Supply chain security remains one of the biggest time sinks for appsec teams and developers, even making it onto the latest iteration of the OWASP Top 10 list. Paul Davis joins us to talk about strategies to proactively defend your environment from the different types of attacks that target supply chains and package dependencies. We also discuss how to gain some of the time back by being smarter about how to manage packages and even where the responsibility for managing the security of packages should be.
Paul is an experienced IT Security Executive who, as Field CISO at JFrog, works to help CISOs, IT execs and security teams, enhance protection of their software supply chain. Additionally, he advises IT security startups, mentors security leaders, and provides guidance on various IT security trends. Paul also spends his time exploring the latest technologies, DJing, reading, and boating.
Security Weekly listeners save $100 on their RSAC 2026 All Access Pass! RSAC 2026 Conference will take place March 23rd to March 26th in San Francisco. To register using our discount code, please visit securityweekly.com/rsac26 and use the code 56U5SECWEEKLY! We hope to see you there!
Most security conferences talk about threats. Zero Trust World lets you attack them. From March 4th to 6th, 2026 in Orlando, Florida, this hands-on cybersecurity event features live hacking labs where you’ll break real environments, think like an adversary, and learn how attacks really work. You’ll also get expert sessions, real-world case studies, CPE credits, and networking with top practitioners. And yes — the Security Weekly team will be there too. Don’t miss it! Register today at securityweekly.com/ZTW.
Mike Shema
- A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here? – Project Zero
There are a few important ways to read this article beyond the narrow focus of a single software flaw. It emphasizes the time investments in finding and exploiting flaws, with the implied desire to decrease the former and increase the latter. It doesn't cover the time investment in fixing flaws, but touches on such considerations in terms of prioritizing security flaws like this one and, more generally, improving solutions like KASLR.
And with KASLR in mind, the other important takeaway is looking at how secure by design principles in a system make exploitation harder. If you're compiling C code with LLVM, the "-fbounds-safety" flag can help mitigate the impact of some memory mishandling. Yes, it'll introduce overhead, but there's also a key difference between vague "some overhead" and measuring real impact on how the app runs. Seeing a minor, say 1% increase, in runtime overhead is a worthwhile tradeoff for more user protection.
- [Daniel’s week] January 16, 2026 — Curl Drops Bug Bounty
Curl is dropping bug bounties due to the overwhelming noise, distractions, and terrible quality of LLM-influenced reports.
Curl still has a fine vulnerability disclosure policy and mechanism. The point is that people are trying to obtain bounties by with low-effort submissions that require high-effort reviews. Removing an incentive for bounties (i.e. money) will hopefully send lazy and uninformed bug bounty reporters elsewhere.
This isn't a quality problem unique to LLMs. People have been submitting bad bug bounty reports from the unreviewed cut-and-paste output of scanners for years. But those reports were trivial to identify and trivial to ignore. LLMs create reasonable-sounding text about reasonable-sounding flaws that bounty chasers have been lazily reporting in unreasonable volumes.
- CodeBreach: Supply Chain Vuln & AWS CodeBuild Misconfig | Wiz Blog
This research isn't the start of a trend nor the end of the world, but it's still a great explanation of the impact of a common security mistake with regular expressions -- forgetting anchors.
Regexes are great. They can be simple, powerful tools. If you're trying to match an exact string, they can do that. But you also have to determine whether your security model needs an exact match against an entire input text or if the match just appears somewhere in that text. In other words, remember to use anchors when you need a match against the full input text.
This type of flaw easily goes back decades to the 90s themselves when regexes were first appearing in CGI scripts.
- The State of OpenSSL for pyca/cryptography
Also check out "[The State of SSL Stacks]" from HAProxy back in May 2025 and the curl project's recent work with HTTP/3 in January 2026 for similar views of OpenSSL's API.
- What does it take to ship Rust in safety-critical?
This is the kind of article that is informative regardless of whether you're using or even considering using Rust.
If there's only one thing to remember from, focus on this phrase -- "...isolate the highest-criticality logic into the smallest surface area you can..."
- The AI Slop Discourse Is Missing the Point: Your “Authoritative” Security Guidance Might Be Worse
I first noticed this when Mark Curphy posted his PR against OWASP's repo for this Go documentation, where he noted how the guidance seemed frozen in 2017.
I think the real problem here is maintaining relevant, useful documentation for any software project. I can see how an LLM can feel useful in aggregating existing documentation to create security guidance, but it can't create guidance from thin air. Someone needed to create that documentation in the first place and what this article is highlighting is that documentation -- and security guidance -- must be curated on a regular basis.
That principle is very similar to the discussion of revisiting threat models and updating advice that we covered with Bob Lord back in episode 365.
- Trail of Bits Claude Code skills for security research, vulnerability detection, and audit workflows
- CVE-2026-0915: GNU C Library Fixes A Security Issue Present Since 1996
I will forever be fascinated by flaws that last decades before being discovered. How does that happen!? It's not an obscure codebase, although perhaps it requires an obscure means to trigger the vulnerable state. How was this missed by an industry of scanners? Could this have been discovered through fuzzing? Should it have been discovered that way? Could it have been identified through code quality reviews? Is it a code pattern that's worth searching for elsewhere?
