Episode 24: 2 Years, 24 Episodes & The State of Security in the Age of AI
Today on the episode, we celebrate our two year mark, the Verzel breach, HackerOne pausing their own bug bounty program, and a bunch of other software related topics. This is Distilled Security Podcast. Somewhere right now, someone is digging through folders trying to find the right version of an evidence file for the third time this week. Controls scattered across a dozen system, owners who left the company months ago, due dates that already passed, nobody noticed. It's how it's always been done, and somehow, we just accept it.
Justin Leapline:There is a modern, better way. Episode. Visit us at episode.com/tsp for a special offer.
Speaker 2:If you're leading a company today, you're not short on ideas. You're buried under them. More tools, more frameworks, more initiatives that were supposed to help and somehow made everything harder. Minus Partners exists for leaders who don't need another thing added. Minus Partners helps leadership teams remove friction that's been normalized over time so execution gets easier, not harder.
Speaker 2:Less noise, clear decisions, faster execution. Minus Partners, what you remove defines you.
Justin Leapline:Alright. Welcome back to Distilled Security Podcast. So first off, guys, can you believe two years we've been doing this? It is crazy.
Joe Wynn:No. It doesn't feel like that many.
Justin Leapline:I know, like, when we first started off, a lot of people are like, oh, you're not gonna get a lot of traction. It's only once a month. People like to see, you know, more common format and everything. But, know, when we first started, it was like, we can't really devote more than Right.
Joe Wynn:We're lucky we get the month in.
Justin Leapline:Right. Exactly. It's funny like some of the behind the scenes when we started scheduling the next podcast when we're recording, was like, I can't do this week, this week, this week. These days are the only days like
Rick Yocum:I got two days this month.
Justin Leapline:Right. Right. Right.
Joe Wynn:Yeah. And then try to look at the you know, where that all intersects for all of us.
Justin Leapline:Right. Yeah. Exactly. So yeah. And, you know, blessed be we've now recorded.
Justin Leapline:This is our twenty fourth episode, two years we've been doing this, and there's been a lot of changes along the way. Oh, yeah. What what are some of the things that kinda stand out in your guys' head for good, bad, the ugly, you know, from doing the podcast?
Rick Yocum:I mean, the studio upgrade is the studio. Yeah.
Joe Wynn:Sometimes I'm nostalgic though and I miss going into your office I can figure it out.
Justin Leapline:And sitting down real closely, like, when I had to do the the the guest, I had to snuggle up with the guest, you know, on the same couch. Yeah.
Rick Yocum:We'll do a throwback episode at some point.
Joe Wynn:Right. Last
Justin Leapline:Maybe maybe actually I'll get Buzzy to throw up some pictures, you know, or something like before or after.
Joe Wynn:Yeah. Yeah. Well, last last month was our first time with a guest in this setup, wasn't it?
Justin Leapline:Yes. It was. Yeah. Yeah. And I remember, like, when we were first planning this out and everything, we did one camera.
Justin Leapline:Mhmm. You know? Mhmm. And we all had the lavalier mics, you know, right next to us and everything just sitting down. It was nice and simple, you know, had a couple of lights.
Justin Leapline:I got a big bar, a light, but, you know, the background was a curtain. Yep. A lot of people didn't know that that actual wood behind it.
Rick Yocum:It was a really good curtain.
Joe Wynn:Yeah. I like
Justin Leapline:that. So, yeah, that was just a curtain over my windows, you know, into that. And I even had my daughters, like, help set up that bookshelf on the side and everything. And, yeah, now, you know what was that? When do we go live under this?
Justin Leapline:Was it October? Or Yeah. Something around there. Something around there. Yeah.
Justin Leapline:But, yeah, we plan to, you know, do, you know, multiple angles, which the the podcast looks phenomenal when you go up and view it on YouTube and everything when we're cutting in between and all the stuff we've put into, like, getting other stuff. Now, we're doing sponsors. Now, you know, we're just it seems professional.
Joe Wynn:Yeah. Not sure. Have those professional headphones mess up your hair, but Yeah.
Justin Leapline:Right. Exactly. But, yeah, it's been a long track, you know, and Yeah. And, you know, one of the things that I still say we kinda miss, we for those behind the scenes here, we don't have anybody running the cameras. We start it and then pray that everything gets recorded fine.
Justin Leapline:And that's not always been the case, you know.
Rick Yocum:Oh, and behind the scenes, there's a gentleman named Buzzy that makes He magic
Justin Leapline:he has saved our butts multiple times onto this. Yeah. Yeah, there is a but sometimes even that, like, with his magic, he can't correct some of the stuff. We had I forget which episode it was, but it was just a little blurry, the entire episode.
Rick Yocum:That's to make it feel like you were drinking with us.
Justin Leapline:Yeah. Right. That's funny. And we've had, like, audio issues. Luckily, we've had, like, certain fallbacks, you know, into that.
Justin Leapline:But I I think I'm one where when you're on a lavalier mic, there was a crackling sound throughout the whole thing, and Buzzy was able to clean up a little bit. We would have neighbors mowing outside at, like, seven, 08:00 at night. You know? And he had to clean that up in the background. Yeah.
Justin Leapline:It's just kinda all over the place with that, but I think we have, I don't know, enough redundancy, you know, with some of this stuff here. So we're recording on, like, two separate things for each camera. So, you know, we'll have at least one of them, you know. No data corruption and everything.
Joe Wynn:So what do you have? Three cameras? We have four cameras. Four cameras. And do they all have two separate Yes.
Joe Wynn:Memory cards?
Justin Leapline:Yes. And they record simultaneously to each card.
Rick Yocum:And then separate audio channels for each mic. Right?
Justin Leapline:Yep. Yep. They all go into a soundboard and everything, and then Buzzy glues them all together, you know, at the end. But, yeah, it's it's pretty good, you know. And we have a teleprompter that was an upgrade, you know, a few months ago into that.
Justin Leapline:We didn't have that to start with.
Rick Yocum:Yeah. Some giant lights. Some giant
Justin Leapline:lights and everything. So, yeah, they it works good. That's great. Yeah. What about guests?
Justin Leapline:Any favorite guests? Not to put, you know, say
Joe Wynn:Well, no. I I'd say if I talk about my favorite episode, every episode we had a guest probably felt a little bit better of an episode than the ones that we didn't. I always liked having guests.
Rick Yocum:Yeah. I I had something similar in my notes. Like, those are some of my just getting the I love talking to you guys, obviously, that's why we do
Justin Leapline:this. Yeah.
Rick Yocum:But getting the the external perspective slightly Yeah. Different things is always a really fun thing to do.
Justin Leapline:I tell you, so all the guests were great, you know, onto this. But one I was kinda geeking out a little bit was Eddie. When he came on, he started working at the distillery. Right. You know, was one I was like, well, what do you do for this?
Justin Leapline:And what do do? Like
Joe Wynn:No. That was security.
Justin Leapline:Yeah. You know, I don't care about that. Like, tell me tell me the distilling piece of that.
Joe Wynn:Well, know, my my takeaway from that is and he was in cybersecurity. He was out working for companies, bringing solutions to to his customers, and then he aspired to do the thing we all wanna do. Yeah. Not security and go and make booze.
Justin Leapline:Yeah. Yeah. I kinda nerd it out a little bit. I was like, well, what about this and how do you do this, you know?
Joe Wynn:Yeah. That was quite I learned a lot of that episode.
Justin Leapline:Yeah. Right.
Rick Yocum:Yeah. Yeah. It was really good.
Justin Leapline:I mean, yeah, when it's not your day job, I I feel like you have more breath to, like, nerd out about it because there's so much more gaps that Oh, yeah. You know, you have into there. But, yeah, like, a lot of the I mean, we've got really smart people on, and it was just been phenomenal to the amount of guests. And, hopefully, you know, finishing off 2026 and going into the future here, we're planning on getting some big names, you know, that are kind of floating. Unfortunately, we haven't been able to lock down dates yet.
Justin Leapline:We do now, and I think I mentioned this before, but we have the capability of bringing in remote guests that Oh, right.
Rick Yocum:That'll be not
Justin Leapline:the trigger on. But, you know, just because we're, you know, here doesn't mean we can't pull in, you know, remote guests that actually talk to us during this. So, yeah, we're hoping to do a a lot more into this into it and yeah.
Joe Wynn:Yeah. So some quick metrics. Yeah. I think across, I counted these up. Well, I didn't count them, but somebody counted them with I think I'll just use a spreadsheet.
Joe Wynn:Didn't even use AI. And it was 90 topics covered throughout those 24 episodes, six guests total. Mhmm. And so far, we've done 23 episodes, but you know how many different spirits we've had?
Justin Leapline:How many? 24.
Joe Wynn:Yeah. Because one time we had two.
Justin Leapline:Gotcha. We're thirsty that
Joe Wynn:I guess so. But for for you all well, why we're why don't we hit on metrics? And then I'd love to hear from each of you what your if you had a favorite topic or two or theme and if you remember like what your favorite spirit was. But first, you know, Justin, you grabbed some metrics from the views and things like that. Do wanna share any
Justin Leapline:do have any Yeah. Let me pull them up here and everything. So some of the topics so in total, it's kinda hard because, you know, we have our audio only version and then video into YouTube Mhmm. Into that. Roughly speaking today, we're getting about, I would say, 200 people viewing both audio and video per episode.
Justin Leapline:That's only the full videos. We've at the end of last year, we did a lot of shorts. Right. We've actually had over was it 80,000 views on various clips and everything just on YouTube on whatever the topics are. And, like, some of the stuff actually, when you did the Edward Norton
Rick Yocum:Oh, yeah. That was fun.
Justin Leapline:Thousands of people saw that clip. Thousands of people saw that clip, you know Yeah. About you talking about that. So, yeah, sometimes they they really resonate and, you know, with the today's day and age, understand long form, you know, content, it's hard to digest, you know, an hour and a half too. You have
Rick Yocum:time to consume it.
Justin Leapline:Yeah. That. But the shorts get, you know, a different audience, and Mhmm. You know, we've been doubling down on that, and it's been phenomenal into there. Our number one episode, I think, is when we talk about AI risk, threat modeling, and the future of, what is it, TRC, is it?
Justin Leapline:The title's cut off.
Rick Yocum:I think that's probably right.
Justin Leapline:Yeah. Yeah. Yeah. That was probably our most. We've got, I think, almost 300.
Justin Leapline:Yeah. Do we
Joe Wynn:have a guest on that one? What episode was that?
Justin Leapline:14. Into that. No.
Joe Wynn:I don't oh, yeah. That was a John Ziola episode.
Justin Leapline:Oh, there we go. He brought all the people.
Joe Wynn:He did.
Justin Leapline:He did. So, yeah, that was a great great talk and everything, you know, into there. And I mean, all the all of them are very similar, you know, like, from numbers perspective. And we're growing every single time just, you know, slowly going up and up But, and yeah, we're in a bunch of countries now.
Joe Wynn:Yeah. What's the farthest away? I can you do you remember?
Justin Leapline:I don't know what the Oh.
Rick Yocum:Heard of this? That's a good question, though.
Justin Leapline:Away? But I thought here. I'm gonna pull something up. I thought the actual number two outside, obviously, The US is number one. Number two was wasn't it Venezuela?
Justin Leapline:Yeah. That would not have
Rick Yocum:would not have been my guess. Right. But but welcome.
Joe Wynn:Vietnam. Vietnam?
Justin Leapline:That was a number two? Number two. Okay. 80 per almost 81% United States, and then we got 2.2% going to Vietnam.
Joe Wynn:Well, we're gonna have to take a show on the road and hit there first.
Justin Leapline:And we got Taiwan, United Kingdom, China, India, Hong Kong, Germany, Australia. So Yeah. It's all over the world. You know, we're reaching That's very awesome. It's cool.
