CYBR.HAK.CAST

CYBR.HAK.CAST Episode 11: Theresa Lanowitz

CYBR.SEC.Media Season 2 Episode 11


The software supply chain has quietly become one of the most critical — and least controlled — risk areas in cybersecurity. But according to industry veteran Theresa Lanowitz, that’s starting to change, driven by a surprising source: the CEO. In this episode of CYBR.HAK.CAST, she and hosts Michael Farnum and Phillip Wylie trace the evolution of today’s software risk landscape back to decades-old challenges in application security, where development and security teams often operated in silos. While tooling has improved and DevSecOps has gained traction, many of the same underlying problems persist, only now they’re amplified by AI and global software dependencies.

SHOW NOTES:


Episode 11 Timestamps

  • 03:30 – 08:00 – Theresa Lanowitz’s background: early IoT, Sun Microsystems, Gartner, AT&T
  • 08:00 – 15:00 – Application security history and the developer vs. security disconnect
  • 15:00 – 20:00 – Evolution from SQL injection to AI-era prompt injection risks
  • 20:00 – 30:00 – Software supply chain risks, third-party dependencies, and open source challenges
  • 30:00 – 36:00 – AI’s role in expanding the attack surface and introducing new vulnerabilities
  • 36:00 – 42:00 – CEO awareness and why supply chain risk is now a board-level issue
  • 42:00 – 48:00 – Real-world anecdote: “checkbox security” and vendor trust pitfalls
  • 48:00 – 55:00 – Hardware supply chain risks, chips, and critical infrastructure exposure
  • 55:00 – End – AI, OWASP guidance, and the path forward for securing the supply chain

Do you have a question for the hosts? Reach out to us at media@cscgroupllc.com 


SPEAKER_02

Hello and welcome to another episode of Cyber Hack Cast, Episode 11. I'm joined by my co-host and BBFF, Michael Farnum, and our special guest today, Theresa Lanowitz. And so for Theresa, you probably don't know, BBFF is Bald Best Friend Forever. That's because Michael already had a BFF, Sam Van Ryder. We're Bald BFFs. BBFF. Okay.

SPEAKER_00

That's a great new acronym to learn.

SPEAKER_03

Yeah, we're gonna get tattooed. We're gonna get tattoos and everything. Yeah, I'm pretty sure. Whole subculture. What's funny is at RSA every year, when we used to do the, it was called the bloggers meetup, I don't remember what it's called now, but every year all of the bald bloggers would get together and take pictures. And every year, about this time, it starts popping up on my Facebook memories of all of us together. Bill was part of that. Bill Brenner, our editor-in-chief, was part of that. Unfortunately, Phil was never in on that. That would have been great to have Phil. We'll have to recreate that this year.

SPEAKER_02

Yeah, I was too late to the game. Maybe a bald podcasters, the bald content creators.

SPEAKER_00

So yeah, the bald bloggers meetup, the bald podcasters.

SPEAKER_03

Yeah, I think Bill started it. I think Bill started that way back in the day.

SPEAKER_02

You got to give us something, because I know Michael probably runs into this too. You're out somewhere and someone comments on your wife's or daughter's hair, and then you feel left out.

SPEAKER_03

Yeah. My wife has really good curly hair and everybody's always like, so pretty. And I'm like, come on, man. What about me? Give me something.

SPEAKER_00

But you made a choice, right?

SPEAKER_03

You have a nice clear.

SPEAKER_00

It's interesting looking at all those old conference pictures. They always show somebody on stage speaking and then they show the audience. And you look at them from 10 years ago and then five years ago and then three years ago, and then now. And it's like now it's they're definitely moving in the right way of the trend.

SPEAKER_03

Started going like this.

SPEAKER_00

Yeah.

SPEAKER_02

So yeah, thanks for joining us today. So, how is your new year going so far, 2026?

SPEAKER_00

Oh, new year is going great, absolutely great. So much interesting stuff going on, lots of innovation happening. I live in the beautiful Pacific Northwest, and we have had a relatively warm winter. So it's been great.

