OIDC And IAP In Production: Scaling Startup Security For Deepfake Defense - Talia Smiley

In this episode of the Security Repo Podcast, Dwayne McDaniel talks with Talia Smiley, CTO of Silversight, about why her startup chose workload identity, OIDC, and IAP instead of long-lived secrets and service account keys. Talia explains how secure-by-default design, just-in-time access, and thoughtful infrastructure choices can actually be faster and more sustainable than legacy approaches, especially for growing teams. They also touch on multi-cloud considerations, deepfake defense in the enterprise, hiring signals for technical candidates, and the security advice that still holds up versus the advice that should be retired.https://silversight.ai/https://services.google.com/fh/files/misc/cloud_threat_horizons_report_h12026.pdfTalia Smiley is a (literal) Master of Computer Science, infrastructure in particular. Her deep experience in networking, architecture implementation, data pipelines and big data have ensured that all of Silversight's cloud deployments run peacefully while she leads the development of Silversight Shield.

In this episode of the Security Repo Podcast, we uncover the wild and hilarious true story behind a forgotten piece of cybersecurity media history: “The PCI Ultimatum” and the world-building inside of it that gave us “Dwayne’s World of Security,” a DIY Cisco-era cult film rediscovered via a thrift store handbag. Guests Mike Radigan and Dwayne Edwards share how they disrupted corporate norms to create a storytelling-first, off-the-books PCI compliance movie that somehow still resonates today. Along the way, we explore the value of humor, storytelling, and going rogue to make security memorable.See that bag that started this entire conversation:https://dwayne-mcdaniel.com/img/dwosbag1.pnghttps://dwayne-mcdaniel.com/img/dwosbag2.pngWatch The PCI Ultimatum:https://www.1dave1cup.com/extra/pci/Dwayne’s World Of Security trailer:https://www.youtube.com/watch?v=7_LGzNx09igBe sure to check out:The ICS Security Radio Hour --- Half Hour (Dwayne Edward’s Podcast)https://www.youtube.com/channel/UCiTZVtx-XjO4nmQc98VwjrAAbout our guestsMike Radigan https://www.linkedin.com/in/radiganatbos/Mike is a proven executive with unique experience in defining and communicating the value cybersecurity delivers to the business. Passionate for the business of cybersecurity, the mission of cybersecurity and the advancement of the cyber risk management profession.Cyber Risk Economics: Recognized expert in applying the Open FAIR body of knowledgeCyber Risk Quantification (CRQ): Operationalizing CRQ within GRC, BoD reporting, Strategic riskProven Leader: Track record for devising accurate vision and strategies to achieve objectives---Dwayne Edwards https://www.linkedin.com/in/dwedward/During Dwayne’s tenure in IT & OT he has worked in in a variety of roles including security, data center and OT business and technology architecture. Dwayne’s primary interest is in protecting ICS environment. He also enjoys providing professional development for engineers and account managers.

In this episode of the Security Repo Podcast, Dwayne catches up with returning guest Andy Dennis (Head of Field Engineering at XBOW) to unpack what it really means to run “AI-backed” penetration testing at scale, without turning red teaming into a gimmick. They dig into how XBOW approaches discovery, guardrails, and reporting beyond “scan results,” and why operationalizing LLM-driven testing in real enterprises still demands SaaS-grade controls and infrastructure. The conversation closes on where this all goes next: continuous testing in the SDLC, deeper discovery of business-logic bugs, and a near future where findings increasingly translate into remediation-ready pull requests.https://xbow.com/  https://www.linkedin.com/in/andy-d-b43a17b/Head of Field Engineering at XBOW. Published author. Public speaker. Former undergraduate tutor and examiner. Cyber Security and AI Strategy. M&A technical due diligence. 22+ years in industry. International team management experience across 5 continents and 400+ individuals. Interest in Cybernetics. Andy has 22+ years experience in the technology industry and has worked in the UK, Canada and US. He’s had 5 books published on a variety of topics including IoT and the Raspberry Pi and spoken at multiple events around the country. Previously Andy tutored undergraduates at Goldsmith’s College, University of London’s online degree program and is currently studying with HEC in Paris.