Justin Leapline:Not a lot of people in Africa, if you know us. There's one download in South Africa into that. But, yeah, I mean, it's obviously, you know, The United States, you know, just English speaking and over here, you know, naturally, we expect that to be number one. But, yeah, I'm actually surprised, like That's cool. Only 81% is US.
Justin Leapline:Everything else is Internet. Yeah.
Rick Yocum:The rest of yeah.
Justin Leapline:That's great.
Joe Wynn:Yeah. So do you guys have a you know, Rick, I don't know if you wanna start. Do you have the favorite topic or episode you remember?
Rick Yocum:I don't know about episode. I think I because I'm thinking about it so much these days. When we're talking about sort of the GRC engineering stuff Mhmm. Where it's like, hey, how do you automate the manual? How do you start using tools more cleverly to do stuff that has historically been just a really heavy lift in terms of analyzing and thinking about risk, etcetera, etcetera?
Rick Yocum:I I nerd out about that stuff a lot. So I think that's some of my favorite topics. That and the sort of translating the translation layer that security nerds need to provide for, like, executive leadership, I really like those topics.
Joe Wynn:Yeah. For sure. How about you, Justin?
Justin Leapline:I'd like it's a it's a rarity, but I enjoy the times that we're not all on the same page on different The arguments. Yeah. Throw I I wouldn't call them arguments. Oh. Get into.
Justin Leapline:Throwdowns. Yeah. Exactly. But, you know, where, you know, I might have more of a pessimistic view on risk management, you know, into that. Mhmm.
Justin Leapline:Or, you know, third party risk management, you know, into some of that stuff and we're, you know, talked and shared with that. But those are fun to get into Yeah. You know, type of thing. I mean, most of the time I mean, we're all pretty educated in the cybersecurity field, so, you know, like a lot of the basics. We're not gonna argue, you know, some of that stuff.
Justin Leapline:But the implementation, the culture of it, the importance of it is very debatable, you know, and the I feel like the industry is always changing, so those priorities shift all the time into why you care or not, you know, into that. And what's the value of putting in forty hours a week for a particular process if it's not yielding results, you
Rick Yocum:know Right.
Justin Leapline:The same
Rick Yocum:Well, sometimes it's contextual for like different organizations and Yeah. Stuff
Justin Leapline:Yeah. One, it could be very valuable and I could be coming from the or not coming from that, And you've seen a a one where it is very valuable. So, yeah, I think those those are the ones I enjoy the the most is, you know, when we slightly disagree on the priority or the implementation or something along that lines. I'll try to fight with you more in this season. Yeah.
Justin Leapline:Yeah. We'll throw down. Yeah. Exactly. By the way, I was thinking about doing it with our two year.
Justin Leapline:Remember our one year with the party popper?
Rick Yocum:Oh, yeah.
Joe Wynn:Like That was my favorite too.
Justin Leapline:I literally just pulled out another piece, like, two weeks ago. Oh, really? It's it's the forever thing. And I was like, yeah. I don't know if I wanna clean that up or As a surprise.
Rick Yocum:Joe and I broke.
Justin Leapline:No. Didn't do that. Yeah. So, yeah, I was like, yeah. Maybe that's funny.
Joe Wynn:That's funny.
Rick Yocum:How about you, Joe? Any any topics or episodes
Joe Wynn:Well, I I hit on we had those six guests, and so any episode I had a guest Yeah. I was super psyched about that. One of my favorite topics, and I I love talking about it, is ethics. Ethics in cybersecurity. And if you remember, that was the one that had the book, The Code of Embracing Ethics in Cybersecurity by Ed Skodes and Paul Marr.
Justin Leapline:Yeah.
Joe Wynn:I really love that topic and, you know, I I learned a lot just having read through it, like prepping for the topic. Another one I really enjoyed was quantum computing and the yeah. Yeah. Because I learned a ton researching like what Google's doing and Yep. What everybody else is doing.
Joe Wynn:Yeah. And then something that you said, any any episode where I got to rant about how to get top leadership involved.
Justin Leapline:Right.
Joe Wynn:How to, you know, like, how to actually make stuff work the way it's supposed to work and instead of people fighting the the futile problem of trying to do their best, getting burned out because it goes nowhere, I hate that. Anything where we really nerd it out on how do we get our message heard and make a difference. Yeah. I like that. Yeah.
Joe Wynn:So other favorites. I'll start with this one and pass it over if you have one. I'd say my favorite bourbon was the the Widow Jane Black Opal.
Rick Yocum:Oh, was really
Joe Wynn:best I've ever had.
Justin Leapline:I still have one upstairs. So Oh, what you doing
Joe Wynn:what are doing after this?
Justin Leapline:Yeah. Right. It's actually sitting on my bookshelf as and it came in that metal gate. Right.
Rick Yocum:The box is very cool.
Justin Leapline:Yeah. It's like a little I mean, I wouldn't lock anything up. It's pretty flimsy. But, yeah, it came into that. And I think that that was a pretty it was like $500.
Justin Leapline:Yeah. Into that. But it was When
Joe Wynn:you when you go to drink it and you figure out that it's all just colored water because your kids swapped
Justin Leapline:it Swap it. And you'll know that. Right. It tastes odd. It's like iced tea.
Justin Leapline:Right.
Rick Yocum:It's smoother than I remember.
Justin Leapline:Yeah. Right. Yeah.
Joe Wynn:Yeah. Now what was your did you have a favorite?
Rick Yocum:Too many to pick from?
Justin Leapline:Yeah. I mean, anything double oaked, I usually go to. Actually, I will say I really like when we go off the bourbon path, you know? Mhmm. Mhmm.
Justin Leapline:We had that really good mezcal.
Rick Yocum:Mezcal is great.
Justin Leapline:Scotch, red breast, you know?
Rick Yocum:Red breast and we had wee wee beastie. Right?
Justin Leapline:Yeah. So like some of those, like, I really enjoyed that, you know. Not that they're like, you know, they become my favorite, but just, you know, I don't often sip on like, I can't tell you anytime out outside of that, I I take a mezcal and actually sip on it. It. Right.
Justin Leapline:You know, like, I've had a bunch of cocktails into it and all that stuff, but, you know, I never just open up a bottle of mezcal and sip on it. So that was a new experience, you know, to me. And Yeah. Yeah. I I enjoyed that.
Joe Wynn:I did use AI to do that and I had it I put it on, you know, extended thinking, and I said, go and mine the transcripts from all of our episodes. And not all of not all the episodes consistently list the the drink in the first click description. Oh, okay. It delved in, and it found it from what we were saying in the transcript. Okay.
Joe Wynn:And it created these tables.
Justin Leapline:Nice. That's very
Joe Wynn:nice. In there. You can reference them. And then I did a second one where I went through and said, for each table, what is your thought on the estimated price for each of these spirits we had? So that's the second table.
Joe Wynn:Oh. Kinda cool.
Justin Leapline:I like that.
Joe Wynn:Good use of AI. Right?
Rick Yocum:Right. Interesting.
Justin Leapline:There are very few that are double digits.
Joe Wynn:Meaning that they're three digits.
Justin Leapline:It's 100 plus, you know. We have expensive taste, I think.
Joe Wynn:Rick, do you remember our favorite?
Rick Yocum:We've had some good drinks. You know, I think my favorite and this is because I'm just such a sucker for giant vanilla bombs, was that door knocker, that one that was just that single bottle from the one barrel and, like, can't get it again. And some of it might just be
Justin Leapline:That was the second one. It was episode number two.
Rick Yocum:Yeah. That that's one of my favorite drams, period. And it might be because I can never have it again. So now it just lives in my memory as, like, particularly delicious. But I yeah.
Rick Yocum:The that widow Jane was that they they we've had a couple really fantastic puddles.
Joe Wynn:No. And that was good.
Justin Leapline:It looks like the opal is the most expensive one we've had. So
Joe Wynn:Yeah. Good stuff. Good stuff.
Justin Leapline:Yeah. Yeah. But mostly, I mean, most are $1.01 50. We've there's a few that are less than 100 into this. So
Joe Wynn:And they were still okay. Yeah.
Rick Yocum:I haven't I don't think there are any I disliked that I recall.
Justin Leapline:No. Yeah. They're all, you know, unique and they're each in own way, you know, type of thing. Oh, yeah. That one you brought back from Scotland.
Justin Leapline:Yeah. Yeah. That was a good lady of the glen Yeah. Here, cask. What what episode was that?
Justin Leapline:That was 10. Yeah. Nice. Very good. A lot of good ones, and we're gonna have a lot more.
Justin Leapline:You know?
Rick Yocum:That's right.
Justin Leapline:So Yeah. We'll have to we'll have to really
Joe Wynn:get the average of it being not bourbon down by his going out and finding some other some other spirits.
Justin Leapline:Yeah. Yeah. I even thought about cheating into cocktails, so I was like, yeah. We're spirits. I don't know.
Rick Yocum:I think I think meat Yeah.
Justin Leapline:Or rice. Yeah. Yeah. That's probably the way it'll be.
Joe Wynn:I like my bourbon like I like my security programs. Simple.
Justin Leapline:Yeah. Right?
Rick Yocum:Love it. It's really good.
Joe Wynn:Alright. But not on the rocks. I like my spirits on the rocks, but not my security.
Rick Yocum:Not your programs. Right.
Joe Wynn:Anything else on the That was awesome. Yeah. Good memory lane here.
Rick Yocum:Yeah. I like it.
Joe Wynn:It'd be great if, you know, to it was it was great actually looking through all the topics in the old episodes.
Rick Yocum:That was a fun Yeah.
Joe Wynn:Scrolling through that. So if you haven't looked at it and you only get this because of a feed, go check out the Distilled Security website. It lists very nicely all the episodes. And and now that I pointed out that not all of them have the the spirit in there, maybe there's opportunity we can go back and Yep. Put them in there.
Justin Leapline:And, actually, this is something I I mentioned to you guys, but probably a good time to actually announce it here. We are migrating platforms. Alright. Not that, you know, that our audience really cares a lot with that. You won't see much difference.
Justin Leapline:But the difference is that will be coming is that we're gonna be pushing video to Spotify Mhmm. And to Apple now. Apple just released that
Rick Yocum:Oh, that's cool.
Justin Leapline:Videos. So we're kinda expanding our video footprint instead of YouTube only. And there's a lot of things we're moving over to Riverside that right now we have kind of a you know, we do our audio only and then distribute separately to YouTube and do that. They've been really pushing a lot of, like, improvements over their platform over the last few years, and they actually do video and audio. Mhmm.
Justin Leapline:And so we will be able to do one platform to basically upload everything, do everything right there in Riverside, and blast it out to all the content providers into there, which will be really nice. They even are playing around. We use something called Opus clips to take our long form episode and clip it down into, you know, all the short form stuff. They have their own thing now. It's not as good, but could be Oh.
Justin Leapline:Potential future that we'd remove another another thing as well Yeah. You know, and have it all into one into that. So, yeah, stay tuned if you're a Spotify user, you know, or Apple user and wanna see a little bit of video. I was just talking to the wife the other day that she listened to a lot of podcasts, and she'll have video ones up, but she doesn't always watch it. And I was like, yeah, that's like sometimes I like watching it or just having it off to the side.
Justin Leapline:Right. You know? But it's kinda cool seeing, you know, than just audio only, just a glance over Yeah. Every now and then. So it's become more and more common.
Justin Leapline:My podcast listing is on video Right. You know, into that. And not that I watch it a 100%, but have it on the background listening
Joe Wynn:Yeah.
Justin Leapline:It's Good point. Nice. So, yeah, stay tuned for that.
Joe Wynn:Yeah. Thanks for all that. Do you mind if I give a b sides Pittsburgh update? Sure. Do it.