SPEAKER_03

It's good to keep the vampires away from up there.

SPEAKER_02

Yeah, exactly. So for the listeners, we'll go more into Theresa's background in the second part of this segment. Get to hear about her background along with the subject of the day. So how are you doing, Michael?

SPEAKER_03

I'm good, man. Yeah, it's nice and warm here in Houston as well, which is not typical. So we're having a warm winter as well. But I'm doing good. Just ready to get going with this, talking to Theresa. We got some really good topics, I think, or a good topic today.

SPEAKER_02

Yeah, so she's new to me. So I'm looking forward to hearing more about her background. Looking at her LinkedIn profile, she's got a pretty impressive history. So I look forward to hearing more about it and her topic today. But first, we want to cover the promo for Cyber HackCon. So Cyber HackCon is coming up on May 27th, 2026 at the Plano Event Center. Call for Papers opens up on April 6th through the 24th, as well as the Call for Villages. And we've got some amazing keynotes. We got Jason Haddix as the opening keynote, and Wirefall, aka Dustin Dykes, the founder of Dallas Hackers Association, is our closing keynote of the day. And we also have Justin "Hutch" Hutchins speaking as well as Tim Medin, two favorites and very sharp individuals with some great information to share. So I'm looking forward to the conference. And tickets are available now, as well as sponsorships. So if your organization is looking to sponsor a good event and connect with some practitioners, make sure to sign up. And for those that haven't listened to this podcast yet, Cyber HackCon is a practitioner slash hacker conference inspired by the old DerbyCon, HackSpaceCon, THOTCON, and some of those other hacker conferences, because in the Dallas-Fort Worth area, the only practitioner conference we really had was BSides DFW. The rest of it's more management or CISO focused. And so we thought it was a good idea to bring this conference to the Dallas area. Yeah.

SPEAKER_03

And like we've said before, it is in the area and you will get a lot of people from the area. But from our perspective, we don't want to just limit it to that. We've got people coming from all over the United States. We know that. So if you're somewhere else, this is a really good spot to have a lot of people. In Dallas, a lot of people don't realize how well known it is for its hacker scene. It's just they haven't really consolidated into an event like this, except for, as Phil said, BSides DFW, which is great. Phil and I were there last year, but we want to do a little bit of a bigger scene and bring people in. So if you're anywhere in the United States, or I don't care if you're from overseas, come on over. Let's get together and do some really cool stuff. It's going to be a lot of fun. Some deep technical conversations and villages and a good CTF. Hutch is putting on the CTF, so that'll be good as well.

SPEAKER_02

So yeah, looking forward to it.

SPEAKER_03

All right. I think we're doing a commercial break real quick before we get back to Theresa, Phil. Sounds good. Yep. Let's jump over on that. And on the other side of the break, we will talk to Theresa.

SPEAKER_02

Welcome back. And we've got joining us today Theresa Lanowitz, as we mentioned earlier in the first half of this segment. And Theresa, why don't you share with our viewers your background? Tell us about your history. It's really impressive. I think everyone's going to be as impressed as I was.

