Frozen lake at sunset (photo by Sanaz B on Unsplash)

What if appsec used the last month of the year to celebrate security lasts?

Like, the last CVE due to a SQL injection.

The last user to be blamed for clicking a link.

Or the last time we have to memorize a top 10 list.

Securing OT Systems in Tennessee (ep. 359)

For OT systems, uptime is paramount. That’s a hard rule that makes maintaining, upgrading, and securing them a complex struggle. Tomas “Data” Owens and James Cotter discuss how Tennessee is tackling the organizational and technical challenges that come with hardening OT systems across the state.

Making OAuth Scale Securely for MCPs (ep. 360)

The MCP standard gave rise to dreams of interconnected agents and nightmares of what those agents would do with unfettered access to APIs, data, and local systems. Aaron Parecki explains how OAuth’s new Client ID Metadata Document spec provides more security for MCPs and the reasons why the behavior and design of MCPs required a new spec like this.

Developing Open Source Skills for Maintaining Projects (ep. 361)

Open source projects benefit from support that takes many shapes. Kat Cosgrove shares her experience across the Kubernetes project and the different ways people can make meaningful contributions to it. One of the underlying themes is that code is written for other people. That means PRs need to be understandable, discussions need to be enlightening, documentation needs to be clear, and collaboration needs to cross all sorts of boundaries.

OWASP Global Appsec 2025 Interviews (ep. 362)

We wrap up the year with a selection of interviews from the OWASP 2025 Global AppSec Conference! Visit https://securityweekly.com/owaspappsec to watch all of CyberRisk TV's interviews from the conference.

First up, Sebastian Deleersnyder talks about using the OWASP SAMM to assess and improve compliance with the Cyber Resilience Act (CRA). He explains why doing so is good strategy, as the SAMM provides a framework for secure development practices such as secure by design principles and handling vulns.

Then James Manico talks about how the definition of “secure coding” is changing with genAI. He talks about how LLMs and agents are reshaping the way developers learn, apply, and scale secure coding practices — and how new risks emerge when machines start generating the code themselves.

Then Adam Shostack shares some history of threat modeling. He explains its evolution into the Four Question Framework and how to use it as your org adopts agents and LLMs.

Whether you're launching a formal Security Champions program or still figuring out where to start, you already have allies to call on. Dustin Lehr discusses how identifying and empowering your internal advocates is the fastest, most sustainable way to drive security culture change. These allies are the developers, engineers, and team leads who already “get security” even if their title doesn’t have the word security in it.

Subscribe to catch these episodes and more!