Cybersecurity Today

AI-Powered AppSec, OWASP Origins, and Anthropic's "Mythos" Model: Jeff Williams on What Changes Next
Cybersecurity Today  would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale.  You can find them at Meter.com/cst
Jim hosts Jeff Williams (Contrast Security co-founder/CTO and former OWASP global chair) for a wide-ranging discussion that begins with Anthropic's new "Mythos" model, described as powerful for finding zero-day vulnerabilities, and expands into how AppSec must evolve. Williams explains Contrast's runtime instrumentation approach, recounts OWASP's early days, the creation of WebGoat and the OWASP Top 10, and notes that many common vulnerabilities persist despite years of maturity models. They debate open source versus commercial security scrutiny, the likely high cost and scalability limits of advanced AI vulnerability discovery, and why finding more bugs matters only if remediation improves too. Williams argues for AI-powered "software factories" with feedback loops, assurance evidence, and runtime monitoring, and flags the EU Product Liability Directive treating software as a product with no-fault liability for security defects, including those from embedded open source.
00:00 AppSec Stuck in Ruts
00:42 Show Intro and Sponsor
01:40 What Contrast Security Does
02:35 OWASP Origins and WebGoat
04:33 Why the Top 10 Persists
06:28 Mythos Model Overview
08:05 Open Source Scrutiny Myth
11:31 Cost and Adoption Barriers
15:04 Finding vs Fixing Bugs
15:55 AI Code Quality Reality
17:46 AI Powered Software Factory
23:11 Building with AI in Practice
25:18 AppSec Metrics and New Approaches
26:42 Staying Optimistic as a CISO
28:00 EU Product Liability Shift
32:13 Bug Bounties in an AI World
34:06 Wrap Up and Outro

Fortinet EMS Zero-Day Exploited, Anthropic's AI Finds Thousands of Bugs, and Iranian Hackers Target US ICS
Cybersecurity Today  would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale.  You can find them at Meter.com/cst
Host David Shipley reports Fortinet issued emergency hotfixes for a new actively exploited FortiClient EMS unauthenticated RCE zero-day (CVE-2026-35616) affecting 7.4.0.5/7.4.0.6, with over 2,000 exposed instances online and a full fix coming in 7.4.0.7. Anthropic says its Claude "Mythos" model (Project Glasswing) has found thousands of high-severity zero days and demonstrated advanced exploit chaining and sandbox escape, but will not be released publicly; it is being used with major partners and funded with up to $100M in credits plus $4M for open-source security. A postmortem details a North Korea–linked social-engineering supply-chain breach of Axios on NPM, part of a broader campaign spreading 1,700+ malicious packages across multiple ecosystems. US agencies warn Iranian-linked hackers are targeting Rockwell/Allen-Bradley PLCs in critical infrastructure. The White House proposes a $707M cut to CISA, reducing staffing while preserving $1.4B for core cybersecurity.
00:00 Headlines and Sponsor
00:55 Fortinet EMS Zero Day
03:21 AI Finds Zero Days
05:56 Axios Supply Chain Breach
08:02 North Korea Package Campaign
10:13 Iran Targets Industrial Control
12:22 CISA Budget Cuts Debate
14:05 Wrap Up and Thanks
14:59 Sponsor Message Meter