SPEAKER_00

Thank you so much. And thanks so much for having me on the show today. So my career, I started as a software developer. And as a software developer, I was just out of college and worked at a very large enterprise with a Department of Defense top secret security clearance doing development. And from there I moved on and I worked at a variety of software companies: product management, product marketing. I was early on in the IoT scene. I worked for Sun Microsystems. And at the time, Sun Microsystems was, of course, founded by Bill Joy and Scott McNealy, but Bill Joy was doing this Skunk Works project called Jini, spelled J-I-N-I, pronounced like the girl's name Genie. And this was after Java had already been a success. And the idea was to build out these personal area networks. And this is now, you know, what we know today as IoT. So this was doing IoT before there was really IoT. And we were creating all these fantastical use cases, things such as, you know, what if you could put some type of device onto a golf ball, for example. So when you're out playing golf, you never have to wonder where that ball is. Or put some type of chip in the end of a football so you know exactly where that first down is. Do something in a kitchen, for example. Have everything connected to the internet, be able to create recipes based upon the contents of your refrigerator. So these are the types of things we were doing. And this is back right around 1999. So we were really early in that IoT space. And of course, everything has now come on to IoT. Of course, IoT has been wildly successful when we see edge computing, but that was back in the early days. And that was a lot of fun. I moved from there and I became an industry analyst. I worked for Gartner for a number of years and also ran my own analyst firm for a number of years. And then moved on to AT&T Cybersecurity, where I was the chief evangelist and led communications as well as thought leadership.
And a lot of the things that I did at AT&T Cybersecurity, and then AT&T Cybersecurity was spun off into a company called LevelBlue, I would do a lot of research, a lot of research that was really vendor neutral. So creating this thought leadership research, and when you read the report, it wouldn't say, oh, here's why my company is so great. It was really that business-friendly data. And that's really something that took off in the industry. And of course, we now see that independent data being so powerful as the large language models, and we're using generative AI inside of those large language models, that those large language models are now citing that independent data coming from these vendors.

SPEAKER_02

Yeah, it's a pretty amazing background. We missed each other by two years at AT&T Security Consulting. I was there in 2017, in the consulting division. I was a pen tester there at AT&T.

SPEAKER_00

And pen testing is one of those things that I think has been so underrated. As I mentioned, I was an analyst with Gartner. And when I was at Gartner, pen testing was one of those things that was just starting to become popular. And I was covering the software quality assurance area. And so you look at what was going on in the software quality assurance area back in the early 2000s, and there are a lot of similarities between what the software quality assurance teams would do and what the cybersecurity teams are doing now. The same side of a different coin, so to speak, with the software quality assurance engineers and what we now see with cybersecurity professionals, especially in that pen testing area.

SPEAKER_02

Yeah, I agree with the underappreciated and underutilized, because in so many cases people just treat it as a checkbox. There's nothing wrong with compliance, but let's do it the right way.

SPEAKER_00

And that was one of the big things early on with software quality assurance as well as with application security. People would say, oh yes, it's a governance checkbox. And the governance group would say, oh, yes, of course the developers are putting that in there. And nobody was doing any sort of pen testing, nobody was doing any sort of testing for SQL injection, that sort of thing. And now here we are, fast forward 20 years later. And if you look at what OWASP has just come out with in terms of their Top 10 for LLMs and generative AI, what's the top thing? It's prompt injection. It's not SQL injection, but it's prompt injection. We're advancing a whole lot in terms of the innovation that we see going on, in terms of ease of use of doing things and less friction to the user. But there are still a lot of the same underlying problems that we have to fix.

SPEAKER_03

Yeah, I worked several years at HP, specifically in the Fortify group. We were doing all app sec. And yeah, we saw that over and over again, like the same issues popping up in all of these apps. And we always tried to find this way of getting to the developer to say, hey, look, these things are gonna get less. You're gonna ultimately have to pay us less if you fix the issues that were popping up. But all it would do is stay within the security group. They would try to get that, but we couldn't build the bridge for them, basically, to say your security group and your developer group need to talk. What we would find out is that in just the process of, if we were doing like a static test, the developer would provide the binaries to the security group, and the security group would be the one who uploaded the binaries into our system so we could do the testing. And what that translated into is that the developers never got into our system to see what the flaws were. It would be, hey, you need to fix these things, but they would never be the one that was really looking at it. They just looked at security as being the ones that kept telling them that their baby was ugly, and it was extremely frustrating. At the same time, we were like, the more you keep doing this, the more job security we have because we're gonna keep finding these flaws. It was like the purist mindset of me, the idealist, was like, we need to get these things fixed, and the business guy going, that customer is gonna be around a really long time, we're gonna keep finding these things.