Joe Wynn:Yeah. So so far, pretty excited. At first, we did the call for papers, call for presenters. Mhmm. And it was growing slowly.
Joe Wynn:And then like always happens, we get down to the last couple days before the due date. We had over a 100 submissions.
Rick Yocum:That's fantastic.
Joe Wynn:It's amazing. There's a team of people Did
Justin Leapline:you extend it? No. No. Okay.
Rick Yocum:We we were talking about it because of what the submissions were like a week or two before.
Joe Wynn:Yeah. A couple weeks before, it was like half that.
Justin Leapline:Yeah. You know, almost. Well, the isn't it like RSA? They always extend it. So people are like, yeah, they'll extend it.
Justin Leapline:Yeah. Extend it.
Rick Yocum:They expect it.
Justin Leapline:Yeah. They expect it.
Joe Wynn:Yeah. No. We we didn't extend it. And I'm very thankful for a group of people who are organized up and
Rick Yocum:Yeah.
Joe Wynn:It's a blind submission, so that means everybody's all all the talks get spread across a group of people, and they vote on the ones that they have, and the scores get, added up that way. Mhmm. Then the ones that filter to the top are the ones that end up, being part of the three tracks that we're gonna have. So last year, I think we only had two and a half tracks. And this year, have, enough talks in space, so we're gonna have, I think, full three tracks.
Joe Wynn:And some other things we're doing that's exciting. So villages, we always do the villages. New for this year, we have an ICS OT village. Yeah. We're actually bringing in this, and if you go to the b side Pittsburgh website, Rick, thanks for putting it out there, and you go to the events, link at the top and you scroll down, you'll see a picture of this wall of ICS equipment that's being shipped here from Harrisburg Yeah.
Joe Wynn:By a by a group of people, and the and it's being put on by the Steel City OT OT. Yeah. Group. Yep. So some folks that I actually met at b sides are running that, and he has helped with some other folks.
Joe Wynn:So they're doing that, and that's the first time. And then for its second year in a row, the wireless radio ops village Yep. Was a huge hit last year. They said it was like giving, a presentation every fifteen minutes for eight hours.
Rick Yocum:Yep. And
Joe Wynn:they they the team loved it. They're getting their stuff together this year. They're gonna do a great job with that. And then continuing, we have various capture the flag events. I understand.
Joe Wynn:Lockpick village is there again. We'll do speed mentoring, and and if we can, we're gonna do something a little bit more with career. If we can get a full career village, we're not sure, but we're working on it. And then the birds of a feather. So from a What's that been?
Justin Leapline:A career village. Career well, we
Joe Wynn:want a place to do more than just a speed mentoring where we get people. You participate in that, so you know what that is. But that was for people who would come and spend, what, like, five minutes with you and you would give them some advice
Justin Leapline:That has some questions or, you know, say, I'm stuck into this. I can't do this. Can't find a job, you know, all that whatever it is. Right. So what
Joe Wynn:we wanna do is if we can, we wanna have a room where you go in and you can see, you know, have some speakers who are actually from recruiters who are talking about how to do that. That's what we envision for it. We're not sure if this will come together. We don't have the full plan. But, also, we have sponsors who end up getting asked a lot of questions.
Joe Wynn:Are you hiring? And they said to us, well, if I'd have known that was gonna be a thing
Rick Yocum:We'd have sent someone.
Justin Leapline:My HR person. Yeah.
Joe Wynn:So we'll bring an internal then we might have some internal recruiters from some of our Oh, okay. Sponsors come
Justin Leapline:somebody for you.
Joe Wynn:Okay.
Justin Leapline:Yeah. So let's talk after the podcast.
Joe Wynn:Yeah. That'd be great. And and so we were trying to put this together, but it's really it's a a village to learn about how to get that next job Mhmm. If that's what you wanna do. And Tristan did one, and I've seen one in another conference, and they're always seem to be difficult to put together and get running just right.
Joe Wynn:But I think people would really appreciate it, and so I wanna make make that possible. Sponsors. I believe we're up to about 19 sponsors now. We're not. We still have some room left for, some more sponsors, and we still have tables left, but they're going.
Joe Wynn:They're going quick. Just had a conversation yesterday with somebody who met in the last couple weeks who their company is, talking about it, and so we'll probably, you know Yep. Have a couple more sold. For tickets, we have well over 400 sold at this point. Last year, I don't think we're quite to that level by this That's little ahead.
Joe Wynn:Couple months ahead. Last year,
Justin Leapline:you had over a thousand sold.
Joe Wynn:Over a thousand sold.
Rick Yocum:Oldies. Yeah.
Joe Wynn:Sold out last The
Justin Leapline:last month, don't you, like, essentially double your number?
Joe Wynn:We do, and we're trying to avoid that. And thanks for bringing that up because tickets started out at $20, and then they went up to $35 on, I think Tax
Rick Yocum:day?
Joe Wynn:Tax day. Yeah. On June 12, so they're gonna be $35 until June 12. And then they go up to $75, because we really want you to buy your ticket sooner. And the reason why is because we had to give the casino Rivers Casino the food orders.
Joe Wynn:We need to get the t shirt orders in. There's a lot of stuff that banks on knowing how many people are actually showing up.
Justin Leapline:Doesn't it help you, like, lockdown sponsors too if you can say we've already got
Joe Wynn:Oh, absolutely. Yep. Absolutely. So if you're thinking about coming and you haven't signed up yet, do it. $35, even though it's more than the $20, is still less than what it costs us to get the food ordered
Justin Leapline:As it's just the
Joe Wynn:meal. Person.
Rick Yocum:Yeah. Just the meal.
Joe Wynn:That's way more. And so Honestly, you
Justin Leapline:should just get the ticket, and if you're not sure you can go or not, gift it to somebody. Yeah. Know?
Joe Wynn:Oh, yeah. That'd be great. And so and then throughout the day, just a reminder, about 08:30, we do the kickoff. 09:00 or so is the first talk, and then three tracks of those going on. Some depending on how many we wanna do this, we might have tracks run over lunch.
Joe Wynn:We might break for lunch. We'll have to figure it out. Yeah. About 05:00, we wrap up the last talk, and then we have the after party from seven until nine. And then I always look forward to, it used to just be our our, like, personal with, like, a couple other people would tag with us after after party, and we go and end up strolling downtown, find some good cocktail bars.
Justin Leapline:Right.
Joe Wynn:Always, you know, what was it, like, 12:31AM eating pizza somewhere? Yeah. Yep. And then that's
Justin Leapline:Pizza was so hot, it burned to the top of your mouth.
Joe Wynn:But you couldn't but you couldn't help but eat it. And then Do
Justin Leapline:you know?
Joe Wynn:Do you know? No. No. It was a different place right on 6th Avenue down there.
Justin Leapline:Thought it was started with a g. Anyways, Giovanni's. Giovanni's. Yeah. Yeah.
Joe Wynn:And so and and then we had the long walk back to the casino. But, yeah, I'm super psyched about that. Last year, we ended up having more people show up for the after after party at that cafe on the Yeah. North Shore. And this year, we might try to get even a better place, we're just working on that.
Joe Wynn:Right?
Justin Leapline:Yeah. Yeah. So I would say if you're even remotely interested, plan on it, you know, plan on it safely, you know, into that.
Rick Yocum:Yeah. And there's a hotel block at the There's
Justin Leapline:a hotel block or Uber if Right. Whatever it is. You know, if you're planning on coming out for the after after, obviously, we we always, you know, wanna send everybody home safely. But we usually get a hotel, you know, under that just to, you know, be safe and everything. But even if you plan on Uber or whatever it is Yeah.
Justin Leapline:Come out, you know, I think, honestly, and, you know, me from a, you know,
Rick Yocum:a lobby con Lobby con. Perspective.
Justin Leapline:The the network and the people you meet
Joe Wynn:Oh, the connections are great.
Justin Leapline:Yeah. And really, you can't get that in a talk because you're not allowed to talk during the talk, you know, type of thing. But it's the the Should be called a listen. Yeah. Right.
Justin Leapline:You know, it's the people you meet and those are just gonna go on like those relationships are gonna last for a long
Rick Yocum:time Yeah.
Justin Leapline:You know, if you make a good impression. And having a a beer or a drink or even just coming out with water, whatever it is, making those connections on the after and just doing that. It's it's phenomenal. And I believe, honestly, in a lot of my mentoring and everything like that, college kids have a perception, like, I have a degree now. So now I'm hireable, you know, into this.
Justin Leapline:And I was just talking with another professor in cybersecurity. He's like, I got it's like he was kind of reaming on a kid. He's like, there's 30 other kids in this class that have the same credential as you. Like, how are you so different from all them and you're all competing for the same jobs, you know, into this? Right.
Justin Leapline:So, like, you need to do something different and special. Yeah. You know? So
Joe Wynn:Yeah. And so I don't know if we'll get around to it, but if we do get a better a more organized after after party, and if not, then just find us and hang out with
Justin Leapline:us. Mhmm.
Joe Wynn:Yeah. If we do, maybe maybe we can have a Distilled Security sign up sheet just to kinda get a feel for how many people might join us.
Rick Yocum:Yeah. Potential attendees. That's a good idea.
Justin Leapline:Yeah. Yeah. And then we can keep everybody cc'd in to where we're planning and what we're doing and all that.
Rick Yocum:Yeah. Yeah.
Justin Leapline:Okay. Yeah. Sounds good. Cool.
Joe Wynn:Well, thanks for letting me Yeah. Share
Justin Leapline:Absolutely. Yeah. That's a it's the the biggest security conference here in Pittsburgh every single year. So if you're not going to that and you live around the Pittsburgh area or even drivable distance, I think I I told you guys I went to Charm, which is besides Baltimore and everything. And, you know, there are good things that they did, but, you know, there's a lot of things I'm like, oh, besides this is way better, you know, type of thing.
Justin Leapline:And, I mean, it's a phenomenal space too that where we're in right now, you know.
Joe Wynn:Oh, yeah. And and we do get people coming up from DC and down from Rochester and New York and as far as Columbus. So they're they're coming from all around. So if you're not as far as those places, no excuses. You can Right.
Justin Leapline:Yeah. Exactly. Yeah. I I figure I mean, if it's in a four to five hour drive, that that's an easy conference weekend, you know, type of
Joe Wynn:And if I didn't say it, it's July 10. Friday, July 10.
Justin Leapline:Friday, July 10. Yep. Alright. Sounds good. We're just diving into the meat now.
Rick Yocum:Yeah. What are we talking about?
Joe Wynn:Why don't we start
Justin Leapline:off the Vercel breach and everything? So this happened in February. So to give a little context and everything, Vercel came out that there was a number of credentials stolen mainly through the Google Workspace aspects of this. And, you know, there's breaches every single day. What kinda stood out for me for this because, I mean, if we were talking about breaches every time on this episode, that's all we talk about every single episode.
Justin Leapline:You know? Right. Like, this person got breached. This person got breached. You know?
Justin Leapline:I was like, alright. But one of the interesting things about this was this was compromised by unauthorized software within their environment. That that software that ContextAI, Vercel came out and said, we don't use ContextAI.
Rick Yocum:Mhmm. Yeah. Not a customer.
Justin Leapline:Yeah. But but, yeah, they got the it got compromised because somebody installed it. And then it was through a Roblox script.
Speaker 5:I was
Joe Wynn:gonna ask if you knew what it was. Yeah. A single person who was using what looking up, like, like, an auto miner or an auto farm or an auto something in order to make that script work for Roblox. Right?
Justin Leapline:Yeah. Yeah. And, yeah, download it, and then it led to some compromised Google Workspace credentials that then, you know, got it more credentials out of the Vercel environment. Luckily, you know, I I actually host through Episode through Vercel. I use a lot of their services and everything, and we do Google Workspace.
Rick Yocum:Yeah. Yeah.
