Supply Chain Warfare: CI/CD Threats and Open Source Security with François Proulx
In this episode of the Security Repo Podcast, François Proulx, VP of Security Research at Boost Security, discusses the evolving threats in software supply chain security, particularly focusing on attacks targeting CI/CD pipelines. He explains how open source tools like "Poutine" are being used both defensively and offensively in the ongoing battle to secure build systems. François also shares his journey into security, lessons from working at Intel, and practical advice on dependency pinning, short-lived credentials, and password best practices.
https://www.linkedin.com/in/francoisp/
https://boostsecurity.io/blog/unveiling-poutine-an-open-source-build-pipelines-security-scanner
[https://nsec.io /](https://nsec.io/)
François is VP of Security Research at BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for large corporations (such as Intel) and small startups he has been in the heat of the action as the DevSecOps movement took shape. François is one of founders of NorthSec and was a challenge designer for the NorthSec CTF.
In this episode of the Security Repo Podcast, we welcome Srajan Gupta, a security engineer exploring the evolving security implications of Model Context Protocol (MCP) servers. Shrojan breaks down how MCPs act as AI connectors to external systems and the alarming rise in attack surfaces, including tool squatting and indirect prompt injections. The conversation dives into emerging threats, authorization challenges, and how securing MCPs mirrors early API and cloud security lessons.
Srajan Gupta is a security engineer and builder focused on uncovering how systems fail — not just through vulnerabilities, but through the architecture itself. With a background in application security, platform engineering, and threat modeling, Srajan works at the intersection of usability and risk, helping teams identify and address design-level security flaws before they become incidents.
Srajan is passionate about building practical security tools, automating guardrails, and making threat modeling an everyday engineering skill.
Blog - https://srajangupta.substack.com/
BSides LV talk - https://www.youtube.com/watch?v=Wld0VVRMN4c&t=21977s
https://www.linkedin.com/in/srajan-gupta/
Their research often explores trust boundaries, secure defaults, and the hidden assumptions baked into the applications and infrastructure. They are especially interested in how attackers exploit the gray areas between platforms, automation, and access controls — and how defenders can close those gaps without slowing down delivery.
In this episode of the Security Repo Podcast, we sit down with Matt Torbin to explore his inspiring journey from jazz musician to cybersecurity advocate and leader. We dive deep into the origins and impact of Day of Shecurity, a one-day conference aimed at increasing representation and mentorship for women and non-binary individuals in infosec. Matt also shares innovative ideas around fixing the broken technical interview process, mentorship, and his passion for building inclusive, opportunity-rich communities in cybersecurity.Day of Shecurity:https://securediversity.org/dos/Matt's talk from BSidesLV: “Your Interview Game is Weak: Gamifying Technical Interviews through Role-Playing” https://www.youtube.com/watch?v=3Ih-ul9qe3E&t=14985sLearn more about Fabric: https://github.com/danielmiessler/fabricMatt Torbin has been a driving force in secure software development for over 20 years, influencing all aspects of the software development lifecycle. He began his career as a full-stack engineer with a focus on UI/UX, creating user experiences for renowned brands including the Philadelphia Inquirer, Anthropologie, and VEVO, engaging millions of users.In the last several years, Matt has shifted his focus to information security. In his current role as the Manager of Application Security at Quanata, he collaborates closely with product and engineering teams to advance product security best practices and deliver comprehensive security training. His industry contributions span public speaking, authorship, and community involvement. He has presented at conferences such as DEF CON, BSidesLV, and Day of Shecurity (DoS), authored privacy articles for 2600 Magazine: The Hacker Quarterly, and held key volunteer roles in initiatives including the Packet Hacking Village, Day of Shecurity, and BSidesSF. Among his achievements, he co-founded the DoS conference, realizing his vision for a more inclusive event.Outside of work, Matt mentors emerging professionals in the DoS community. A passionate skateboarder and longboarder, he often spends time with his son at skate parks throughout the San Francisco Bay Area.