SPEAKER_00

That's such an interesting time. And one of the things that we've seen in IT, and we still have this, is that the silos have been built up over the past four, five, six plus decades. And you were talking about the developer not talking to the security team. And if you really take a look at it, and I remember back in the days when Fortify was just starting out, when I was at Gartner, I was doing some work with Fortify, and then Fortify, of course, was later acquired by HP, HPE, Micro Focus, now OpenText. And if you look at what was going on back then, I think everybody said, hey, the developer should be doing this. But if you look at it, the developers have an incredible job, and they still have an incredibly difficult job. So they weren't likely to sit over there and say, yes, I'm a developer. Let me raise my hand to take on this whole idea of security, because what I'm doing is already incredibly hard. Let me bring on the most difficult thing we have in our time and add that to what I'm already doing. And I mean there was so much talk around the tools need to be less frictionless. We need to build this into the developer workbench. And yes, of course, that works very well, to build something into the developer workbench. But there was nobody at a higher level saying, hey, we have to really focus on application security. And now application security is one of those top areas that we see investment in. And a lot of it is because of exactly what you were talking about. There's that friction between the development team and the security team, and the security team saying, developers, why aren't you doing this? And developers saying, hey, I already have more than enough on my plate to put out good software production. So I think where we're coming to now, we're seeing a lot of those frictions disappear, application security becoming more important.
And what we're also seeing is, in my opinion, I think we're starting to see a return to some good software engineering practices, which is really great, because quality was ignored for some time because people just had the mentality of let's just put it out, let's just ship the software, and then we'll figure out what the problem is later on. And you don't necessarily have that luxury all the time now.

SPEAKER_03

No. DevSecOps will fix it all. That's what we've got.

SPEAKER_02

Yeah, so based on that, I was going to ask you, can you answer that question, if you saw things getting better in that area over your long tenure?

SPEAKER_00

Yeah, I would be interested to see what you guys think too, because I'm an eternal optimist. And as I said, I think I see things getting better. Of course, software and where organizations are getting their software from now, it's very splintered, very fractured. But I think the developer is now saying, okay, we need to be able to talk to the security team. We need that security team integrated with what we're doing from a KPI perspective, from a top-down level perspective. We see now organizations are saying across the board, everybody has a KPI for security. So we're going down the path of saying we're going to try to bring together all these previously disparate organizations and these disparate parts. So I think we are seeing things get better, hopefully. And as I said, I'm an eternal optimist.

SPEAKER_03

Phil, I don't know about you. I also think it's a really good segue to talk about the main topic, because the last several years before, and we can't talk about it without talking about AI, and it just is what it is. But the last few years before AI really became a thing, and we started seeing all the AI generated code, it was the supply chain issue that we were having in software, where it was really easy. And you just made the point, Theresa, that we're getting it from all these disparate sources, and they're all over the place, all these different repositories. Nobody writes code from the ground up. They pull different stuff to put it into place to take different functions. And that was a huge issue. And we started seeing a lot of vendors popping up, a lot of personal friends of mine from back in the days when I was working at Agunt Labs that were starting software supply chain companies to go look at the repositories and make sure those were clean. We've got others like James Wickett doing DryRun Security. It's the same kind of stuff. When you commit, what are the changes that are happening? And full disclosure, none of them are sponsors of the podcast, they're just people I know that have been doing this stuff. So I saw it getting, at least from a perspective of visibility into the problem, getting much better than when I saw people making efforts in commercial companies, who were doing side efforts to go scan all of those repositories and try to figure out what they were, when I worked at Fortify. I mean, we had SBOM vendors back then that we worked with to give the software bill of materials, back when most people didn't even use that as a term, not widely in the cybersecurity field. So I see the visibility on it better. But the supply chain, I think, is still an issue.
Every three or four podcasts I watch or listen to on cybersecurity, they talk about that whole XKCD comic with all of the blocks and then that one little piece right there, you know, the one piece of software that could get pulled out and the whole internet just falls down. So I don't know. I'm not an eternal optimist. I'm not an eternal pessimist. I fall somewhere in between, and every day my opinion could be affected on which way I go. But I think that supply chain stuff is still a major issue. I still think developers are going to pull from those repositories and still keep using those. And AI keeps using some of that potentially bad code out there to learn. So my hope is that it comes back, and as we have people fixing the AI generated code, that it'll start learning from the fixed code and eventually get better. But I just don't know if we're ever really going to hit nirvana on that.