Why Compliance Isn’t Governance & How GovOps Rebuilds Trust Boundaries – Mike SchwartzIn this episode of the Security Repo Podcast, Dwayne sits down with Mike Schwartz (CEO & founder of Gluu) to unpack GovOps as “next-gen governance” built to be declarative, provable, and continuous. They dig into why compliance ≠ governance, how formal reasoning can help prove policy outcomes, and why modern governance needs to shift from periodic audits to real-time visibility. The conversation closes with the collision of agentic AI + identity, the need for better software identity and token trust, and how this moment might finally unlock board-level investment in security.Links from the show:https://www.linkedin.com/in/nynymike/GovOps Working Group on LinkedInhttps://www.linkedin.com/groups/17478011/https://gluufederation.medium.com/govops-manifesto-33eb7cb01ed3Identerati Office Hourshttps://gluu.org/identerati-office-hours-episodes/The Janssen Projecthttps://docs.jans.io/stable/https://www.cncf.io/projects/oscal-compass/https://gemara.openssf.org/Mike Schwartz is the Founder/CEO of Gluu, and leads the Linux Foundation Janssen Project. He is the co-author of the book "Securing the Perimeter" (Apress 2018) about how to use open source IAM tools. In addition to his day job at Gluu, he currently hosts the “Identerati Office Hours” Livestream twice a week, which features discussions on all topics digital identity and security. Mike resides in Austin TX with family and pigeons.

In this episode of the Security Repo Podcast, we talk with Henry Odibi, a data engineer who pivoted from chemical engineering into data and AI. Henry shares how he hacked his way into tech, built his own automation tools, and now integrates AI responsibly—always with a “security first” mindset. He also emphasizes the importance of treating data as if it were your own and offers practical steps for anyone starting in AI or data engineering to stay secure.https://www.linkedin.com/in/henryodibi/Henry Odibi transforms messy, real-time process data into high-performance data systems used across global manufacturing operations.With 4+ years of experience spanning chemical engineering, utilities, telemetry integration, and cloud architecture, he's built solutions that improve OEE, energy intensity, yield, inventory accuracy, and cycle time across 30+ Ingredion sites worldwide.He began his career on the plant floor, supervising wet mill operations and responding to breakdowns firsthand. Over time, Henry transitioned into a global data role where he now designs scalable data pipelines using Azure Data Factory, Databricks, PySpark, and Power BI — empowering teams with near-real-time visibility and decision intelligence.Henry has led internal training programs, built metadata-driven automation frameworks, and collaborated with cross-functional teams to deliver insight that drives action.His passion lies in building the future of digital manufacturing — a connected, automated, and self-optimizing production environment.

In this episode of the Security Repo Podcast, Nathan Koester shares his path from reverse engineering for the Air Force to building practical security tools for real-world teams. He discusses *Pwnbook.io*, a platform for integrating and visualizing security tools and data, and *Charlemagne Labs*, a local-first browser extension using small language models to detect risky links. The conversation also explores the philosophy behind lightweight AI models, cognitive defense, and staying curious in a fast-evolving field.https://[pwnbook.io](https://pwnbook.io/) https://[Charlemagnelabs.ai](https://charlemagnelabs.ai/)Nathan Koester is an engineer with a diverse background, ranging from forward software development to reverse engineering embedded systems and performing vulnerability assessment.Nathan’s preferred work focus is leveraging his forward and reverse engineering skills with a red team mindset to provide pen-testing and vulnerability assessment capabilities.

In this episode of the Security Repo Podcast, we dive into the world of incident response with Robert Saul, General Manager of AWS Security Incident Response Services. Robert shares insights from decades of experience, emphasizing that over 70% of security incidents stem from credential loss and that these challenges are rooted more in people and process than technology. From governance and playbooks to building a culture of incremental improvement, this conversation is packed with hard-won advice for security professionals at every level.https://aws-samples.github.io/threat-technique-catalog-for-aws/https://aws.amazon.com/iam/access-analyzer/https://www.linkedin.com/in/robert-saul/With nearly 30 years of experience in security and network engineering, Robert Saul currently serves as the General Manager of the [AWS Security Incident Response service](https://aws.amazon.com/security-incident-response).In this role, Robert establishes the strategy and measures the operations of a global network of security incident responders dedicated to supporting the investigation of security events that occur on the customer side of the shared responsibility model. The service's focus is on the coordination, detection, analysis, mitigation, and recovery from cyber incidents, ensuring AWS customers receive top-tier support to accomplish their business objectives.He is incredibly proud to be a part of this team of talented professionals. Their collective experience, dedication, and expertise allow them to provide invaluable guidance, often in high-pressure situations where time is critical. Robert is continually inspired by their commitment to excellence in incident response and their unwavering customer obsession in line.Prior to AWS, Robert engineered and secured tactical communications platforms for defense and intelligence sectors. This background provides him with a unique perspective on the evolving landscape of cyber threats and the importance of robust incident response strategies.Robert's blend of technical capabilities, leadership skills, and experience in both public and private sectors enables him to effectively lead the AWS Security Incident Response service. Together with his exceptional team, they guide customers through the complex world of cybersecurity and incident response.He is also deeply grateful for the opportunity to work alongside such a talented and dedicated group of professionals. Their expertise, passion, and commitment to our customers’ security make it an honor for him to lead this service every day.