In this episode of the Security Repo Podcast, we chat with Alyssa Miles, a product marketing leader at CyberArk, about building authentic developer communities in the security space. She shares her journey from agency marketing to driving developer engagement, along with insights from Hacker Summer Camp and strategies for enabling community-driven identity tooling. Alyssa also discusses how to shift from traditional marketing to true enablement and why "thinking like a hacker" is key to building impactful security communities.https://lp.cyberark.com/20251110-cyberark-workload-identity-day-zero-atlanta-registration.htmlhttps://www.linkedin.com/in/alyssanoellemiles/https://infocondb.org/con/def-con/def-con-33/thinking-like-a-hacker-in-the-age-of-aiAlyssa is a product marketing leader passionate about making security easy for developers. At CyberArk, she drives developer experience initiatives that help platform engineers, DevOps teams, and cloud security pros adopt identity tools that fit naturally into their workflows. She also leads efforts to grow and engage CyberArk’s developer community. When she's not working, she's probably driving her ten-year-old daughter to ballet or hanging out at a brewery.
In this episode of the Security Repo Podcast, Aria Langer returns to share deep insights from her work in privileged access management and the challenges of implementing security controls without alienating coworkers. She and Dwayne dive into the often-overlooked importance of empathy in cybersecurity, exploring how human connection can make security efforts more effective. The conversation touches on the cultural shifts needed in security teams, how storytelling can foster understanding, and the risks of relying too heavily on tools like AI without understanding their underlying mechanics.
What you need to know about AriaDear is that she’s a Security Engineer by day, DuckBurg resident by night!
Been working in SecOps for almost 5 years, specializing in Privilege Access Management
Have spoken at BlueTeamCon, ChibrrCon and the Defcon Furs village on that topic.
In this episode of the Security Repo Podcast, we chat with Jake Hildreth, Principal Security Consultant at Semperis, about the enduring challenges of securing Active Directory in a hybrid cloud world. Jake shares war stories from the field, including dangerously misconfigured environments and the real-world impacts of legacy systems. We also explore practical advice for defenders, including the critical importance of identifying and protecting Tier Zero assets.https://linktr.ee/jakehildrethhttps://www.linkedin.com/in/jakehildreth/Jake Hildreth is a dedicated husband, fun-loving father, and seasoned IT professional with nearly 25 years of experience. As Principal Security Consultant at Semperis, Jake helps organizations fortify their digital defenses against Active Directory incursions. His open-source tools (Locksmith, BlueTuxedo, and PowerPUG!) are designed to lighten the load for overworked AD administrators by making security more accessible and manageable. Jake’s expertise is further underscored by his CISSP certification and Microsoft MVP status, which serve as testaments to his wide base of knowledge and commitment to cybersecurity excellence.
In this episode of the Security Repo Podcast, Andre Van Klaveren talks about his decades-long journey through IT, software development, and application security, culminating in the reboot of the OWASP St. Louis chapter. They discuss the history and importance of OWASP, community building in a post-pandemic world, and how risk-based thinking and strong fundamentals drive effective security practices. Andre also shares practical advice for anyone curious about joining a security meetup and the significance of influencing positive change within teams.https://owasp.org/www-chapter-saint-louis/We organize our meetups on Meetup.com:https://www.meetup.com/owasp-saint-louis-chapter/https://www.linkedin.com/in/andrevanklaveren/Andre is a seasoned technologist who has spent more than 30 years in the trenches of IT, software development, and architecture. For the past 15 years, he's been laser-focused on application security - finding and fixing the vulnerabilities before they become problems. He’s passionate about building secure software and loves connecting with others in the security community to share ideas.Outside of work, Andre has what his wife calls 'way too many hobbies,' but you can usually find him either tinkering with a new IoT project, talking on his ham radio, or getting lost in the great outdoors.
In this episode of the Security Repo Podcast, Jenn Gile shares insights from her hands-on security education at DEF CON's AppSec Village, where she ran a wildly successful lottery-style dependency upgrade game. She discusses the challenges developers face with remediation, the importance of empathy in AppSec, and how gamified, tangible learning experiences can bridge gaps between dev and security teams. The episode also explores how community engagement and inclusive learning can strengthen security culture.https://www.linkedin.com/in/jenngile/Jenn Gile is a tech educator and community builder with experience in AppSec, DevOps, and national security spaces. She’s a frequent speaker at security meetups and conferences, a prolific writer, and is the host of LeanAppSec - a free educational program that helps AppSec professionals be more effective without getting bigger budgets. Jenn is currently Head of Community at Endor Labs, and previously worked at F5, NGINX, and the U.S. Department of State. Outside of work, Jenn is deeply involved in the cycling community as a board member for 2nd Cycle.