SPEAKER_00

That's the idea of bringing back that good software engineering practice, right? So you have AI that can generate code so fast, so quickly, but is it all good? And that's the question. And so now we have these autonomous types of software testing tools that can find defects much more quickly and be able to put out something clean. You bring up such a good point about the software supply chain. And you look at the software supply chain and you say, why? And for those of us, I think, who have been in this area, we know the software supply chain has been tenable at best over the past several years. But if you look at the software supply chain, why is it becoming such a big issue right now? We have these global regulations. You mentioned SBOM. We also have the expanded attack surface. And the expanded attack surface is all of the AI code that we're bringing in and consuming and generating and using. Plus, every organization out there is doing some type of integration with a third-party partner. So you have that expanded attack surface. And then you just have this global awareness of the software supply chain, when something happens in the software supply chain, whether it be a breach or whether it be something accidental, that the software supply chain has taken center stage. And I'll tell you, it's interesting. My research that I've done shows that the person in the organization who is most keenly aware of the software supply chain and the problems that it can bring to the overall organization is the CEO. So the CEO is more concerned about the software supply chain. The CEO realizes that because you're bringing in all of this AI work, your software supply chain is becoming a little more brittle. And many of them, 40% of them from my research, say that they believe that the software supply chain is their biggest risk to organizational security.
So you have the top level, the very top level, the CEO of an organization, saying they understand why the software supply chain is so precarious at this point.

SPEAKER_02

Yeah, it's pretty scary stuff when you think about it. Even sometimes people just overlook the physical part of the supply chain. You can integrate some new chip or something new into your system, and threat actors could be intercepting information. You may be encrypting it on disk, but as it's coming through, whatever's on that circuit, on that device, is able to intercept it. And so I think that, in my opinion, seems to be one area that people aren't really taking seriously enough.

SPEAKER_00

Yeah, absolutely. All those third-party integrations that you're bringing in, you look at where does your software come from? Internally, you have internal legacy source code that you might be using. You might be using some commercial off-the-shelf software. You might have a trusted third party that you've been working with for years and years. But is that third party doing all of the coding work? Are they actually building out the software, or are they going off to another supplier and another supplier? So getting to that nth degree. And then you have open source, and open source is becoming what was always open source. We can trust open source because there's a lot of rigor around what goes on with open source. And now with the new workforce that we have, and that new workforce being AI agents, those AI agents are deploying more code than any really great contributor to any type of open source repository. So, how do we really manage that? How do we understand that is now part of the reality of our software supply chain? So the software supply chain, I think it's one of those things that we started to hear a lot about in the mainstream sort of zeitgeist, probably 2025. I think we'll probably still continue to hear more about that software supply chain. During the pandemic, I think everybody was exposed to the supply chain. We had ships that couldn't unload inside of harbors. And that was the physical supply chain. And I think everybody was watching the news, everybody understood the problem. And now the software supply chain is going to become just as blunt in the news and continue to make inroads, I think, in the next year, two years.

