Mike Schwartz is the Founder/CEO of Gluu, and leads the Linux Foundation Janssen Project. He is the co-author of the book "Securing the Perimeter" (Apress 2018) about how to use open source IAM tools. In addition to his day job at Gluu, he currently hosts the "Identerati Office Hours" livestream twice a week, which features discussions on all topics in digital identity and security. Mike resides in Austin TX with family and pigeons.
In this episode of the Security Repo Podcast, we talk with Henry Odibi, a data engineer who pivoted from chemical engineering into data and AI. Henry shares how he hacked his way into tech, built his own automation tools, and now integrates AI responsibly—always with a "security first" mindset. He also emphasizes the importance of treating data as if it were your own and offers practical steps for anyone starting in AI or data engineering to stay secure.

https://www.linkedin.com/in/henryodibi/

Henry Odibi transforms messy, real-time process data into high-performance data systems used across global manufacturing operations. With 4+ years of experience spanning chemical engineering, utilities, telemetry integration, and cloud architecture, he's built solutions that improve OEE, energy intensity, yield, inventory accuracy, and cycle time across 30+ Ingredion sites worldwide.

He began his career on the plant floor, supervising wet mill operations and responding to breakdowns firsthand. Over time, Henry transitioned into a global data role where he now designs scalable data pipelines using Azure Data Factory, Databricks, PySpark, and Power BI — empowering teams with near-real-time visibility and decision intelligence.

Henry has led internal training programs, built metadata-driven automation frameworks, and collaborated with cross-functional teams to deliver insight that drives action. His passion lies in building the future of digital manufacturing — a connected, automated, and self-optimizing production environment.
In this episode of the Security Repo Podcast, Nathan Koester shares his path from reverse engineering for the Air Force to building practical security tools for real-world teams. He discusses Pwnbook.io, a platform for integrating and visualizing security tools and data, and Charlemagne Labs, a local-first browser extension using small language models to detect risky links. The conversation also explores the philosophy behind lightweight AI models, cognitive defense, and staying curious in a fast-evolving field.

https://pwnbook.io/
https://charlemagnelabs.ai/

Nathan Koester is an engineer with a diverse background, ranging from forward software development to reverse engineering embedded systems and performing vulnerability assessment. Nathan's preferred work focus is leveraging his forward and reverse engineering skills with a red team mindset to provide pen-testing and vulnerability assessment capabilities.
In this episode of the Security Repo Podcast, we dive into the world of incident response with Robert Saul, General Manager of AWS Security Incident Response Services. Robert shares insights from decades of experience, emphasizing that over 70% of security incidents stem from credential loss (leaked or stolen credentials) and that these challenges are rooted more in people and process than technology. From governance and playbooks to building a culture of incremental improvement, this conversation is packed with hard-won advice for security professionals at every level.

https://aws-samples.github.io/threat-technique-catalog-for-aws/
https://aws.amazon.com/iam/access-analyzer/
https://www.linkedin.com/in/robert-saul/

With nearly 30 years of experience in security and network engineering, Robert Saul currently serves as the General Manager of the AWS Security Incident Response service (https://aws.amazon.com/security-incident-response). In this role, Robert establishes the strategy and measures the operations of a global network of security incident responders dedicated to supporting the investigation of security events that occur on the customer side of the shared responsibility model. The service's focus is on the coordination, detection, analysis, mitigation, and recovery from cyber incidents, ensuring AWS customers receive top-tier support to accomplish their business objectives.

He is incredibly proud to be a part of this team of talented professionals. Their collective experience, dedication, and expertise allow them to provide invaluable guidance, often in high-pressure situations where time is critical. Robert is continually inspired by their commitment to excellence in incident response and their unwavering customer obsession.

Prior to AWS, Robert engineered and secured tactical communications platforms for the defense and intelligence sectors. This background provides him with a unique perspective on the evolving landscape of cyber threats and the importance of robust incident response strategies. Robert's blend of technical capabilities, leadership skills, and experience in both the public and private sectors enables him to effectively lead the AWS Security Incident Response service. Together with his exceptional team, he guides customers through the complex world of cybersecurity and incident response.

He is also deeply grateful for the opportunity to work alongside such a talented and dedicated group of professionals. Their expertise, passion, and commitment to our customers' security make it an honor for him to lead this service every day.
In this episode of the Security Repo Podcast, Ryan Bonner dives into his exploration of the legacy enterprise integration platform WebMethods, revealing alarming vulnerabilities that allow unauthenticated access and even system shutdowns. He discusses how collaboration with Iceland's top bug bounty hunter led him into this niche area of research, and shares practical advice for responsible disclosure and improving enterprise security hygiene. The conversation also touches on broader security culture, from overlooked credentials to the value of testing unconventional attack vectors.

https://github.com/Roll4Combat/IntegrationSurfer
https://www.linkedin.com/in/roll4combat/

Ryan 'Roll4Combat' Bonner is a penetration tester and educator who enjoys breaking things and sharing knowledge. By day, he's a Senior Cybersecurity Consultant, testing the defenses of web apps and corporate networks. By night, he dives into AI and bug bounty hunting. A firm believer that we all get better by sharing, Ryan is a community speaker at events like BSides and DEF CON. He is committed to paying forward the mentorship that launched his career by helping others get their start in the community.
In this episode of the Security Repo Podcast, we dive into the world of zero-day exploits, marketplace dynamics for vulnerability research, and the evolving role of cybersecurity in boardroom decision-making. Guest Evan Dornbush, founder of Desired Effect, shares his journey from government cyber-ops to founding multiple security startups, and explains why attackers don't care about compliance paperwork. We also explore the real-world consequences of hardware vulnerabilities, how a plug won't save your hotel lock, and why we might be fooling ourselves by trying to "out-tech" cybercriminals.

https://www.linkedin.com/in/evandornbush/
https://www.desiredeffect.io/

Evan Dornbush is the founder and CEO of Desired Effect, which helps vulnerability researchers get fairly compensated and helps defenders act before attacks begin. He hosts the researcher-focused Hackers On The Rocks podcast. Previously, Evan co-founded Point3 Security, a cybersecurity workforce development firm acquired in 2021, and served as CEO. He co-founded P3F, a cybersecurity research firm acquired in 2021. He led Customer Experience at Vulnerability Research Labs, a security research firm acquired in 2010. He worked as a Computer Network Operator for the National Security Agency. Evan holds an M.S. in computer science from The George Washington University and has four ridiculously good-looking children.
In this episode of the Security Repo Podcast, Eric Woodruff dives deep into the complexities of identity and access management (IAM), from the evolution of Active Directory to the future of non-human identities. He explains the real-world challenges of hybrid environments, governance, and over-engineered identity solutions. Eric also highlights practical ways for newcomers to start learning IAM and emphasizes the importance of soft skills in security roles.

https://www.linkedin.com/in/ericonidentity/
https://idpro.org/body-of-knowledge/
https://ericonidentity.com/

Throughout his 25-year career in the IT field, Eric Woodruff has sought out and held a diverse range of roles. Currently the Chief Identity Architect for Semperis, Eric was previously a member of its Security Research and Product teams. Prior to Semperis, Eric worked as a Security and Identity Architect at Microsoft partners, spent time working at Microsoft as a Sr. Premier Field Engineer, and spent almost 15 years in the public sector, with 10 of them as a technical manager.

Eric is a Microsoft MVP for security, recognized for his expertise in the Microsoft identity ecosystem. Eric is a strong proponent of knowledge sharing and spends a good deal of time sharing his insights and expertise at conferences as well as through blogging. Eric further supports the professional security and identity community as an IDPro member, working as part of the IDPro Body of Knowledge committee.
Hi everyone, it's Dwayne, host of the Security Repo Podcast. The show is taking a 2-week break over the holidays to give you a chance to catch up on our backlog of security conversations. Our next new episode premieres January 7th, 2026. It's one to look forward to.

I wanted to say a huge thank you to each and every one of our listeners and subscribers. Thanks to you, in 2025 we gained 1300 new subscribers and crossed the 3500 mark on YouTube. Thank you. I honestly hope you all are learning as much as I am from the amazing guests. I am honored to get to talk to some of the smartest people I have ever met and get to ask them about stuff I care about.

I wish you the very best in 2026 and beyond, and may you and your loved ones have the best holiday season ever.

Thanks,
Dwayne
In this episode of the Security Repo Podcast, Douglas Brush, digital forensics expert and self-proclaimed "CISO Whisperer," shares his journey from early IT consulting to guiding CISOs and boards through complex security decisions. He breaks down his "Dad Bod Security" framework, connecting personal health metrics to meaningful cybersecurity goals, and highlights the need to move beyond vanity KPIs to focus on sustainable security programs. With candid insights on executive communication, legal challenges, and cultural resistance, Douglas offers a blueprint for building trust and progress in modern security leadership.

https://www.linkedin.com/in/douglasabrush/
https://brushcyber.com/

Douglas Brush, the founder of Brush Cyber, excels in data privacy, cybersecurity, litigation, and information governance. His unique combination of technical skills and business insight has earned him the respect and admiration of clients and colleagues.

What truly sets Douglas apart is his unwavering dedication to his clients. He understands that protecting data in today's digital age is both a technical challenge and a business imperative. Whether testifying as an expert witness or providing virtual CISO services, Douglas always brings his A-game with an engaging yet intelligent approach. He translates bits and bytes to dollars and cents like no other professional in his field. In fact, he's so good at what he does that he is a federally court-appointed Court Appointed Neutral (formally known as a "Special Master") and neutral expert in high-profile litigation matters.

Douglas Brush is a beacon of light in a world where data breaches and cyberattacks are becoming increasingly common. He is always ahead of what is coming next, and you'd think he's got a crystal ball. He's a leader who inspires confidence and empowers organizations to embrace the digital age without fear. With Douglas at the helm, organizations can rest assured that their data is safe, allowing them to focus on their core business objectives and drive growth in the digital economy.

Douglas is a heavyweight in his field; his more than three decades of experience in information governance, data privacy, cybersecurity, and dispute consulting is second to none. His unique approach, blending technical expertise with a light-hearted touch, sets him apart, making the complex world of cybersecurity and privacy more accessible and engaging. His ability to break down complex technical concepts into easy-to-understand language has made him a sought-after speaker at industry events and conferences.
Scaling Open Source Observability and Managing Risk in the Software Supply Chain – Avi Press

In this episode of the Security Repo Podcast, Avi Press, founder and CEO of Scarf, dives deep into the evolving world of open source observability and its intersection with security. He unpacks how better visibility into software usage can inform both defensive strategies and smarter commercialization, while raising concerns over the concentrated risk in critical open source dependencies. Avi also shares his thoughts on dependency management, security tooling, and the importance of nuanced data collection in a privacy-conscious world.

https://about.scarf.sh/

Avi Press is the Founder and CEO of Scarf, a company focused on open source usage analytics that processes over 2 billion open source package downloads every day. Open source maintainer and advocate. Functional programming enthusiast. Avi serves on the Haskell Foundation board, as well as the Haskell.org committee. Avi is a former engineer at Pandora and is based in Oakland, California.
In this episode of the Security Repo Podcast, Jeffrey Bell, Principal Security Engineer and founder of CatchingPhish.com, discusses the confusion surrounding the naming conventions of threat actor groups across different security vendors. He explains how companies like CrowdStrike, Palo Alto, and Mandiant label the same adversaries with different names due to marketing and commercialization pressures, creating challenges for threat intelligence. Jeffrey also introduces MITRE ATT&CK Groups as a reliable, centralized resource that cross-references these vendor aliases, so defenses can be built on the shared TTPs rather than on whichever name a given report uses.

https://catchingphish.com
https://attack.mitre.org/groups/
https://github.com/mcdwayne/mitre-gang-lookup

Jeffrey Bell is a Principal Information Security Engineer and Threat Intelligence Lead at a pharmaceutical intelligence company. He graduated from UNC-Charlotte with a B.S. in Computer Science, specializing in Cybersecurity. Jeffrey has over 6 years of experience in Threat Intelligence, Incident Response, and Security Engineering. When not working, he writes for his blog, catchingphish.com, and loves to ski! He currently lives near the beach in North Carolina.
In this episode of the Security Repo Podcast, David Cross, CISO at Atlassian and former Microsoft, Google, and Oracle security leader, shares his journey from Navy electronic warfare to global cybersecurity leadership. He offers hard-won insights on breaking into the industry, the evolving demands of the CISO role, and the practical impacts of AI on security operations. David also delivers candid advice for aspiring professionals and emphasizes the value of veterans in the cybersecurity workforce.

https://www.linkedin.com/in/david-b-cross-b856657/

David started his work in security with his five years' active-duty service in the aviation electronic warfare community of the United States Navy. David was awarded numerous honors including a Navy Achievement Medal, Southwest Asia Service Medal, Armed Forces Service Medal and NATO medal for his combat-based tours. David is now the CISO for Atlassian after 6.5 years as the CISO for the Oracle SaaS Cloud Security organization. Previously, David was a Director and built the Google Cloud Security Engineering organization for 3 years, with his preceding 18 years spent at Microsoft in numerous security platform, cloud, product and engineering leadership roles. David is also a Venture Partner with Rain Capital VC. David holds a B.S. in CIS as well as an MBA with a MIS concentration, along with 30+ issued patents, all in security-technology-related areas.
In this episode of the Security Repo Podcast, Dwayne McDaniel sits down with Amy Devine, a systems architect who transitioned from embedded wireless systems to cybersecurity. Amy shares the eye-opening story behind her Blue Team Con talk on how misdirected emails exposed sensitive personal data and what that means for digital identity. The conversation dives deep into privacy, data brokers, and what we sacrifice when companies prioritize convenience over security.

https://github.com/bitsdanceforme/email_scrubbing
https://bitsdanceforme.blog/
https://www.linkedin.com/in/bitsdanceforme/

Amy Devine worked in embedded systems development of wireless protocols before switching over to cybersecurity. She currently works as a Systems Architect for AV while also contributing to her cybersecurity community. Her talks to the local community include securing your email and how to avoid online scams. When she's not sitting at a keyboard, you can find her working out in her other happy place, her home gym. Or running errands. Or trying to keep up with her kid. Or sleeping. You can find her online at her somewhat out of date website https://bitsdanceforme.blog/. She has a bachelor's in Computer Engineering from the University of Illinois and a master's in cybersecurity from DePaul University.
In this episode of the Security Repo Podcast, we sit down with Darren Desmond, a seasoned CISO with a background in UK military intelligence, to unpack his unconventional journey from fish and chips to threat intelligence. He shares how his military forensics experience shaped his InfoSec leadership and dives deep into the evolving role of the CISO in a world increasingly driven by AI. Darren also gives candid insights into AI governance, red flags in hiring, and why the basics of cybersecurity still matter most.

https://www.linkedin.com/in/desmondo/

Darren Desmond is an information security leader and Certified Information Systems Security Professional with diverse experience in security risk management within the UK Defence sector, the global online gambling industry, a major UK telecommunications & media company, a 'Big Four' managed services company and latterly as the CISO at one of the UK's most recognizable brands.
In this episode of the Security Repo Podcast, we sit down with Martín Villalba, founder of InfoSecMap, to explore how his platform is transforming the way InfoSec professionals discover global events, communities, and CFPs. We dive into the origin story of InfoSecMap, its recent growth surge, and its strategic partnerships with organizations like OWASP. Martín also shares practical advice on building strong security cultures and the importance of addressing root causes over chasing vulnerabilities.

https://infosecmap.com/
LinkedIn: https://www.linkedin.com/in/wmvillalba/
Twitter: https://twitter.com/act1vand0

W. Martín Villalba
Founder & Principal, C13 Security
Founder & Principal, InfoSecMap

Martín is an application and product security consultant with over 15 years of industry experience. He founded C13 Security, where he specializes in Secure SDLC, pentesting, and vulnerability management. He is an active member of the InfoSec community, collaborating with local groups and global organizations such as BSides and OWASP. He also built InfoSecMap, an open-access platform for discovering InfoSec events and communities from all around the world.
Supply Chain Warfare: CI/CD Threats and Open Source Security with François Proulx

In this episode of the Security Repo Podcast, François Proulx, VP of Security Research at Boost Security, discusses the evolving threats in software supply chain security, particularly focusing on attacks targeting CI/CD pipelines. He explains how open source tools like "Poutine" are being used both defensively and offensively in the ongoing battle to secure build systems. François also shares his journey into security, lessons from working at Intel, and practical advice on dependency pinning, short-lived credentials, and password best practices.

https://www.linkedin.com/in/francoisp/
https://boostsecurity.io/blog/unveiling-poutine-an-open-source-build-pipelines-security-scanner
https://nsec.io/

François is VP of Security Research at BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience building AppSec programs for large corporations (such as Intel) and small startups, he has been in the heat of the action as the DevSecOps movement took shape. François is one of the founders of NorthSec and was a challenge designer for the NorthSec CTF.
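Two episodes above touch the same pair of pipeline controls: Talia Smiley's case for workload identity and OIDC over long-lived service account keys, and François Proulx's advice on dependency pinning and short-lived credentials. The workflow below is an added example written for this page, not code from either guest, from Silversight, or from the Poutine project. It shows a GitHub Actions job with the weak pattern beside the hardened one. The workload identity pool/provider path, the service account address and the project name are placeholders; the `actions/checkout` commit hash is the one that v4.1.1 was tagged at, and any pin should be checked against the upstream release before use.

```yaml
# Added example (not from the podcast or any guest's project).
# Two jobs that do the same thing; only the second is what a scanner such
# as Poutine would be happy with.
name: build
on: [push]

permissions: {}          # nothing by default; each job asks for what it needs

jobs:
  # Weak pattern: mutable tag references and a long-lived cloud key stored
  # as a repository secret. Whoever controls the tag controls the job, and
  # the JSON key is valid until someone remembers to rotate it.
  build-weak:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                  # tag can be moved to new code
      - uses: google-github-actions/auth@v2         # same problem
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}   # static key, long-lived
      - run: gcloud storage cp build/* gs://example-artifacts/   # placeholder bucket

  # Hardened pattern: every action pinned to a full commit SHA, and the job
  # trades its GitHub-issued OIDC token for a short-lived cloud credential
  # through workload identity federation. No key material lives in the repo.
  build-hardened:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # lets this job request a GitHub OIDC token
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      - uses: google-github-actions/auth@v2          # pin to a full SHA as above
        with:
          # placeholder identifiers; the provider is configured on the cloud
          # side to trust only this repository (and, ideally, only this branch)
          workload_identity_provider: projects/123456789/locations/global/workloadIdentityPools/github/providers/my-repo
          service_account: ci-builder@example-project.iam.gserviceaccount.com
      - run: gcloud storage cp build/* gs://example-artifacts/   # placeholder bucket
```

The security-relevant difference is not the auth action but what it consumes: in the first job a stolen `GCP_SA_KEY` works from anywhere until rotated, while in the second the cloud side only accepts tokens whose `iss`, `aud` and `sub` claims match the configured repository, so a leaked token is scoped to one job run and expires on its own. Pinning to a SHA rather than a tag closes the other door the text describes, a maintainer (or an attacker holding the maintainer's account) moving the tag to different code.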
In this episode of the Security Repo Podcast, we welcome Srajan Gupta, a security engineer exploring the evolving security implications of Model Context Protocol (MCP) servers. Srajan breaks down how MCP servers act as connectors between AI agents and external systems and the alarming rise in attack surface that comes with them, including tool squatting and indirect prompt injection. The conversation dives into emerging threats, authorization challenges, and how securing MCP servers mirrors early API and cloud security lessons.

Srajan Gupta is a security engineer and builder focused on uncovering how systems fail — not just through vulnerabilities, but through the architecture itself. With a background in application security, platform engineering, and threat modeling, Srajan works at the intersection of usability and risk, helping teams identify and address design-level security flaws before they become incidents. Srajan is passionate about building practical security tools, automating guardrails, and making threat modeling an everyday engineering skill.

Blog: https://srajangupta.substack.com/
BSides LV talk: https://www.youtube.com/watch?v=Wld0VVRMN4c&t=21977s
https://www.linkedin.com/in/srajan-gupta/

Their research often explores trust boundaries, secure defaults, and the hidden assumptions baked into applications and infrastructure. They are especially interested in how attackers exploit the gray areas between platforms, automation, and access controls — and how defenders can close those gaps without slowing down delivery.