Justin Leapline:Yeah. So I think I was like, oh, boy. So but I had to look through nothing, nothing of, issue, and we rotate our keys just to be, you know, extra cautious of that. But
Rick Yocum:And I well, I think the thing that's interesting too is the the Vercel employee had previously authorized context AI through OAuth. Right? So that's a So essentially
Justin Leapline:Did they specifically authorize it or did they have a wide open OAuth?
Rick Yocum:No. The the employee authorized it.
Justin Leapline:So so it was The employee author. Yeah.
Rick Yocum:Yeah. The employee that downloaded the Roblox. Yeah. Yeah. Yeah.
Rick Yocum:So essentially, it was this sort of I mean, what's effectively a lingering token or a lingering key that was out there. Mhmm. And so when the inform when the script stole the information, the attackers were just able to take that and then start scraping information from, you know, the environment. So it's essentially credential theft, but it's through such a wonky pattern. Right.
Rick Yocum:It makes you think about all the stuff that you may or may not allow your employees to authorize in third in in terms of third party access or apps that you can just click and download because, oh, it's just, you know, in runtime memory or this, that, and the other.
Joe Wynn:Yep. And it almost looks like a nuisance pop up. Right? And Right. You click okay.
Joe Wynn:And if it's if your your privileges allow you to consent on behalf of your organization
Rick Yocum:Right.
Joe Wynn:Now you've, consented it to it. And so OAuth is access management at that point and Mhmm. It's, in some cases privileged access management.
Rick Yocum:Yeah. Depending on the context of the employees running it in and all that stuff. And so I thought it was interest I mean, there there's no third party risk management assessment questionnaire or spreadsheet or whatever that would ever catch this. No. Because it's a totally different thing.
Joe Wynn:It was
Justin Leapline:already But there are controls.
Rick Yocum:There are absolutely right. Absolutely right. But it's it's just interesting because the third party breach effectively Yeah. But there's not a like a your typical any third party risk management program I know Yeah. You're not looking at that typically.
Rick Yocum:Now, there are controls.
Justin Leapline:Yeah. Yeah. Yeah. And, yeah, that was a very unique thing where, like, yeah, software that was technically unauthorized. You know?
Justin Leapline:It wasn't prevented, but wasn't, you know, a part of their, you know, allow list, whatever that was, you know, into that. Also too, the the Roblox was a funny thing. I don't know. Does your kids use Roblox?
Joe Wynn:They used to play it more. I think they I think some of them still do.
Justin Leapline:Yeah. So we prevented our entire family from I'd
Rick Yocum:say it's pre banned in our household.
Justin Leapline:So Yeah. Yeah. Kids have something where the cousin shared it with Lila at a young age. Like, she was, like, six, seven or something like that. There were adult accounts talking to kids be like, oh, you're having a problem with your, like, you with your parents.
Justin Leapline:Why don't we go in a private room to talk about it? I'm like, oh, no way. Yeah.
Joe Wynn:One of the things I did was we turned off the chats.
Justin Leapline:Oh, okay. I gotcha. And
Joe Wynn:but plus our kids are I think my kids are older than your kids. So Mhmm. We'd taken a different we're able to a
Justin Leapline:different spectrum of kids
Joe Wynn:Yeah.
Justin Leapline:You know, into this. That's true. You're about to have your second, you know. Exactly. I have a group between 13 and and what, six and Mine are 16 to 20.
Justin Leapline:Yeah. Exactly. You're starting to see him go out the house.
Joe Wynn:Yeah. They're they're they're making more than they're making more in their internships than I did in my first job out
Justin Leapline:of college. Yeah. Right. Dude, I saw my original offer letter, my first job after high school, and it was for, like, $23 a year. And I'm like, $23 a year.
Justin Leapline:This is awesome. It was like Yeah. That's like a week project.
Rick Yocum:Yeah. Things have changed.
Justin Leapline:Yeah. Yeah.
Joe Wynn:Yeah. Oh, man. Yeah. And then, yeah, my question for actually, our listeners are, if your company would you even know if an employee granted Reno may I tool broad access to your Google Workspace? I mean, like.
Justin Leapline:Well, and that's the thing. Google defaults open for OAuth, you know, into that. I don't know how many people actually know that, but Right. The first thing you should do is probably flip that.
Rick Yocum:To require admin approval and not just Exactly.
Justin Leapline:Yeah. So that, you know, not everybody can OAuth against you. You know, it actually requires authorization from an admin to say, yes, this app can use us for OAuth, you know, into that. Yeah. Let's say if you're big enough, I mean, you're you're small, you know, maybe that's not as important, maybe.
Justin Leapline:But I mean, context of this, it could be very important, you know Yeah. It is. So
Joe Wynn:Yeah. Yeah. A funny thing I I saw for, like, a recommended thing to talk about with this is, you know, thinking about your third party risk management. Should your third party risk management questions start asking for your OAuth app governance?
Rick Yocum:It's so specific. It becomes like whack a mole. Like Yeah. There's so many things that could go wrong. I I do think it the the challenge and it's a pain in the butt challenge, but the challenge is really around and like the controls you were referencing.
Rick Yocum:Right? Because at the end of the day, it's like an identity and trust issue. Because like there's the chain of trust essentially that happened here, was the context AI. Right? Yeah.
Rick Yocum:The context AI employee trusted the Roblox script.
Joe Wynn:Or the Vercel employee trusted the
Rick Yocum:The Vercel employee trusted context AI. Yeah. Yeah. Right. Right.
Rick Yocum:And so that's basically the path.
Joe Wynn:Yep.
Rick Yocum:And it's it really is monitoring and regularly looking at, like, okay. Well, what have your employees, like, approved or allowed or authorized from an OAuth perspective? It's another thing to review, I suppose. And and contextually, it's just if you're real if you're a mid to big company, it's just gonna be hard to manage, if the genie's already out of the bottle.
Justin Leapline:Right. But you can pull it back. I mean, all these keys are, you know, lifetime bound.
Rick Yocum:Right.
Justin Leapline:Right. Like, they they'll expire, you know, at timely intervals and everything. So the most important thing is start, you know. Yeah. Absolutely.
Justin Leapline:You know, you'll get into a
Joe Wynn:I like your point. There's some preventative things you can do. So put those preventative controls in place, and then you can audit what's already been approved and, you know, at least do those two things, stop the bleeding, and then go look and see what's done.
Rick Yocum:Absolutely right. Exactly.
Justin Leapline:Yeah. But, I mean, it's you mentioned about, like, getting deeper questionnaires and all that stuff. You know, I I I'm always hesitant because it's like, I already have one program to run. Like, I don't wanna run another dozen programs of my third party, like, you know.
Rick Yocum:I can't see that being the solve.
Justin Leapline:Yeah. Oh, no.
Joe Wynn:No. That was a little facetious of a
Rick Yocum:Right. Just add one more
Joe Wynn:thing to your third party risk management.
Justin Leapline:Many people added AI questionnaires, you know, to third party question. I mean, anytime there's something new, they stack more questions onto the questionnaire, you know, to see how you're doing. And it's going to some salesperson that's filling it out and they're answering yes to everything, you know, and what are you measuring at the end of it? This goes back to my
Rick Yocum:Well, but I do think it it speaks to a fundamental problem that's out there and that's not gonna get better. Right? Things are gonna keep getting more complex as additional layers get added. Things are gonna keep moving faster and faster as AI or quantum or whatever continues to happen. Mhmm.
Rick Yocum:Like, yeah, in theory, you can just continue to stack onto these questionnaires, but it's gonna become just this issue where you the you can't analyze the volume anyway. And then you can automate some of that maybe, but you're just getting so abstracted from the actual issues. It Yeah. Becomes easier and more useful to just be like, no. Understand what you're allow listing and block listing.
Rick Yocum:Have strong controls in place. Try to make sure you actually know what people are doing and why they're doing it. Yeah. And none of that's easy, but it is kinda back to basics in a weird way.
Joe Wynn:Yeah. And I thought you were going to, as you were talking about that, start to sum up the theme of some of the different topics we have. Well,
Rick Yocum:in in terms of just like SDLC and AI and Right. Everything crazy.
Joe Wynn:Vercel item. Yeah. And what's happening here is, you know, that that is, you know, you're using a tool like if Vercel hadn't gotten their handle around this quickly Mhmm. This could have been another stream of things that impacted the Vercel users. But Yep.
Joe Wynn:Luckily, I don't know if there was any data on if Vercel users were Yes. Impacted.
Justin Leapline:Yeah. I don't know numbers, but there are definitely ones to say, like, you had already been contacted from Vercel through an email. Mhmm. And there were some other things that we act we actually checked our logs. They actually published a signature for some of the authorization, and we went through and checked our logs real quick with that.
Justin Leapline:So
Rick Yocum:Well, things like access authorizations are are kind of this weird and sticky and sneaky thing. I mean, they do expire. Mhmm. One of the notes that I saw that I thought was kind of interesting is a recommendation around stuff like this was saying, oh, well, if one of your vendors have a breach, even if they say it's low risk, you might still wanna like rotate your keys and things like that. And I thought that was interesting.
Joe Wynn:How many times have we seen the, vendor come out and say this is, we have it contained. This is small. And then two weeks later, it's bigger. We're now gonna add another many, many, many customers to the list in the accounts. And then a month later
Justin Leapline:thing is we consider this nonmaterial right now, but we're still investing. Investigating. Yeah. Rotate your keys. Yeah.
Justin Leapline:Yes. That happens a
Rick Yocum:lot. It's interesting.
Joe Wynn:But anyway, I don't do you wanna talk a little bit more about I liked how you saw the theme and the thread that was through these various topics with SDLC and CI pipelines?
Rick Yocum:Well, just in turn yeah. I mean, everything's just getting faster and faster, and and it ends up being and it it's an issue of process, an issue of trust, and can't see how things continue as is without some real material changes to help people run their programs. Right?
Joe Wynn:Yeah. And you and I were talking a little bit ago about, you know, even even twenty years ago Mhmm. When I was doing third party risk management, I was asking companies that were selling to the company I was working at, tell me about your security. And when I got to the part and I said, well, tell me if this is like pre questionnaire. This is questionnaires were just becoming a thing.
Joe Wynn:Yeah. Then I was still asking these questions. And I said, tell me about your software development processes. Do you lock your software development processes down? Do you lock your dev environments down like production?
Justin Leapline:Mhmm.
Joe Wynn:And if not, what do you do to prevent somebody from exploiting the code and have that make its way into Right. Production? And then eventually, I install it or our our our organization installs it, and now we're running this problem. Mhmm. And it always stumped them.
Joe Wynn:Like, nobody the people we were talking to, they never had a solid answer for that.
Rick Yocum:Right. And those were vendors. Right? Those were people trying to sell their software product. And I think in a lot of organizations now with AI, it's even more complex in some ways because you might have, you know, you might have sort of internal developers that are part of an ERP team, for instance, modifying their code, and they have a certain pipeline.
Rick Yocum:And then you might have people in marketing that wanna spin up their own AI agents to do x y z, and and maybe they have a slightly different environment or pipeline or whatever, but it's still depending on what exactly they're doing. It could still be app dev at the heart of it. Yeah. And then, you know, as part of the very same company, you could have you know, you could be building software to then sell to clients. And so even just from a general SDLC perspective and the the acceleration that AI and the tooling and all that stuff provides, it becomes a pretty heavy problem.
Rick Yocum:And you may or may not be able to apply the same kind of weight of controls across those environments for different reasons.
Joe Wynn:Yeah. For sure. And, you know, just how much you gotta rely on that's out of your control. It it's just mind boggling.
Rick Yocum:Yeah. I've I've seen a lot around AI bill of materials lately and stuff like that. So kinda like the s bomb, but now it's the AI bomb because there's all the, you know, additional layers and stuff and
Justin Leapline:So what models you're using, what yeah. All that stuff and everything.