In this episode of the Security Repo Podcast, Narayan Ram Narayanan shares his journey into cybersecurity, sparked by a personal data breach and fueled by a passion for privacy and secure development. He discusses his upcoming talk on threat modeling OpenSSL applications using STRIDE and other threat models, and highlights the value of volunteering and networking at events like BSides. The conversation also explores lessons from past mistakes, favorite security tools, and advice for newcomers in the field.Links mentioned in this episodehttps://nixos.org/guides/nix-pills/10-developing-with-nix-shell.htmlhttps://asciinema.org/https://www.linkedin.com/in/n2r/Narayan Ram Narayanan is passionate about Linux, cryptography, and secure SDLC. He loves digging into code, threat modeling, and breaking things (responsibly). Whether it’s hardening apps or decoding exploits. He’s all about making software safer - one commit at a time.
In this episode of the Security Repo Podcast, Sean Juroviesky joins us to share their journey through cybersecurity, from finding community in BurbSec to giving talks at major conferences like DEF CON and BlueTeamCon. Sean dives deep into the realities of risk management, executive sign-off processes, and the critical importance of understanding business impact. The conversation also touches on the necessity of building cross-functional relationships and documenting everything to make informed, actionable security decisions.https://burbsec.com/Sean Juroviesky is a dedicated cybersecurity, risk management, and privacy advocate, speaking on those topics at conferences across the world, including DEF CON, CypherCon, CornCon, BSides Rochester, SecretCon, Sec-T, and more. Sean also acts as a cybersecurity architect for a large music streaming provider. Beyond their professional pursuits, Sean finds joy in backpacking through the mountains with their adventurous Australian Shepherd, partner, and twins, embracing the serenity of nature and the thrill of exploration.
In this episode of the Security Repo Podcast, Dwayne McDaniel and Sankalp Kumar dive into the world of deepfakes, how they are created using transformer models and GANs, and the real-world scams they enable. They discuss current detection techniques, including physiological analysis, iris scanning, and PKI-based authentication. Sankalp also shares actionable advice for security teams to adopt existing tools and prepare for the evolving deepfake threat landscape.
With over 7 years of experience working with industry giants like McAfee, Juniper, and Fraunhofer, Sankalp Kumar has consistently been at the forefront of security innovation. He has expertise in building software systems that do intrusion detection and was one of the lead engineers in building McAfee’s IPS. Today, Sankalp leads efforts for scaling, improving network software stacks, and securing software systems.
Further reading for the audience:
(1) News article for deep fake scams:
DOJ's probe into Doppelganger: https://www.justice.gov/archives/opa/pr/justice-department-disrupts-covert-russian-government-sponsored-foreign-malign-influence
Deepfake CFO scam: https://www.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html
(2) Some tools for further understanding the detection of deep fakes:
Darpa MediFor: https://www.darpa.mil/research/programs/media-forensics
Microsoft Video Authentication: https://blogs.microsoft.com/on-the-issues/2020/09/01/disinformation-deepfakes-newsguard-video-authenticator/
In this episode of the Security Repo Podcast, we’re joined by Matt Gracie, a seasoned blue team expert and senior engineer at Security Onion Solutions. Matt dives deep into the architecture and practical deployment of Security Onion, a powerful open-source enterprise security monitoring tool. He also shares insights from his role as a cybersecurity educator, reflecting on how generational shifts are changing the way students learn and approach security.https://securityonionsolutions.com/Matthew Gracie is a defensive security specialist with fifteen years of Blue Team experience in higher education, manufacturing, financial services, and healthcare. He is currently a Senior Engineer on the professional services team at Security Onion Solutions, as well as an adjunct professor of Cybersecurity in the graduate school at Canisius University. Matt is also the lead organizer of Infosec 716, a monthly meetup for security enthusiasts in Western New York, and the BSides Buffalo technology conference. He enjoys good beer, mountain bikes, open source security tools, and college hockey, and can be found on Bluesky as @InfosecGoon.