SPEAKER_03

I made a short little video, it was right in 2021, I think. I'm a Toyota Tundra guy. I love my Toyota Tundra. I'm on my third one. I had a 2020 that I was gonna keep forever, because the new ones were coming out, and I was like, no, I want to stay with my V8 engine. Excuse me, anybody who doesn't like V8 gas guzzlers, but I loved the sound of that engine. And I got in a wreck and it got totaled. Somebody hit me from behind, and so I was like, well, I've got to get a 2022 now. That's all they had out, because all of the used ones at that time were extremely expensive because of the supply chain, so everybody who needed a vehicle was trying to get used ones. So I was sitting on the lot, and my dealer finally got one in, in 2022, and this is the largest Toyota dealership, I think, in the United States, down here in Houston. And the lot was almost completely empty, like no new cars, no new trucks, nothing. It was almost completely empty. So I recorded a little video about supply chain. I was like, for everybody who doesn't understand software supply chains, this is like a hardware supply chain, physical supply chain issue, but here's how they correlate, here's how they match up. When you break one part of it and have an issue, it just goes all the way down the line. And it was like one of my most popular videos, because people were like, oh, that just makes sense. But I was running into that, and then when I started thinking even deeper about it, I was like, a lot of the supply chain issues are like chips, and there were a lot of software people, to your point, who were trying to put stuff on the chips to program, because the vehicles are a lot more reliant on software now than they used to be. When I was growing up, if they didn't start, it was probably the carb, or it could be the battery, or could be the starter. There was no computer in that thing to worry about, so you didn't have to worry about all that.
Makes me think of that, what is the Tom Cruise movie where the aliens were coming down and they did the EMP, and the only car that would start was the one that didn't have a computer in it or whatever. Yeah, War of the Worlds. Good movie. So yeah, I don't know. There's a lot of correlation between the two, but talking about those chips on like critical infrastructure, any of the devices, to your point, Theresa, like who developed that? I know I've talked to people at the Department of Energy who have said we try to get an SBOM on some of the PLCs and things like that in the critical infrastructure. And they don't have one. They're the manufacturer of the thing and they don't have an SBOM, because they outsource the development of the firmware on it. And the only way to get that is to try to find a binary and literally reverse engineer the binaries to find how many vulnerabilities there are. And the whole thing was, if you looked at how many vulnerabilities, like any CVEs that were out for that particular device, there may be two. As soon as you break it apart, a whole mess of crap comes out and you've got a thousand. All of a sudden it's, oh, there's a whole lot of vulnerabilities in this thing we've got to worry about.

SPEAKER_00

And where else have they been deployed aside from maybe that particular chip, right?

SPEAKER_03

Yep.

SPEAKER_00

Yeah, you just bring back so many memories of the car shortage right after the pandemic. I bought a brand new car at the same time, and because of the chip shortage when I bought the car, when you buy your new car you usually get two keys, because it's the fob now. It's not a key that you put into the ignition to start the engine. There was a chip shortage, and it took, I want to say it took a good 18 months for me to get the second key fob, because the chip shortage was so bad at the time. And that's the whole supply chain. And you're right, so those vulnerabilities that have been shipped onto that chip, where else have they been deployed? And then getting that SBOM, if the manufacturer can't get the SBOM because they've given the work to a third party, and that third party has maybe given it to another third party that may be reusing that code someplace else, it's such an intricate web of where that software resides and where that software came from. And it's interesting, because as I mentioned, the CEO is the one who is acutely aware of this. And what I found out in my research is that there's very low visibility in the software supply chain. So most people don't have good visibility. Most organizations, they really don't know what's going on with their software supply chain. But yet they all say, yes, we're investing in it, and they all say, yes, we believe a software supply attack or a software supply chain breach is highly likely, but they are not necessarily engaging with their third party suppliers to understand what their security practices are.
They're being driven by somebody in the organization or some force in the organization to say, yes, you need to be aware of this, but they're not really reaching out to those third party providers. And anecdotally, I like to tell this story. Last year I was speaking at a conference, I won't say which one. It was the last day of the conference, the stragglers are pegging around, having dinner the last night there. I was sitting at a restaurant enjoying dinner. It was a nice night, sitting outside, and a group of about four people rolled in. They were at the conference, they had their conference badges on. I could see their names, I could see the company they worked for, and they were having a lot of fun. Let's just say they were having a lot of fun at the end of the conference. And they came in and they sat down at the table next to me, and they were talking about some of the sessions that they had attended at the conference. And one of the sessions was about the software supply chain and the importance of understanding what's going on with your third party providers from a security perspective. And the one person in the group, he said, I understand the importance of this, and I'm paraphrasing what he said, I understand why this is important, but I just don't have the time to do it. So I'm just going to say yes. I asked them and they said they're doing security, so that has to be good enough for me. Back to your days of, it's a checkbox by the governance team, or compliance is great. Are you really being rigorous about the compliance that you're looking at and the compliance that you're using? It's a great anecdote. That's where we are with the software supply chain and understanding your vulnerabilities. How many organizations really understand their vulnerabilities? And then, once you get further and further away from that single pane of truth that you have, where else are those vulnerabilities deployed? And then there's some great tooling out there.
You were talking about Fortify earlier. There's some great tooling out there to help you with exposure management, vulnerability management, threat detection, that sort of thing. And there's some great tooling, but there has to be this organizational KPI or an organizational effort to be able to say, yes, we want to be able to understand our software supply chain, and it's so critically important. And I think that's something that organizations can take advantage of right now: the CEO knows how important the software supply chain is. So take advantage of that and work through that and figure that out.