Rick Yocum:Yeah. Yeah. Yeah. And and are they trustworthy? It's interesting.
Rick Yocum:I was thinking on the way down here, I don't know, just a thought that popped into my head is a lot of organizations will talk about AI like it's a monolith, and obviously, we know it's several different things. Right? But even from, like, a development perspective, when you think about models or or agents and things like that, I was starting to build the parallels to like, well, we're talking about it like it's tech, and it is tech, but it might be clever to start to think about some of these things like it's people in a way in terms of trustworthiness. Right? So, hey, I'm gonna use these models and build these agents to perform these functions.
Rick Yocum:And, like, I started thinking about, well, how do we vet people? You don't like you don't necessarily go through their entire history every like, you do you look at their interview like, you have some interviews. They have a resume. They you may or may not require some certifications or something like that.
Justin Leapline:Agents will require a a CV
Rick Yocum:I resume. I kinda actually, that that's kinda what I'm thinking. Right? There's probably, like, some certifications to be like, are you even eligible for me to review you? Almost like the resume.
Justin Leapline:Yeah.
Rick Yocum:Right? Must meet these standards. And then frankly, like some and this is more for external, but maybe internal too. And then some like live fire testing, kinda like an interview. Right?
Joe Wynn:I'm sorry, Rick. You can't use that AI agent because it doesn't have a CISSP. Yeah. They make it through the HR
Rick Yocum:process. Right. But I think, like, when we talk about trust and the fact that agents and models are trained the same way that people are trained and how do you not the same way, but similar to. Right? There's there's a knowledge base behind them.
Rick Yocum:There's experiences behind them kind of. And it doesn't make allow you to predict what a person's gonna do or an agent necessarily, but you can have a lot more confidence that they'll be right most of the time in the context you're putting them versus not. Don't know. I didn't like land anywhere on that thought. Just I started thinking through
Joe Wynn:Well, no. It's really important though to think about an AI agent the same you would about an employee. Because just think about least privilege and access management coming back to that. It's do you have an agent? Does it have more Privs than it should?
Joe Wynn:And if it does, can you really get it down to the only the Privs it needs so this agent doesn't go off and Right. We didn't prep for this article, but there was one where was it a Claude agent deleted a database Oh,
Rick Yocum:I see.
Joe Wynn:Yeah. Eight seconds. I was
Justin Leapline:wondering if that was clickbait. It looked like a number of people echoed it, but those are some of those stuff that you're
Joe Wynn:The article was good. I like the article. It was, you know, it went deep enough to make me think that it So
Justin Leapline:basically, deleted production and it also deleted backup.
Joe Wynn:It do because it would deleted the volume. And so what it said is, I delete this volume. In order to the agent, it was very interesting because they asked the agent why it did what it did, and it sounded like it was realized it did something wrong, but there was it was too late. And it said, yes. I should have checked first, and I should have
Justin Leapline:Yeah. Right.
Joe Wynn:Checked what where the backups were. And what it did, and instead of actually testing to see if the things were the way it should have been, it actually went and did the action
Rick Yocum:Right.
Joe Wynn:Which validated it was what it thought. But by then, it deleted it, the whole volume that the database was on and the backups were on.
Justin Leapline:So That sounds like a bad design.
Joe Wynn:It I Right. That's the next part. You do not put your backups on the same volume as your primary database.
Rick Yocum:Well, all truly good problems are never just one thing. Yeah. Right? It's it's typically a combination of a couple things going wrong. Yeah.
Rick Yocum:Yeah.
Joe Wynn:So but, you know, least privilege of Yeah. That thing that had least privilege and it wasn't maybe it could have deleted a record Mhmm. But not the whole database, let alone the whole volume the database is running on.
Rick Yocum:Right. Well, in oversight and auditability and etcetera etcetera. I've the other thing I was thinking about in terms of AI and people and stuff like that was like the we talked a little bit about this at an event kinda recently, like the three lines of defense model. Mhmm. And does it apply to AI?
Rick Yocum:How does it apply to AI? Are you eventually gonna have three different AI things, right? One for line one to execute, one for line two to oversee, and one for line three to audit. Yeah. Like, how's it all gonna work?
Rick Yocum:It's just kinda interesting. But I do think treating the AI concept more like people than like tech Yeah. Is beneficial in some ways.
Justin Leapline:Yeah. For, I don't know A little while. Now. Yeah. Everything's moving so fast in AI.
Justin Leapline:I can't say years Right. Right. You know, type of thing. But yeah. Because the the question comes down, how do you permission Mhmm.
Justin Leapline:You know, into that. And so it's, you know, having agents as their own identity, you know Yeah. Yeah. Personalities and cluing it into exactly what they need access to for the role that they have, you know, into that, which makes a ton of sense, but that's not the way it's designed normally nowadays. It inherits whatever you have, you know, into that.
Justin Leapline:So it flows through, if Justin Leapline has access, then Justin Leapline could, you know, give access. And there are some tooling out there, like, I know Anthropic through their desktop app. You can actually they have for each of their connectors have read, write, you know, for a number of different functions that they can do into each of the skills.
Rick Yocum:I see.
Justin Leapline:Yeah. So but you have to go through and configure that, you know, type of thing. It's actually interesting. So I think I mentioned before Mercury is my bank Oh, yeah. Choice.
Justin Leapline:It's interesting. So they have AI connectors, which was phenomenal during tax time. Let me just say that I had Claude
Rick Yocum:go through Yeah.
Justin Leapline:And it would build a spreadsheet and then do calculations off the spreadsheet because I told it, like, you need to double read the the triple check your work. You know? Yeah. Because these numbers are going to the IRS, and then I validate, like, some of them. But it would actually build the spreadsheet then do, like, actual calculations in the spreadsheet there.
Justin Leapline:But one of the things that was interesting to me is for if it was just read only access, an API key would work, you know, into that. If you gave it any write access, it would actually you have to limit it down to an IP address, you know, through Mercury. Oh, interesting. It actually Mercury enforces that. Yeah.
Justin Leapline:Not API key just can't float out there that has send sendable money, you know, out Yeah. You know, that. Because I wanted not not that I use it to send money, but if it found a wrong category, I wanted it to write I'll
Rick Yocum:fix it.
Justin Leapline:You know? Yeah. Type of thing. And I was looking for something to do give that only access, but I would I had to put my IP address from my home here. You know?
Justin Leapline:Right. It was interesting.
Rick Yocum:Yeah. That's neat. So
Justin Leapline:you guys hook up your bank with your AI? Yeah. I have no. So but it was really good with taxes and everything. So, you know, how you you all your deductions and everything like that.
Justin Leapline:And IRS, you know, has all those particular categories that, you know, fall into it. And then for certain ones, like, filed through H and R Block. Yeah. You know? For certain ones, they want it broken down more, like travel and entertainment, you know, type of thing.
Justin Leapline:They want more specifics, like, how much did you do actually with hotels? Oh, sure. How much was transportation? And it broke down everything. And there was a few fixes I had to do, you know, because there the things were miscategorized and all that.
Justin Leapline:But
Rick Yocum:I find I use it, like, from a banking perspective, from a tax perspective, and and just in general, a lot more to check my work than I do to draft the work Mhmm. If that makes sense.
Joe Wynn:Alright. No. I'd say. Yeah. Yeah.
Joe Wynn:Now, is IRS using they're gonna use their AI in order to review your AI's results. So can you get your AIs to talk to each other
Justin Leapline:Exactly.
Joe Wynn:That. Like, hey, tell your buddy over at the IRS to not pay attention to this part.
Justin Leapline:Yeah. Right? Yeah. So yeah. I mean, I would well, I don't know.
Justin Leapline:Government's always so slow, so who knows what they're using. I mean, they're obviously using flags, you know, in certain cases.
Rick Yocum:Yeah. I'm suspect traditionally coded.
Justin Leapline:Yeah. Yeah. Like, if you're deducting this mod based on this volume, red flag, you know. Yeah. Right.
Justin Leapline:You know.
Joe Wynn:Maybe your AI agent can take the IRS AI agent out for beers and kinda over.
Justin Leapline:Yeah. And it didn't mind the, you know, you know, 6 figure deductible I had on alcohol, so I thought it was good. There you go. Perfect.
Rick Yocum:I love this agent.
Justin Leapline:Yeah. Right. Best agent ever. Yes. I'm like, that's that's cool.
Justin Leapline:Like, you must have a podcast or something. Remember. Yeah. That that flies. That tracks.
Justin Leapline:Well, that's funny. Yeah. So, you know, into this, we're talking about, like, keeping up with volume, and I think it's probably a good segue into another talk Yeah. Into this. I thought this was ironic, to say the least, that HackerOne is a bug bounty, you know, program into this.
Justin Leapline:And they came out a few weeks ago and said they're suspending their bug bounty program because they're getting so many submissions from AI that they can't keep up with the actual fixing.
Rick Yocum:I should know this, but I just don't. Does I always thought that HackerOne just did bug bounties. Yes. They don't do anything other than bug bounties.
Justin Leapline:Yeah. They basically serve as a portal for other companies to do bug bounty. Yeah. So if they're
Rick Yocum:oh, so it's just it's so there's still gonna be a portal for other people to do their bug bounties. They just stop their own.
Justin Leapline:They're they're a service. Okay. Yeah. Yeah. Okay.
Justin Leapline:Yeah. Exactly. So, yeah, bug crowd, hacker one, you know Got it. Got Got all the stuff out there. Yeah.
Justin Leapline:They're just portals for people to run their own programs. Yeah.
Rick Yocum:So people can still use hacker one to run their own
Justin Leapline:bug bounties. Stop their entire company.
Rick Yocum:That was I was like Yeah.
Justin Leapline:This is what I know them into HackerOne for that. Yeah. Yeah. Yeah. So but funny, you know, that they're a bug bounty programmer.
Justin Leapline:Like, we we don't have a solution for this. Like, it's working too well. You know?
Joe Wynn:Right. Well and and the whole everybody's finding these AI flaws and not everything is good quality bugs. Mhmm. And it just became overwhelming for them to handle the volume. Right?
Joe Wynn:And so and so which is which tells you a couple things is AI is helping you find more vulnerabilities. People are using these tools in order to go after Right. All the bug bounties. And, you know, we were talking earlier. It's almost like they got DDoS or they buffer overflowed their ability to handle as many as they they wanted to.
Justin Leapline:So do you guys think this is a good thing or a bad thing? Because and I'll put a little context into this. You who sent the thing about the vulnerability for GitHub Yeah. Into that? I saw that a couple of days ago,
Rick Yocum:I think.
Justin Leapline:That was discovered by AI. That there was a basically, a, you know, custom ex exploitable thing both on github.com and enterprise servers that they crafted, you know, commit, I think it was or something like that, that you can actually ex execute stuff. And they showed looking at the UID of of the user, you know, doing that type of thing. That was discovered by Right.
Joe Wynn:AI. Yeah. And I don't have a
Justin Leapline:been out there, you know, into that. And then the Linux thing, I think, was AI discovered. Sure. What was that one called? Copy something?
Rick Yocum:That was the kernel thing? Yes.
Justin Leapline:Yeah. So and that was a really bad one. Copy fail. Fail.
Joe Wynn:Yep. Yeah. I was just testing that out this afternoon.
Justin Leapline:Did you? How'd it work?
Joe Wynn:I was trying out on cache OS
Justin Leapline:Okay.
Joe Wynn:Which cache OS. Cache OS. I know that. I I forget what's a variant of. And it's so I'm running this headless and just have, like, a lab system with it on.