In this episode of the Security Repo Podcast, software engineer and newly minted CISSP Matt Olmsted joins us to explore cryptographic fundamentals and why understanding them matters for anyone in security. From explaining symmetric vs. asymmetric encryption to the real-world implications of side-channel attacks, Matt delivers practical insights for blue teamers and developers alike. Plus, we dive into his journey in InfoSec, his unique use of podcasting tech to distribute ocarina music, and even enjoy a live performance to close the show.https://mattthetall.site/https://www.linkedin.com/in/matthew-olmsted/Matt Olmsted has worked professionally in software engineering for over a decade, and been interested in infosec his entire career. In 2024 he decided to go for the CISSP as his first infosec cert and passed the exam at the minimum number of questions after only studying two weeks. He's something of a polymath and renaissance man, the latter in both a literal and figurative sense.
In this episode of the Security Repo Podcast, Johnny Xmas shares the grassroots story and philosophy behind BurbSec, a unique InfoSec meetup network focused on genuine community and consistent in-person engagement. He dives into the evolution from IRC to Discord, detailing how digital platforms have helped expand and sustain their hyperlocal connections. Johnny also discusses the broader social impacts of tech culture, the value of assuming breach in security strategy, and the dangers of oversimplified advice like "just patch your stuff."https://burbsec.com/https://www.linkedin.com/in/johnnyxmas/Johnny Xmas, a prominent figure in the Information Security community since 2002, has been a dedicated contributor to public forums, sharing his extensive research and knowledge. Most notably recognized for being the showrunner of the BurbSec Infosec Meetup Network, his pivotal role in exposing the American TSA Master Key leaks (2014-2018), uncovering Venmo stalking vulnerabilities (2018), and being an overall nuisance. Currently, he is the Global Head of Offensive Security for a Fortune 200 food manufacturing company. Before that, he spent many years in the field as a penetration tester, security engineer for a global Fortune 500 corporation, and Mainframe auditor and Systems Engineer for several IT asset recovery firms.
In this episode of the Security Repo Podcast, we meet Christian Pinkston, a cybersecurity student and car culture enthusiast who's become a recognizable figure in the hacker community. Christian shares his unique journey into cybersecurity—from early experiments with hacking tools to volunteering at major conferences and running mesh networks with Meshtastic and LoRa. He also offers insightful advice on how to get involved in security through local meetups, hands-on projects, and staying curious.
https://www.meetup.com/oc2600/
https://www.irvineunderground.org/
Christian Pinkston aka “Itz.Ghriz” is a niche internet personality blending cybersecurity, car culture, and humor across platforms like Instagram, Threads, and YouTube.a self-described "Local Hacking Legend and General Sex Icon." His profile indicates he's a cybersecurity student and car enthusiast, with a flair for humor and a strong online persona.
In this episode of the Security Repo Podcast, we sit down with Matt Glaman, a veteran developer in the Drupal community, to explore the role of static code analysis in maintaining secure, performant, and upgrade-ready PHP applications. We dive into tools like PHPStan and DrupalCheck, and how they help identify deprecations and prevent security risks. Matt also shares insights on mentoring in open source, the impact of AI on contributions, and lessons from surviving Drupalgeddon.https://mglaman.dev/https://bsky.app/profile/mglaman.bsky.socialhttps://www.drupal.org/node/3343181Matt Glaman is an experienced software engineer and a prominent member of the Drupal community. With over a decade of experience in web development, he has gained a wealth of knowledge and expertise in the field. He is the author of several books, including "Drupal 8 Development Cookbook" and "Drupal 10 Development Cookbook," which provide a comprehensive guide to building and customizing Drupal sites.As an active member of the Drupal community, Matt is dedicated to sharing his knowledge and expertise with others. He regularly contributes to Drupal projects and is passionate about helping others develop their skills and become more proficient in Drupal development.
In this episode of the Security Repo Podcast, Manoj Viswanathan shares his unconventional journey into cybersecurity, from a personal phishing incident to mastering Capture The Flag (CTF) competitions and interning at Toshiba. The conversation dives deep into the community-driven value of groups like BurbSec, the practical benefits of hands-on experience over certifications, and the evolving path from student to professional. Manoj also offers candid reflections on the importance of mentorship, curiosity, and perseverance for those entering the field.https://www.linkedin.com/in/manojvisw/https://burbsec.com/https://chibrrcon.com/Manoj is a recent cybersecurity graduate from Illinois Institute of Technology, where he gained hands-on experience as a Product Security Intern at Toshiba Global Commerce Solutions.Passionate about staying ahead in the ever-evolving cybersecurity landscape, Manoj is an avid attendee of security conferences, finding them an excellent resource for keeping up-to-date with the latest trends and advancements.