Host David Shiple covers major cybersecurity news: investigators attribute a record $285 million April 1 hack of crypto platform Drift Protocol to North Korea, describing a three-week setup involving a fake "Carbon Vote Token," wash trading to inflate value, social engineering to pre-approve backdoored transactions, Drift's removal of a timelock, and rapid collateralized withdrawals that crashed Drift's token and are now tracked by TRM Labs; the report notes North Korea's 2025 crypto theft total of $2.5B and lifetime total surpassing $7B after this incident, alongside mention of a North Korea-linked supply-chain compromise of the widely used Axios package. Stryker Medical says it has fully recovered from a March 11 Iran-linked wiper attack that used a compromised admin account and Microsoft Intune, prompting Microsoft guidance on multi-admin approval for wipes. The FBI labels a suspected China-linked breach of a U.S. surveillance system a "major incident," likening it to the 2024 Salt Typhoon campaign, while Sen. Mark Warner cites staffing cuts and leadership turmoil at CISA. TechCrunch reports embattled compliance startup Delve faces new claims it repackaged an open-source tool (Sim Studio) as its own "Pathways," as Delve denies broader fraud allegations, says it was targeted by a malicious actor, and Y Combinator cuts ties.
Cybersecurity Today  would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale.  You can find them at Meter.com/cst
00:00 Headlines And Sponsor
00:54 North Korea Crypto Heist
01:16 How The Drift Hack Worked
03:20 Bigger DPRK Crypto Trend
04:24 Stryker Wiper Recovery
06:39 China Breach Major Incident
08:38 Policy And Staffing Fallout
09:37 Delve Startup In Crisis
10:29 Stolen Software Allegations
13:12 Delve Fights Back YC Cuts Ties
14:35 Wrap Up And Thanks
15:12 Sponsor Message Meter
00:00 Headlines And Sponsor
00:54 North Korea Crypto Heist
01:16 How The Drift Hack Worked
03:20 Bigger DPRK Crypto Trend
04:24 Stryker Wiper Recovery
06:39 China Breach Major Incident
08:38 Policy And Staffing Fallout
09:37 Delve Startup In Crisis
10:29 Stolen Software Allegations
13:12 Delve Fights Back YC Cuts Ties
14:35 Wrap Up And Thanks
15:12 Sponsor Message Meter

EV Charging Infrastructure Security: How Hackers Could Disrupt Chargers, Networks, and the Grid
Cybersecurity Today  would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale.  You can find them at Meter.com/cst
In this holiday weekend edition of Cybersecurity Today, Jim Love introduces David Shipley's interview with Steve Visconti, CEO of Xiid Corporation, about cybersecurity risks in electric vehicle (EV) charging infrastructure. Visconti explains Xiid's software-based security layer for IP networks, aimed at critical infrastructure across enterprise, public sector, and DOD environments, and its growing focus on OT/IoT such as EV charging systems. The discussion highlights how EV chargers connect vehicles, homes, back-office billing/control systems, cloud services, and potentially vehicle-to-grid power flows, creating large-scale attack surfaces that could enable disruption, DDoS activity, or broader grid instability. Visconti argues for "unreachability" architectures that close ports and remove static exposure while allowing only registered users and machine-to-machine access. The interview also touches on concerns about vulnerabilities leading to fires, supply-chain risks, and policy debates such as government-accessible vehicle kill switches.
00:00 Holiday Weekend Intro
01:46 Meet Steve Visconti
04:16 EV Charging Symposium
06:40 Vehicle to Grid Risks
09:16 Fires and Attack Vectors
12:14 Making Chargers Unreachable
14:37 Car as the Threat
19:05 Awareness and DDoS Reality
23:09 Government Kill Switch Debate
24:49 Wrap Up and Sponsor Thanks

Cisco Source Code Stolen in Trivy Fallout, Axios Supply Chain Attack, and Active Exploitation of Fortinet and Citrix Flaws
David Shipley reports multiple major security incidents: attackers used credentials stolen in the Trivy supply-chain attack via a malicious GitHub action to breach Cisco's internal development environment, clone 300+ GitHub repos, steal source code (including AI products) and AWS keys, and impact customer-related code; Cisco contained the breach, re-imaged systems, and rotated credentials. A separate supply-chain attack hit the widely used JavaScript library Axios after its maintainer account was compromised, pushing poisoned NPM versions that installed a dropper/RAT via a fake dependency; users are told to downgrade affected versions, remove the dependency, rotate credentials, and review CI/CD logs. Active exploitation is confirmed for a Fortinet FortiClient EMS SQL injection (CVE-2026-21643) and for critical Citrix NetScaler flaws (CVE-2026-3055, possibly alongside CVE-2026-4368). Anthropic accidentally exposed details of a new model, "Code Mythos," described as highly capable in reasoning, coding, and cybersecurity. Finally, TechCrunch reports escalating allegations that compliance startup Delve helped fabricate audit evidence and worked with weak auditors. The episode also marks show episode 1,500.
00:00 Headlines and Sponsor
00:54 Cisco Trivy Breach
02:28 Axios NPM Attack
04:12 Fortinet SQLi Exploited
06:24 Citrix Bleed Returns
08:05 Anthropic Model Leak
10:24 Fake Compliance Scandal
12:30 Episode 1500 Milestone
14:03 Sponsor Closing Message