Joe Wynn:And I could tell that I wasn't on the patch version, but luckily, I couldn't get it to to exploit. It wasn't one of the operating systems listed in the article either. So
Justin Leapline:Right. Gotcha. I wonder if you you had, like, SE Linux or something like that that was preventing it or I don't I I didn't dive into it deeply, but the uniqueness of this, if people are don't know, definitely look it up. Copy fail, basically, from what was it? 2037.
Joe Wynn:2017
Justin Leapline:Last week. On that it was actually affected the the the core Linux kernel. Yeah. So all the variants had this applicable. There was no variations between all the different distros out there.
Justin Leapline:It was the same Python script that basically you need local auth, but you can elevate your privileges, you know, from that. So having a console access Yeah. You could elevate your privilege, you know, in this. So
Joe Wynn:And and at first, it seems like not a big deal because it's only a local exploit. You have to already be on the system. But then you think about systems that are like Kubernetes containers, multi tenant Linux hosts, other places where you can get on. And some of these, like, web hosting places will let you execute a shell command. So if you can get to that point and then run this, you could effectively take over or escalate to a super user
Justin Leapline:Right.
Joe Wynn:On those kinds of systems using the local exploit.
Justin Leapline:Right.
Joe Wynn:Yeah. Which is only less than one k of code.
Justin Leapline:Yeah. Exactly. So, yeah, as far as local exploits go, pretty dangerous, you know, kind of thing. And that's not even covering, like, if web apps are doing some sensitive calls or something like that, you know, some type of injection or flaw into that could actually cause local execution, you know, into some of the things like that. So Right.
Justin Leapline:But the reason my initial thing for bringing this up is
Rick Yocum:Good thing or bad thing? Yeah.
Justin Leapline:We wouldn't have known about either one of these Right. Without AI.
Joe Wynn:Oh, yeah. And and so what I didn't like about the bug bounty is problem is that they're getting impacted by a ton of low quality reports Mhmm. Because people are using AI. They're thinking they're gonna get their payday, and they're submitting, and it's some of them are just not even real bugs. That's what I read in the article.
Joe Wynn:And what it's doing, it's overwhelming the company. So it's like out of the woodwork are coming are are these nonqualified people who are now qualified because they're using AI
Rick Yocum:Right.
Joe Wynn:To do this, and then they basically overwhelm the organization to the point where they couldn't function properly. That part, I I'm not not a big fan of. Am I a big fan of you using these tools to find to more quickly find vulnerabilities so they can be ethically reported and then managed? Absolutely, a 100%.
Rick Yocum:If you're a good guy.
Justin Leapline:Yeah. Well, and I think
Joe Wynn:I mean And the bad guys are gonna do it anyway, so you gotta do Right?
Justin Leapline:Yeah. And they they would do it anyway without AI. I mean, I I ran a bug bounty program. Alright. And you get a lot of slop, you know, into that.
Justin Leapline:Even if you have your rules set up or, like, we're not Yeah. Accepting some of the low level whatever stuff, you know, do you get submissions that they don't they don't read, you know, what your rule Right.
Joe Wynn:And you have to process that to know if it's
Justin Leapline:a bad submission. And, you know, you'll deny it, or it's bug bounties is first come, first serve.
Rick Yocum:It's like
Justin Leapline:type of thing. So if it's a duplicate, then you deny all the others. I mean, honestly, I think that the solution is they need AI on the receiving end now. I was
Joe Wynn:thinking the same thing.
Justin Leapline:Like, they they now need a process. You have your rule set. You have your submission. You could probably clear out a lot of those just by a simple screening test Yeah. Into that.
Rick Yocum:Yeah. I mean, it it feels like so you asked if it's a good thing or a bad thing. Mhmm. It feels like it's a disruptive thing that will eventually become a good thing. Like, it feels to me very similar to a pandemic in a lot of ways.
Rick Yocum:Who tell? Well, super high volume, super disruptive, and probably gonna break a bunch of stuff. But on the back end, there's gonna have to be immune systems built to prevent against these things from breaking stuff in the future. Yeah. Like, the whole economics of this is because it has been so hard for so long to find bugs.
Rick Yocum:Yeah. So now AI makes it less hard to find bugs. So all these cottage economies built around finding bugs are gonna get blown up. Right. And then what happens?
Rick Yocum:Right? Well, something replaces it. Right? It does it become monetized for fixing bugs in a different way? Does it become it's just gonna be something different.
Rick Yocum:Does everything say, yeah, this is crazy. We're just gonna move to all straight allow lists and block lists and have to get way more diligent about what specifically is allowed to execute and what's not? Like Right. I'm not saying that's definitely what it's gonna be. It's just there's a couple paths that things can take And similar to the pandemic where people go like, oh, well, maybe maybe this level of just in time inventory is a bit too risky.
Rick Yocum:Right. Right? I feel like things are gonna adjust on the back end, but right now, it's hyper disruptive.
Justin Leapline:Yeah. Exactly. And, you know, at any time a new technology comes out, you know, it will be disruptive. You know, you look at the car to the horse and Exactly right. The horse industry, like, oh, yeah.
Justin Leapline:All these, you know, and, you know, barns and all that stuff like, there was an industry around horses. Was it
Rick Yocum:was it a good thing? No. I don't know. Are you a horse breeder?
Joe Wynn:Yeah.
Justin Leapline:Exactly. But then the car came in and then, you know, we had mechanics and, you know, and repairmen and tow trucks and, you know, all that stuff and people actually making roads
Rick Yocum:Right.
Justin Leapline:You know, do the stuff. So I think it, you know, it it's always disruptive. It'll always change, you know, into that. And I think industries will disappear. Like, the bug bounty thing, I think it has a time limit.
Rick Yocum:Feels, you know Dead or dying.
Justin Leapline:Yeah. I mean, if you can get your AI agent and they're always getting better to look at your code, you know, into that, then
Rick Yocum:The economy's changed. Yeah. Why wouldn't I just use my own agents to scan
Justin Leapline:my the pen testing, you know, into that. While I still think AI isn't the spot to look at, like, human knowledge and business process knowledge into the pen test Right. They get pretty close, you know, into that. It's not getting worse. Yeah.
Justin Leapline:Exactly. So is there a point when we're gonna be changing our security standards to say, well, if you get AI to look at it, that's good as a pent up.
Rick Yocum:Well, again, which AIs? Is it a qualified AI?
Justin Leapline:Right? Yeah. Right.
Rick Yocum:I mean, honestly Yeah.
Joe Wynn:Well, one of the things one one of our team members at CISO, Sean, he was we do we just had a podcast episode released for the CISO side up. Mhmm. And he they were talking about AI and pen testing and things like that. He he had some go listen to it. I I won't do it justice Yeah.
Joe Wynn:Yeah. To give a high level overview. But he gave a good overview about how he's been a developer, understands how development works, understands how it all comes together. And over the years, he has, like, twenty years or so of experience going through and understanding how people work in this stuff. Mhmm.
Joe Wynn:And to be able to train an AI, how to think like a person exploiting a web application is something that we're just not seeing that yet. Right. And Yeah. Taking that human aspect. So maybe your your simple enterprise pen testing, like, can take that more junior layer.
Justin Leapline:Right.
Joe Wynn:I think that could be solved in the way you're talking about. But when you're getting to the more sophisticated, how am I gonna chain things together that need context that AI may not be able to get that context. And that's the that's where I
Justin Leapline:think that the valuable
Joe Wynn:piece will be.
Justin Leapline:Today. Mhmm. You know, type of thing. Tomorrow, I don't know. Yeah.
Justin Leapline:You know, type of thing.
Joe Wynn:You don't know.
Justin Leapline:Yeah. Yeah. It's it's changed that. Like, I I'm still thoroughly impressed. Like, eight months ago, like, we did not have the coding processes we did with AI that we did eight months ago.
Justin Leapline:Oh, for sure. Like, functional things, little things, fixing bugs, you know, but you couldn't say go create an app. Right. It would just do it.
Joe Wynn:Right. Now you can install a tool like Paperclip and let it just run and give it a give it a you're the board, you give it a CEO agent, and you tell the CEO agent what your goal is, and it will create and hire agents that will work within the context. And different agents, you can assign them different LLMs on the back end through API keys to which which to use based on whether this is a marketing agent, maybe it's a Claude thing that's better. Maybe it's a Right. Maybe it's a ChatGPT.
Justin Leapline:Yeah. Right. Codex or
Joe Wynn:Using Codex or something like that to be a better one. And and so now a whole company can be built by these agents. So I 100 agree with that.
Rick Yocum:Yeah. And I think to some extent, the magic that expert humans have in this space is like innovation, right?
Justin Leapline:Yeah.
Rick Yocum:Like, oh, this is just so crazy it might work type stuff. Right. Right? And so it's jazz, right? It's using all these patterns and putting them together in a slightly new way that's a little bit different with some predictable results to say, oh, yeah, this will probably work because no one's used Notepad plus this plus this in this very specific way, so I can exploit this.
Rick Yocum:The thing with AI, I think where it's gonna it's catching up quickly, but I think the biggest risk to innovation is, like, you don't need to innovate when you can permutate. Right? So AI can just run through every attack chain. It can just do every like, if you have the processing power in a little bit of time, you don't really need to innovate because you can try every option to some extent. Yeah.
Rick Yocum:And those Not every every forever.
Justin Leapline:But And those were our specific tax. I guess what I'm saying is, like, if there is a business requirement, you needed an invoice number in a certain format, you know, out, you know, into that before you could submit to the next screen
Rick Yocum:Yeah.
Justin Leapline:Or something like that. A human could recognize that where maybe an AI agent, you know Identify the context Yeah.
Rick Yocum:Exactly. And respond to it.
Justin Leapline:You know Yeah. Type of thing. Obviously, if it's telling you the format, it would get it, you know, type of thing.
Rick Yocum:Yeah. Yeah. Yeah.
Justin Leapline:But those are the type of things that just throwing attacks at it
Rick Yocum:No. Totally agree
Justin Leapline:with that.
Rick Yocum:Totally
Justin Leapline:agree. You don't know the business contacts to be able be able to, you know, look at that type of thing. Like, a a popular one, we actually I I was part of a company that we did a penthouse and caught it, but we had through the sales form in the form data, you could actually modify the total, you know, and actually put negative numbers, and we would honor that, you know, type of thing. Would an AI agent necessarily test that? Maybe maybe not, you know, type of thing.
Justin Leapline:That's more the business process end of, you know, submitting it and now I owe you for a product that you just bought.
Rick Yocum:But it comes back to context and training. Right? Yeah. Like, so at some point I mean, like, this has been happening in user behavioral analytics for a while from a security perspective. You go, oh, well, what's this person trying to do generally?
Rick Yocum:Mhmm. Right? You kind of figure that out you go, oh, they're this is like some personal browsing. Don't freak out unless unless it's like really dangerous or
Joe Wynn:Yeah.
Rick Yocum:Yeah. Oh, this is, you know
Joe Wynn:Oh, this is Roblox. Yeah. They're just Yeah.
Rick Yocum:They're just looking at Roblox scripts.
Justin Leapline:Yeah.
Rick Yocum:Yeah. But, right, the rules can shift a little depending on the context already. Right? And so, honestly, it's not that much of a logical leap to be like, hey, system doing the testing, identify what type of system you're testing based on these types of contextual clues. Oh, this looks like an ERP.
Rick Yocum:Oh, this looks like a CRM. Oh, this looks like an HRS or whatever.
Justin Leapline:Right.
Rick Yocum:And then you go, oh, okay. Well, now I'm gonna load into the context the typical risks or the what could go wrongs Right. With respect to that system. And now you have effectively an expert trying to break the system. So, like, I don't agree.
Rick Yocum:I I agree it's not there yet, but I don't think it's that far off. Yeah.
Joe Wynn:Yeah. It'll get there.