In this episode of the Security Repo Podcast, we dive deep into the evolving role of DevSecOps with Nivathan Athiganoor Somasundharam, a technical account manager at Teleport. He shares his journey from cloud engineering to becoming a DevSecOps practitioner, emphasizing proactive security, the elimination of secrets, and the future of identity-based infrastructure access. We also explore how AI can enhance DevSecOps practices and the cultural shift needed to embed security across development and operations.https://www.linkedin.com/in/nivathan/https://goteleport.com/Nivathan Athiganoor Somasundharam is a technical account manager at Gravitational Inc. DBA Teleport. He specializes in Zero-Trust implementation, identity security, and DevSecOps. He has a unique blend of experience in the cloud, working on Hyperscalers like AWS, GCP, Azure, and Security for them, which makes him an actual DevSecOps Practitioner. An active contributor to the cybersecurity community, Somasundharam shares his expertise through blogs, webinars, and conferences focused on cloud infrastructure security. He is also a key contributor to the open-source VMware Carbon Black Harbor Adapter project. Beyond that, Nivathan enjoys cooking and snowboarding on the slopes.
In this episode of the Security Repo Podcast, Andy Dennis, VP at Modus Create, joins Dwayne McDaniel to unpack what "shifting left" really means for security and engineering teams. They explore the impact of hands-on security training at B-Sides events, the concept of developer toil, and the role AI tools like GitHub Copilot AutoFix are starting to play in secure coding workflows. Andy also shares candid advice for aspiring security engineers and insights on measuring the true value of AI in developer environments.https://docs.horusec.io/docs/overview/moduscreate.comhttps://www.linkedin.com/in/andy-d-b43a17b/Andy Dennis is VP of the Platform and Cloud Practice at Modus Create, a Digital Transformation consulting agency. He is responsible for overseeing engineering teams across Cybersecurity, Cloud/DevOps, Build Systems, Functional Programming and Tooling.Andy has 22+ years experience in the technology industry and has worked in the UK, Canada and US. He’s had 5 books published on a variety of topics including IoT and the Raspberry Pi and spoken at multiple events around the country. Previously Andy tutored undergraduates at Goldsmith’s College, University of London’s online degree program and is currently studying with HEC in Paris.
In this episode of the Security Repo Podcast, we sit down with Rebekah Skeete, COO of BlackGirlsHack, to explore how her organization is increasing diversity and accessibility in cybersecurity through hands-on training, mentorship, and inclusive community building. Rebekah shares the origin story of BlackGirlsHack, their evolving programs including SquadCon and Friday Night Labs, and the core values driving their mission. https://www.blackgirlshack.org/https://squadcon.me/https://www.linkedin.com/in/rebekah-skeete-01270192/Rebekah Skeete is a dynamic and accomplished leader in the technology and cybersecurity space, bringing a wealth of expertise and passion to her multifaceted career. As the Chief Operating Officer at BlackGirlsHack, Rebekah plays a pivotal role in empowering underrepresented groups in cybersecurity by fostering education, mentorship, and career development opportunities. Her dedication to diversity and inclusion has made her a trailblazer and a mentor to aspiring tech professionals worldwide.In addition to her COO role, Rebekah served as a Senior Security Engineer, leveraging her deep technical knowledge to design, implement, and manage robust security solutions that protect organizations from ever-evolving cyber threats. Her technical prowess is matched by her ability to communicate complex concepts to diverse audiences, which has positioned her as a sought-after speaker and podcaster. She shares insights on topics ranging from cybersecurity trends to personal growth, inspiring others to excel in their careers.Rebekah's creative talents also extend to the arts as a voice-over artist, where her engaging and versatile voice brings stories and brands to life. Her ability to connect with audiences in a variety of formats reflects her broad skill set and unique perspective.A recipient of the prestigious 2024 Dallas Business Journal 40 Under 40 award, Rebekah has been recognized for her exceptional leadership, innovation, and impact within her industry and community. Her commitment to excellence and advocacy for diversity make her a beacon of inspiration for the next generation of leaders in technology and beyond.