In this episode of the Security Repo Podcast, Ryan Bonner dives into his exploration of legacy enterprise integration platform WebMethods, revealing alarming vulnerabilities that allow unauthenticated access and even system shutdowns. He discusses how collaboration with Iceland’s top bug bounty hunter led him into this niche area of research, and shares practical advice for responsible disclosure and improving enterprise security hygiene. The conversation also touches on broader security culture, from overlooked credentials to the value of testing unconventional attack vectors.https://github.com/Roll4Combat/IntegrationSurferhttps://www.linkedin.com/in/roll4combat/Ryan 'Roll4Combat' Bonner is a penetration tester and educator who enjoys breaking things and sharing knowledge. By day, he's a Senior Cybersecurity Consultant, testing the defenses of web apps and corporate networks. By night, he dives into AI and bug bounty huntingA firm believer that we all get better by sharing, Ryan is a community speaker at events like BSides and DEF CON. He is committed to paying forward the mentorship that launched his career by helping others get their start in the community.

In this episode of the Security Repo Podcast, we dive into the world of zero-day exploits, marketplace dynamics for vulnerability research, and the evolving role of cybersecurity in boardroom decision-making. Guest Evan Dornbush, founder of Desired Effect, shares his journey from government cyber-ops to founding multiple security startups, and explains why attackers don’t care about compliance paperwork. We also explore the real-world consequences of hardware vulnerabilities, how a plug won’t save your hotel lock, and why we might be fooling ourselves by trying to “out-tech” cybercriminals.https://www.linkedin.com/in/evandornbush/https://www.desiredeffect.io/Evan Dornbush is the founder and CEO of Desired Effect, which helps vulnerability researchers get fairly compensated and helps defenders act before attacks begin. He hosts the researcher-focused Hackers On The Rocks podcast. Previously, Evan co-founded Point3 Security, a cybersecurity workforce development firm acquired in 2021, and served as CEO. He co-founded P3F, a cybersecurity research firm acquired in 2021. He led Customer Experience at Vulnerability Research Labs, a security research firm acquired in 2010. He worked as a Computer Network Operator for the National Security Agency. Evan holds an M.S. in computer science from The George Washington University and has four ridiculously good-looking children.

In this episode of the Security Repo Podcast, Eric Woodruff dives deep into the complexities of identity and access management (IAM), from the evolution of Active Directory to the future of non-human identities. He explains the real-world challenges of hybrid environments, governance, and over-engineered identity solutions. Eric also highlights practical ways for newcomers to start learning IAM and emphasizes the importance of soft skills in security roles.https://www.linkedin.com/in/ericonidentity/https://idpro.org/body-of-knowledge/https://ericonidentity.com/Throughout his 25-year career in the IT field, Eric Woodruff has sought out and held a diverse range of roles. Currently the Chief Identity Architect for Semperis; Eric previously was a member of the Security Research and Product teams. Prior to Semperis, Eric worked as a Security and Identity Architect at Microsoft partners, spent time working at Microsoft as a Sr. Premier Field Engineer, and spent almost 15 years in the public sector, with 10 of them as a technical manager.Eric is a Microsoft MVP for security, recognized for his expertise in the Microsoft identity ecosystem. Eric is a strong proponent of knowledge sharing and spends a good deal of time sharing his insights and expertise at conferences as well as through blogging. Eric further supports the professional security and identity community as an IDPro member, working as part of the IDPro Body of Knowledge committee.