Justin Leapline:I mean, yeah. Like we said, it's only getting better every single day. So I think I mean, at the end of the day, at least as it exists today, talking with people, you know, afraid of everybody's afraid of the Skynet and losing all their jobs and everything. You just need to get good at using AI. You know?
Joe Wynn:I think I'm more afraid of Skynet than I am losing.
Justin Leapline:Yeah. Right. Yeah. I got some prep kits, and I got a good selection of bourbon, you know, in case it goes down. So
Joe Wynn:We got Sarah Connor. Don't worry.
Rick Yocum:Right. My my AI agent will automatically order me what I need if things go wrong.
Joe Wynn:Awesome. So before we hit our last topic, which I think is a good way to go from here, which is the state of vibe coded security, Do one, two yeah. Let's let's talk about the what we have here.
Justin Leapline:So alcohol time. So this is a distillery that we've all been to.
Rick Yocum:Mhmm.
Joe Wynn:That was a fun tour.
Justin Leapline:Yeah. So this is Peerless Distilling. Fun fact about this company here, they they stopped distilling for the longest time.
Rick Yocum:Yeah. They have like a very early DSP number. Under a 100.
Justin Leapline:Yeah. I'm actually wondering if it's on the bottle.
Rick Yocum:I feel like it is, but I can't remember where.
Justin Leapline:But they just started distilling about ten ten, fifteen years ago where they picked it back up. And, essentially, the owner with his two sons, I believe it is, they started it was in DSPK y 50.
Rick Yocum:50. Alright. Yeah.
Justin Leapline:Yep. So number 50 from Kentucky distilleries into that. And so they appealed to Kentucky to pull back their license number Right. Family and everything. And this guy, the story that we heard was he was a big shot executive, you know, had 2,000 people report to him.
Justin Leapline:He retired. He went down to Florida. He played golf for six months Right. And realized he's kinda bored. You know?
Justin Leapline:And he's like, we should really get back into distilling from a family perspective. And him and his two sons, you know, got on board and they created the company. A unique thing about Peerless is that most companies do a sour mash Right. Which is a lot easier to go from batch to batch. Sweet mash has and I don't know all the particulars, but obviously has more sugar into it, which is more susceptible to bacteria.
Rick Yocum:Spoilage or whatever.
Justin Leapline:Yeah. Exactly. In between getting stuff basically, like, growing in your batch, and you can, like, throw out entire batches because you don't clean it well. Whereas sour mash is more resilient to that. You could reuse some of the stuff without, like, doing a full clean.
Rick Yocum:Right.
Justin Leapline:But they decided to do sweet mash because they think it it tastes better, and it is delicious.
Joe Wynn:I think it tastes better.
Rick Yocum:It's really good.
Justin Leapline:And everything. And, yeah, we're we're big fans of Peerless.
Rick Yocum:Yeah. And this is their double oaked.
Justin Leapline:And this is their double oaked. So if you're not familiar with it, they take it out of their original barrel and then re age it into another one with that. And no water added, no chilled filter. I like to from a tasting note, obviously, oak, you get a lot of caramel and everything. I tasting it on the latter end of the taste, a lot of vanilla kind of vanilla.
Justin Leapline:You know, comes out at the latter taste of it, which is really good with it. So definitely look them up. They're not the well, we're in PA. Nothing's really easy. You know, into that.
Justin Leapline:But if you could find it, definitely do it. I'm into that. Yeah. Cheers, guys. Cheers.
Justin Leapline:Cheers.
Speaker 5:Quick break to hear from one of our sponsors. If you own security, compliance, or risk, and it feels like you're always pushing a boulder uphill, I want you to know about CISO. CISO helps growing companies get audit ready, reduce risk, and stay resilient without drowning in tools, endless checklists, or one time reports that quietly rot the moment the audit ends. This isn't shelfware. It's not drive by consulting.
Speaker 5:With CISO, you don't just get advice. You get hands on support from real security engineers, GRC specialists, and former CISOs who help you build, operate, and continuously improve your security program over time. Whether you're chasing SOC two, ISO 27,001, CMMC, HIPAA, or you're simply trying to get security under control so the business can move faster, CISO meets you where you are. Their managed VGRC model gives you enterprise level expertise without hiring a full internal team reinventing the wheel. The focus is simple.
Speaker 5:Clear priorities, practical controls, and measurable progress leadership can actually understand. Visit cisollc.com and start the conversation. Security you can trust, compliance you can prove, and people
Joe Wynn:you can depend on. Well, just cheers over your laptop.
Rick Yocum:Yeah. I was gonna say, I like their I was gonna make try and figure out a risk management joke.
Joe Wynn:That's right. My my my thought is it's better than falling out of the back of a car.
Justin Leapline:I don't know what you're talking about. Too soon? It's been months.
Joe Wynn:So well, the next article we had was in the same theme. This one was by securityscanner.dev, did a report on the state of vibe coded security. And looking at this, I I I kinda like the metrics. 4,783 AI assisted apps were scanned, and they turned up 727 critical and over 5,000 high severity issues with 7% of Lovable and Bolt apps exposing Zupa based databases publicly. Nice.
Joe Wynn:Yeah. And More convenient. Yeah. Yeah. And so the the point here is that after scanning all these things, you know, these common critical issues are are being found and databases are you know, real data is out there to be, you know, exposed.
Joe Wynn:And so if you look at, like, AI coding tools, sure, that's gotten better Yeah. But it's also lowering code quality. And so as you start thinking about that oh, there was a good quote I saw. Let me see if I can find it. And it was really just thinking about, you know, are you you know, how are you shipping code?
Joe Wynn:And are you vibe coding? Or are you vibe deploying is
Rick Yocum:Yeah. Yeah. I was gonna say, yeah. The problem isn't vibe coding. It's vibe deploying.
Joe Wynn:Right. Yeah. And so, you know, kinda thinking about that, what are you doing to make sure that all of this AI built code is actually quality enough to be putting out and deliver. So just something to, you know, think about what what do people do so that they're not just building this stuff with AI, but actually having it checked to make sure it's quality before it goes into production?
Justin Leapline:I mean, that's the question there. Yeah. Yeah. So yeah. And it's I mean, it goes into the gates you put into it.
Justin Leapline:But, I mean, you bring up good point that people that don't know a Lickit code or architecture or whatever it is, they say, I have a great idea for an app. Let's do this, you know, type of thing.
Rick Yocum:Yeah. It's WordPress. Yeah.
Justin Leapline:And so
Rick Yocum:The barriers to putting something on the Internet
Justin Leapline:Oh, now WordPress is probably more secure.
Rick Yocum:Well Which is phenomenal. There. Hooray. Predictions we wouldn't have made. No.
Rick Yocum:But, like, but that's you're exactly right. I I think the issue is exactly what you said. People that don't know anything about code like, you don't have to understand code to build code Mhmm. And deploy code. And, like, I I think of it like WordPress because it was kinda you don't have to understand websites to Right.
Rick Yocum:Put a website out there. Now, will it be secure?
Joe Wynn:Yeah. You don't you don't have to be a software engineer to get it done.
Rick Yocum:Right. Right.
Joe Wynn:And, you know, it basically creates a a a new class of small business breach risk. So, like, you got an idea? You go do it. But I was talking to somebody who actually did that, and they got a quote from a software developer for around a quarter million dollars to help build a piece of software. Yep.
Joe Wynn:Instead, they vibe coded it. Mhmm. They got it almost there. And then before exposing real stuff to it, they ended up having a less than $50,000 agreement with that same company Mhmm. In order to so, like, $52.50 down to 50 in order to get it over the finish line and put those checks in place and and do that.
Joe Wynn:So
Rick Yocum:But they were they were mindful enough to build themselves the gate. Yes. Okay.
Joe Wynn:Yeah. Yeah. And so not everybody does that, and then it ends up exposing data, and that's what this article did a good job of getting to.
Justin Leapline:I wonder if that 50 was even too expensive into that. So depending on what they did, I don't know, type of thing. Because, I mean, it's hard for me to actually say some of this stuff because, like, I understand basic architecture and concepts, you know, so I know, like, you know, when it's like, oh, yeah. I should give, you know, access to a service key, then I was like, okay. But who's authenticating?
Justin Leapline:Like, you know, if the if if you have the service key access, now you need to do a whole bunch of authorization. I don't prefer that, you know, type of thing. I read it like, there's a number of things I fought with AI. I was like, why don't I just have the user make the call and they're following their creds with them? Why do I if I do through a service call, you know, then I have to validate the user and I have to build that logic in, which could be prone to failure, you know, type of thing or change over time that I'm not aware of.
Justin Leapline:You know? So you know? And those are things that you have to be very cognizant of because Mhmm. That could be a lot of issues. And we have it's actually I I probably should try to optimize that at some point.
Justin Leapline:We have a whole bunch of, like, end to end and RLS testing that run for, like, ten minutes every pull request. Oh, yeah. And it just runs over thousands of tests, you know, of things we expect to happen or not happen, you know. So we test authentication between workspaces, all this stuff in a mock environment to say like, yeah, I expect that if I'm this user, I don't have access over to this user. You know?
Justin Leapline:And if that fails, then the the whole thing kinda collapses
Joe Wynn:Mhmm.
Justin Leapline:Into that. And, yeah, I I guess it comes down to I I like the speed of apps, but maybe security now won't be moving more to the service provider, like the lovable and all that stuff, you know, into that. Like, they're gonna have to build gates, you know, or include gates into it Yeah. As they're building. Because we're moving so fast and it happens every single time.
Justin Leapline:We move so fast and they're like, wait a minute. That's a little too fast. How would be do we do this a little bit more safely? Right. That type of thing.
Justin Leapline:You know?
Joe Wynn:Yeah. So check out that article because they list a bunch of good examples and talk a little bit about it. You know, I threw that
Justin Leapline:Say, coincidentally, today, actually, Anthropic released their security thing out to their enterprise users.
Rick Yocum:Oh, see. That's I I was thinking something like this. I how much at the heart of this, it feels like an education problem. Right? Because you have people that don't understand code necessarily instructing the AI to build some code for them.
Rick Yocum:Mhmm. And and I think about the predictive prompting thing. You know how if it's just in a general LLM, it's like, oh, next, would you like me to do this? Like, trying to predict how many people would it actually help if kind of the default approach after building some code is, next, would you like me to check this for security? Yeah.
Rick Yocum:Like, honestly, if it did that more by default for some of these people that know nothing about code, it would at least be another pass of stuff that's interesting. So it's interesting that you said Anthropic just released their did you say you said security thing?
Justin Leapline:Yeah. So security, I'm looking it up. I just saw it drop today.
Joe Wynn:And
Justin Leapline:I don't have enterprise license. I have the team license, so I wasn't able to play around with it for enterprise. Yeah. It's Claude for security. And is that different than the
Joe Wynn:one that the that they've released?
Justin Leapline:Security is now in public beta.
Rick Yocum:Because it's been trained specifically on a bunch of that stuff.
Justin Leapline:Yeah. It is not Mythos. Oh, okay.
Joe Wynn:That's what
Justin Leapline:I was wondering. Yeah. Yeah. No. It's not Mythos.
Justin Leapline:It's on their Opus 4.7 into this. But this is specifically if you remember, you know, everything runs so fast here. They announced this, like, a month or two ago, and a whole bunch of security vendor stock dropped.
Rick Yocum:That's
Justin Leapline:right. Because they're like, AI is gonna replace all security vendors and everything like that. I was like, oh, like
Rick Yocum:Oh, because it found whatever, like a gazillion vulnerabilities in, like, open source.
Justin Leapline:Yeah. And they're talking about, like, with cloud security, this will be basically be able to insert down a lot of different places looking for security issues all into that. Eventually, yeah, Mythos will come out and, you know, be also integrated, you know, into this. But, yeah, you'll be able to see, you know, basically, it'll find and fix security vulnerabilities, you know, when a lot of the code.