SPEAKER_02

Great advice, yeah, very good information there. And one of the things too that's interesting, with the way things are developing, we mentioned AI earlier, but it's really interesting to see how these security researchers are finding things faster now using AI. I was seeing someone that has a talk at an upcoming conference about finding Mac vulnerabilities and how they're leveraging AI to do that.

SPEAKER_00

That's great. That would be a really interesting session to attend. Again, I go back to the OWASP Top 10 for large language models and generative AI. I mentioned the prompt injection, but you also have, I think it's number three on their list, the software supply chain, really understanding what's going on in that software supply chain. So the impetus to make sure that you are doing your very best to secure that software supply chain, I think it's coming from all sides. It's coming from the bottom up and it's also coming from the top down. You have the CEO really understanding the impact of a software supply chain, so you're going to have executive motions to say yes, we need to do something about it. And then you also have it at the practitioner level, with OWASP coming out and saying to developers, saying to people who are in this new role of AI ops, to be able to put the guardrails in place for how you're using AI in your organization. Those people are also being told, through lists like the OWASP list for example, that hey, here's something that you really need to be concerned about with the software supply chain.

SPEAKER_02

Great information there. So we appreciate you taking time out of your busy schedule to join us. It was very interesting getting to learn more about you and your background, and the knowledge you shared on supply chain was very informative. I'm sure our guests will get a lot of good information out of that. And before we close it up, I'd like to also mention and thank our media partners. Our media partners are the Cyber Distortion podcast, Barcode Security by Chris Clanton, and the new podcast by Lindo and Sonic called CyberKill Chain Radio.

SPEAKER_03

Great partners to have, good friends at the conference, all the conferences, and the cybersec community, so we appreciate them. Thanks for them being on. Teresa, any parting thoughts?

SPEAKER_00

Thank you so much for having me on your program today. This was great. I learned a new acronym and really enjoyed talking to you guys, and just talking about some of the things that you did early on. Application security is one of those top imperatives right now: being able to secure those AI agents and being able to secure that new workforce, which is largely composed of those AI agents.

SPEAKER_03

Totally agree. All right Phil, this has been a good one.

SPEAKER_02

Yes, yes, another interesting guest. One of the things I love about episodes like this is I always enjoy podcast episodes where you're getting to meet someone for the first time, because so many times I interview people that I've known for years, but then when you get someone that comes in and you get to learn something from it, it's very awesome. It's good stuff. Thank you both so much.

SPEAKER_03

Yeah, thank you very much, appreciate it.

SPEAKER_02

Thanks everyone for joining us and we hope to see you in the next episode.

SPEAKER_01

This has been a CYBR.SEC.Media production. CYBR.HAK.CAST is hosted by Michael Farnum and Phillip Wylie, with production and editing by Lauren Andrews. Our music is by Kike Gutz. The views and opinions expressed on this show are those of the speakers and do not necessarily reflect the views or positions of any entities they represent. This show is for informational purposes only and does not render personalized advice. Subscribe now so you never miss an episode. You can find all of our podcasts, articles, blogs, and conference videos on cybersekimedia.com and follow CYBR.SEC.Media on LinkedIn, Instagram and Facebook. You can keep up with CYBR.SEC.CON. by following us on LinkedIn, Instagram and Facebook at cyberseccon, and you can learn more about CYBR.HAK.CAST on cyberhatcom.