
SEC.co Podcast

By: Eric Lamanna

A podcast about the latest trends, techniques, and learnings in cybersecurity and cyberdefense.

2026 SEC.co
Categories: Economics, Leadership, Management & Leadership
Episodes
  • CVSS Is Broken: Scoring Vulnerability Risk in the Real World
    Jul 1 2026

    Vulnerability management runs on a single number — and that number is lying to you. CVSS scores are embedded in scanner reports, regulatory frameworks, and executive dashboards worldwide, yet most defenders who work with real production environments eventually reach the same conclusion: the system, used in isolation, is a poor guide for prioritizing actual risk. This episode draws on this seven-minute breakdown of CVSS's real-world failures to examine five hard-earned lessons about what goes wrong — and how to fix it.

    Here's what the episode covers:

    • Context blindness: CVSS is deliberately environment-agnostic, which means an internet-facing payment gateway and an air-gapped lab server can carry identical scores despite wildly different blast radii — and the fix is tagging assets with business context before acting on any score.
    • Exploitability gaps: Base scores assume worst-case conditions even when no working exploit exists, while actively weaponized bugs sometimes sit below the critical threshold; pairing CVSS with CISA's Known Exploited Vulnerabilities list and EPSS closes that gap.
    • Score manipulation: The eight metrics that feed a CVSS calculation can be nudged — intentionally or not — by whoever files the advisory, producing legitimately different numbers for the same flaw; independent validation by internal engineering teams is the safeguard.
    • Temporal decay: Vendors freeze the base score at publication and rarely update it, so dashboards stay static even after proof-of-concept code drops publicly; automated score-aging policies tied to exploit maturity keep the queue honest.
    • Patch paralysis: A wall of 9.8s doesn't drive action — it drives overwhelm; replacing the binary "critical vs. everything else" model with a triage ladder built on reachability and live exploit status turns an unmanageable backlog into prioritized sprints.
    • What good looks like: A concrete case study shows how a global manufacturer handled two simultaneous 9.8-scored CVEs differently based on exposure and compensating controls — patching one the same day, scheduling the other for the following quarter — with zero incidents.

    The episode closes with a clear framework for enriching CVSS rather than discarding it: layer in asset criticality, live threat intelligence, compensating controls, and exposure surface data. When briefing leadership, swap raw CVE counts for plain-language statements about business risk — that's what actually moves patching decisions forward. For more on preparing for systemic shifts in security fundamentals, listen to the episode on Cryptographic Agility: Preparing for the Algorithm Lifecycle Crisis.

    9 mins
  • Cryptographic Agility: Preparing for the Algorithm Lifecycle Crisis
    Jun 30 2026

    Every cryptographic algorithm has an expiration date, and the gap between "trusted standard" and "actively exploited weakness" is shrinking. This episode of Cybersecurity examines the algorithm lifecycle crisis — the accelerating convergence of advances in cryptanalysis, cloud-scale computing, and the approaching reality of quantum computers — and makes the case that the window for proactive action is narrower than most organizations realize. The discussion is grounded in this six-minute deep-dive on cryptographic agility, which informed the episode's research and framework.

    The episode covers the full arc from historical precedent to practical implementation, including:

    • The algorithm graveyard: How DES, SHA-1, and RSA each followed the same arc from crown jewel to liability — and what that pattern tells us about every algorithm in use today.
    • Why hard-wired crypto is so dangerous: When cryptography is baked into products, embedded systems, and compliance checklists, retiring a broken algorithm stops being a patch and becomes a multi-year engineering project or a board-level crisis.
    • The five pillars of a crypto-agile architecture: Inventory everything that encrypts (with specifics, not generalities), classify and prioritize by risk, decouple cryptographic logic from business code, design for dual-stack coexistence during migrations, and automate rollouts through CI/CD pipelines.
    • Common roadblocks and how to navigate them: The "wait for NIST to finalize" trap, vendor lock-in behind proprietary quantum-safe interfaces, post-quantum performance overhead, and legacy operational technology that can't be patched.
    • Two contrasting case studies: A global financial institution that rotated SHA-1 across two thousand microservices in under a week using a single feature flag — versus a regional hospital forced into frantic weekend remediation after a regulatory audit exposed decade-old RSA key sizes still in production.
    • Where to start this quarter: Concrete first steps — a crypto-asset inventory template, a low-risk algorithm toggle pilot, and a lab environment simulating post-quantum TLS handshakes — that turn agility from abstract strategy into practiced muscle memory.

    The central takeaway is that cryptographic agility isn't a one-time project; it's an organizational discipline. The cost of building it in from the start is a fraction of the cost of retrofitting it under pressure — and history offers no shortage of cautionary tales for teams that waited. For more on related credential and token risk, listen to the episode Cross-SaaS Token Sprawl: Discover, Rotate, and Revoke API Tokens.

    9 mins
  • Cross-SaaS Token Sprawl: Discover, Rotate, and Revoke API Tokens
    Jun 29 2026

    API tokens are the invisible connective tissue of the modern SaaS stack — and they accumulate far faster than security teams can track them. This episode tackles cross-SaaS token sprawl head-on, drawing on this in-depth eight-minute read on discovering, rotating, and revoking API tokens to walk through a full governance lifecycle that actually holds up at scale. Whether you're running a lean security program or managing a sprawling enterprise integration mesh, the conversation offers concrete, actionable steps rather than abstract principles.

    The episode covers the full token sprawl lifecycle, from root cause to measurable outcomes:

    • Why sprawl is a context problem, not just a counting problem — a single over-scoped, forgotten token is more dangerous than dozens of well-managed ones, making ownership and scope as important as raw inventory.
    • Continuous discovery as a discipline — using vendor APIs, static and dynamic code analysis, and repository scanning to build a living inventory tagged with owners, lineage, and blast-radius estimates.
    • Telemetry and anomaly detection — turning raw token logs into an actionable signal layer that flags unusual geography, call-volume spikes, and access to sensitive endpoints before an attacker can pivot.
    • Rotation architecture that makes secrets boring — moving away from hard-coded values toward secret managers, runtime injection, and risk-tiered cadences so that rotating a token feels like a routine deployment, not a crisis.
    • Revocation as a verified campaign — building kill switches before you need them, checking for residual access in cached sessions and downstream copies, and codifying each incident's timeline to speed up the next one.
    • Governance that engineers will actually follow — designing secure token flows to be the fastest flows, using procurement conversations as a security control, and tracking meaningful metrics like mean time to revocation and the ratio of short-lived to long-lived tokens.

    The episode closes with a look at the most common failure modes — sprawling spreadsheets, rotation without monitoring, and policies that sound rigorous but can't be executed with available tooling — and explains how a tight feedback loop between inventory, rotation, and revocation compounds into a program that scales gracefully with each new integration your teams add.

    For more on protecting credentials from evolving attack techniques, check out the earlier episode Credential Stuffing Is Evolving—Are Your Defenses?

    9 mins