Joe Wynn:And and update on mythos, which will be old news to this, gets pushed out. But just recently, the White House is opposing Anthropics plan to expand access from the original, I think, about 50 or no, 20 or so top companies like AWS and others were were given access. And the White House Anthropic wanted to give access to another 70 companies, but, you know, the administration, the White House officials were pushing back on that because of national security claims.
Justin Leapline:So Mhmm. That's I mean, they have well, so I have a couple of thoughts on that. One, they kinda have a pissing match in between Endographic. Yeah. So that's one thing that I'm like, oh, okay.
Justin Leapline:Two, I I think it's more hype than real.
Rick Yocum:I was just gonna say, the marketing hype around the it's just too powerful. We can't let you we weren't even gonna sell you this car. Yeah. It's too fast and too fun to drive. Like, I don't know.
Rick Yocum:Yeah. Think there's a little bit
Justin Leapline:of that more onto that boat. Yeah. Yeah.
Joe Wynn:I I totally agree, but that's that was the latest news.
Rick Yocum:Yeah.
Justin Leapline:Yeah. So just I mean, they could they could claw it up, but, I mean, they stopped their contract. So how would they even have access to it to even say how dangerous it is, you know, type of thing. So, yeah, I I I have my hesitations on that. Yeah.
Rick Yocum:No. Slightly skeptical.
Joe Wynn:Yeah. I don't think the think the doesn't the White House have some access now to it? So I'm not quite sure.
Justin Leapline:But I don't know the I mean, from what I heard the federal government shut all anthrop they had, like, a month or two to get it all out and transition.
Rick Yocum:But even assuming that's true, it still feels very much like a game of whack
Justin Leapline:a mole.
Rick Yocum:Like, no, you can't give this to more companies. Well, okay. Why? Like in Yeah. And and I don't even need to know the why, but understand like this is a swimming against the tide moment.
Rick Yocum:Like, if the tide is this stuff's gonna get more and more powerful and additional models are gonna come out that are just as powerful, if not more powerful, then if you just need to buy yourself some time to do something about it defensively, like, okay. But
Justin Leapline:And I agree. Like, even presuming, let's say, this is the most dangerous Yeah. You know, AI model ever, you know, type of thing.
Rick Yocum:Tomorrow, there's gonna be one that's more dangerous.
Justin Leapline:Well, I guess to my point is Anthropic's doing this the right way. Like, like, they're handed out to big companies that have a lot of footprint with a lot of customer data behind it and say, run it on your stuff first and fix this stuff, you know, type of thing. And now they're opening up to another 70 companies, theoretically bigger companies that have a lot of data, a lot of footprint with customers, you know, that type of thing. So
Joe Wynn:Yeah. Let them find the let let them use a tool Yeah. To get the breaches that are gonna be found. And once this is out there and it's running, hopefully, it's not gonna find those those problems.
Rick Yocum:Yeah. I will acknowledge maybe some competition risks if you're like, yeah, let's give the biggest players in various spaces the most powerful things and not let anyone else have it.
Joe Wynn:I mean,
Justin Leapline:I There's some Fine.
Rick Yocum:But but your point but it just do I have a better way of releasing these things that are potentially dangerous?
Justin Leapline:Like, why do not? Like I said, presuming that initial assumption is correct. Yes. You know, type
Rick Yocum:of Yeah. Yeah. Yeah.
Justin Leapline:Yeah. You know, then what how are you gonna How else are
Rick Yocum:you gonna do it?
Justin Leapline:Roll or or just shoot in the head. You know, it's like, well, I guess we can never roll it out because it's just too dangerous. But that doesn't mean that it won't come out tomorrow.
Rick Yocum:That's right.
Justin Leapline:It just means our anthropic won't be the one with That's exactly. You know, type of thing. So, yeah, that's it.
Joe Wynn:So kinda wrapping that up then, you know, if you're gonna do vibe coding, you know, get that's great. Let's make sure you're also using AI to to run the test like you were talking about to, do some scanning, and and use a different agent to do that. So you can start to, basically, almost like if these agents were real people, you would have your engineer and you'd have your, security team
Justin Leapline:Yeah.
Joe Wynn:Running the scans.
Justin Leapline:Yep. Yeah. We do and it's a combination of everything. We have unit tests. We have RLS tests against a live production environment.
Justin Leapline:We use headless Chrome to actually go through it like a user, all that stuff. And then we have two AI agents that also look at the code base Yeah. You know, and what's changing and look at it from that perspective. So we have a whole bunch of static tests, AI tests, all that, and hopefully in combination. And I think also too, I think we need to get out of the mindset of we're gonna prevent everything from happening.
Justin Leapline:Like, I I think that's the wrong mindset everybody should have. It's we're gonna try to get all the big stuff, you know, with this, but we should always be prepared to respond to something Yeah. You know, into that. I mean, you look at this Vercel breach, you know, something that, you know, they even didn't prioritize or didn't foresee, you know, as being an issue. Whatever it may be, you know, type of things like an issue happens, you have to respond.
Justin Leapline:You have to deal with it. You've gotta solve it and then get past it, you know, type of thing. That's what most cost customers expect, you know, and not to be totally dumb about it.
Joe Wynn:Right. So you're saying get back to the basics.
Justin Leapline:Yeah.
Joe Wynn:I mean, we say that almost every episode. And make sure you have your response processes because things are gonna go wrong.
Rick Yocum:Yeah. When I understand the risk of the things that can go wrong or at least think about it a little bit. Like, there's a difference between never leaving your house because you're afraid you're gonna get hit by a car and looking both ways before you cross the street.
Justin Leapline:Put your seat belt on and all that. Yeah. That that's the thing where Oh. Yeah. Do you have go ahead.
Joe Wynn:I was gonna say what's happening now is that you walk out of your house and the black swan event happens. Problem is is that there's a new black swan event, so they're not really black swan events anymore. And so you walk out of your house and instead of you getting hit by a car, an airplane falls on you. Right. You know, like, is that gonna happen?
Joe Wynn:Probably not until it does, and then there it is.
Rick Yocum:Yeah. Yeah. But but you do I to your point though, you the answer is just it's the answer cannot be don't do anything. Right. And I think if if it's vibe coding and going fast and all that stuff is the new way of things, alright.
Rick Yocum:Well, I guess you need to do some vibe security
Joe Wynn:Right.
Rick Yocum:Paired with some actual thinking about what architecture and risk looks like.
Justin Leapline:Right. Yeah. I think, I mean, this year and probably next year, still into this, security will be spending a lot on AI. You know? I think we're from a security industry, there there are still so much gaps that people don't realize what you can do with AI within a lot of the tooling.
Justin Leapline:We're either getting it straight from a vendor like, we've integrated AI and now we can charge you more, you know, type of thing. It's like, alright. You know?
Rick Yocum:It searches our documentation for the answer. You can
Justin Leapline:implement yourself. Exactly. You know? But there are so much stuff that you can actually integrate natively or with some tooling and scripting you can do yourself. Like, the whole there's a lot of things being shifted.
Justin Leapline:Like, I I was thinking about the other day, you know, the build it, buy it, you know Yeah. Predicate where, like it was like, oh, yeah. It's almost never worth building it because then I have to maintain everything in that. Like, that that's almost destroyed now. You know?
Justin Leapline:Yeah. Like Yeah. Like, now I can build it within thirty minutes, you know, an hour, and maintaining it is another thirty minutes or an hour conversation with AI, like
Joe Wynn:Yeah. I was listening to a podcast. I forget the name off the top of my head, but it was they were talking about they wanted to see what it would be like to build Microsoft Teams. So they just told their agents to build a replica of Microsoft Teams, and then they had an in house version of a video conferencing system that they use. And that they did that in a less than a day.
Rick Yocum:That's pretty wild.
Joe Wynn:And then they kept using it for testing and they were doing their podcast use. They they forgot they weren't using Microsoft Teams at one point, they said.
Justin Leapline:That's funny. Yeah. So if
Rick Yocum:you and then you and then if you want a feature, you just ask for that feature. That's pretty wild.
Justin Leapline:Funny enough, a story related to that, a company is suing another company because they vibe coded a copy of their application. Like, didn't steal the code, didn't do anything, but they basically vibe coded after them and, like, oh, you took our you took our app. And I'm like, we we coded it. I'm like, what are you talking about?
Joe Wynn:Yeah. We made it ourselves.
Justin Leapline:I I'm I'm not this obviously just got entered. No decision or anything out of that, but it was it made the headlines of, company got sued for vibe coding, another company.
Joe Wynn:You know? Oh, yeah. I gotta look that up. Yeah. Put that in the notes.
Justin Leapline:Yeah. I'll put it in the notes. It's where was it? Here it is. Right here.
Justin Leapline:Awesome name home appraisal software company sue Silicon Valley rival. True footage claims San Francisco startup Automax AI faked MLS kind of vibe coded a copy of its product.
Joe Wynn:Wow. Impressive.
Rick Yocum:I so a gazillion years ago when I worked at Del Monte, one of the things that blew my mind was when some of the executives were telling me about how consumer product goods work. And when you're in like the canned food industry for instance, as soon as you make a change to the shape of your cans or the content of the cans or whatever, like and it's been this way for years. It's like whatever, a dozen years ago or more. They were like, yeah, as soon as it hits the shelves, it's basically reverse engineered in a week. And in two more weeks, there's a factory typically overseas that can do the same thing.
Rick Yocum:And so, again, like, what's nothing new under the sun kind of.
Joe Wynn:Right.
Rick Yocum:Right? There's physical analogies for this kind of stuff where it's like, well, you put it in the public and you made it for sale. And so and, you know, IP gets a little funny because Right. You can't just copy and paste a can of corn. But the designs for it, the models for it, whatever, someone can just buy what you did and figure out how to do it.
Rick Yocum:Right.
Justin Leapline:And put it into an unfriendly country that there is no, like
Rick Yocum:Yeah.
Joe Wynn:You don't have the legal recourse.
Rick Yocum:Yeah. Exactly. So, I mean, we're just gonna see this more and more from Yeah.
Joe Wynn:That's that's very interesting. Oh, Google gotta follow that.
Justin Leapline:And and that's a thing, like, a lot of the entrepreneurs I follow in anymore. It's not about the actual app anymore. That's like a competitive advantage. It's about distribution, marketing
Rick Yocum:100%.
Justin Leapline:All that stuff. Like, getting it out to the users Yeah. Is actually more important than the app itself.
Rick Yocum:Well and I wonder if I, like, zoom way out and I think about geopolitical instability and a lot of countries that have what they call, like, in country value contracts or things that say like, oh, you wanna do business in our country, you have to spend at least 40% of the tech budget for these things on people that are local or Yeah. Yeah. Places that are local. I wonder how much we'll see a I don't know what to call this, deglobalization in a way because you could say, well, you could spend the money with this overseas software shop or you could spend the same money or similar money or whatever with this in country software shop that just vibe coded the exact same
Justin Leapline:application. And then just copy and go.
Rick Yocum:Yeah. So then infrastructure becomes the limiting factor,
Justin Leapline:I guess.
Rick Yocum:Right?
Justin Leapline:That's why all the data centers are blowing up. So Yeah.
Joe Wynn:Yeah. Well, this was good. Yeah. It was fun. Conversation.
Justin Leapline:Anything else? I think we're at a good time. I think we're good. Yeah. Alright.
Rick Yocum:It was fun. Two years. Two years, guys.
Justin Leapline:Yeah. Alright, everyone. Thank you for joining us as always for episode 24. Don't forget to like, comment, and subscribe. We definitely need to bump up those numbers so we can gloat about it on year three and see how it's all, you know, doubled, tripled in size, hint, hint, you know, into that.
Justin Leapline:But thank you everybody for joining, and join us next month. Bye. Cheers.
