VIA Knowledge Hub Podcast

In the end, it's all risk. An AppSec leader's guide to enterprise AI with Joshua Bregler

31 min · Apr 7, 2026

Description

What would you do if your AI agent deleted your production database because it decided that was the logical thing to do? That's not a hypothetical. It happened. And according to Joshua Bregler, it happened because someone gave an AI agent the same admin privileges they'd never hand to a new hire. Joshua is an application security leader at McKinsey, working at the intersection of AppSec, AI adoption, and risk. He spends his days helping some of the world's largest organizations figure out what to do when a shiny new AI tool shows up at their door — and what to do when they've already let the wrong one in. In this conversation, Joshua shares front-line stories from enterprise AI deployments gone wrong, breaks down the guardrail and access control decisions that teams consistently get wrong, and makes a case that's both simple and easy to miss: the right way to manage an AI agent is a lot like the right way to manage a junior developer. The fundamentals don't change. We just haven't learned how to apply them here yet.

Topics Covered

* 01:20 - Why AI adoption fails when humans are removed from the loop entirely
* 02:30 - Real-world use cases: When AI fabricates data, and it admits it on the spot
* 04:30 - AI given admin privileges, and why it deleted the production database
* 06:00 - The three themes: human-in-the-loop, guardrails, and access control
* 07:00 - Treating AI like a junior developer: prompt guardrails, library restrictions, and code review that holds
* 09:30 - The old methods are still the right ones, we just need to apply them to AI
* 10:30 - Why ignoring business logic creates vulnerabilities that don't surface for weeks
* 12:00 - What good AI adoption actually looks like: small, purposeful agents over monolithic platforms
* 13:00 - Why an unused AI agent is an attack surface waiting to be activated
* 14:45 - Test, test, and retest: the only real advice for AI-powered compliance tooling
* 16:00 - An example where an AI-generated compliance report could be a huge liability trap
* 17:20 - The ROI question every executive asks first, and why the answer is always “it depends”
* 20:00 - “In the end, it's all risk”: money, lawsuits, reputational capital, and institutional knowledge
* 21:30 - What questions companies are (and aren't) asking about AI adoption
* 24:20 - Managing AI identities: why blanket permissions don't work, and granular access is harder than it sounds
* 27:00 - The AI agent inventory: from Excel spreadsheets to dashboards
* 28:30 - Don't ignore the frameworks: OWASP Application Security Verification Standard, OWASP AI Top 10, and why they apply more than you think

About Joshua Bregler

Joshua Bregler is a cybersecurity executive with deep expertise in application security, cloud architecture, and mission-critical systems. He currently serves as the Application Security Leader at McKinsey & Company, where he builds and scales firmwide application security capabilities, enabling secure product development and enterprise resilience. Before joining McKinsey, Joshua was a Principal Security Architect at Amazon Web Services, where he supported the U.S. Department of Defense and the Intelligence Community. In that role, he led secure cloud transformation initiatives, architected high-assurance systems, and partnered with national security stakeholders to advance zero-trust security models across classified and critical workloads. Joshua holds an MBA from Johns Hopkins University and is a U.S. Marine Corps veteran, bringing a mission-first mindset and disciplined leadership style to every engagement. His career reflects more than two decades of advancing cybersecurity strategy, designing secure digital ecosystems, and guiding organizations through complex technical and regulatory environments.

Connect with our guest Joshua Bregler: LinkedIn

Join the VIA Knowledge Hub community on Substack: viaknowledgehub.com [http://viaknowledgehub.com]

Get passwordless logins instantly with VIA's Zero Trust Fabric (ZTF): solvewithvia.com/via-ztf

Test out VIA's Zero Trust Fabric on GitHub: github.com/viascience/ztf-tutorial

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit www.viaknowledgehub.com [https://www.viaknowledgehub.com?utm_medium=podcast&utm_campaign=CTA_1]


All episodes

13 episodes


Financial Exclusion Is a Security Risk and Blockchain Confusion Is Making It Worse with Candace Kelly

Most people think blockchain means Bitcoin. That misunderstanding has real consequences for regulators, developers building on it, and for the 1.3 billion people worldwide who still don’t have a bank account. Candace Kelly spent nearly two decades as a federal prosecutor at the DOJ and FBI before becoming Chief Legal Officer at the Stellar Development Foundation. In this episode, she breaks down how post-9/11 AML legislation inadvertently locked entire communities out of the banking system, and why financial exclusion is, in her view, a national security issue. For developers building in this space, the episode lands on the areas where the real work is still happening: privacy-preserving transactions via zero-knowledge proofs, agentic commerce with dispute resolution baked into smart contracts, and the challenge of harmonizing compliance frameworks across jurisdictions that don’t move at the same pace as the technology.

Topics Covered

* 00:00 - Introducing Candace Kelly: DOJ, FBI, and the Stellar Development Foundation
* 02:15 - What blockchain actually is
* 03:15 - Rules still apply: why blockchain doesn’t create a lawless financial system
* 05:00 - Blockchain vs. cryptocurrency: the internet analogy and why conflating them matters
* 07:30 - What runs on Stellar: stablecoins, real-world assets, and tokenized securities
* 11:40 - Delivering US dollar aid to internally displaced Ukrainians via mobile wallets
* 13:00 - How the disbursement platform was built, tested, and open-sourced
* 15:30 - Haiti: 89% unbanked, cash insecurity, and a local merchant network accepting digital assets
* 17:00 - Why there is friction in moving from digital funds to fiat funds
* 18:00 - How post-9/11 AML legislation excluded low-income communities, immigrants, and charities
* 22:00 - How blockchain addresses the compliance vs. access tradeoff, and its limitations
* 25:20 - Transparency vs. privacy: the challenge of open ledgers and user-controlled data
* 26:15 - Zero-knowledge proofs: proving facts without revealing identity
* 28:30 - Blockchain as the foundation for privacy features, not a barrier to them
* 30:05 - Real-world blockchain applications already in the wild
* 33:30 - Agentic commerce: smart contracts, micropayments, and baked-in dispute resolution
* 34:50 - Non-financial use cases for blockchain
* 36:30 - Supply chain fraud and why an immutable ledger changes export enforcement
* 37:30 - What makes Candace most hopeful: regulators, traditional finance, and proactive detection

About Candace Kelly

Candace Kelly is the Chief Legal and Policy Officer of the Stellar Development Foundation (SDF), a non-profit organization focused on working with and supporting changemakers to create equitable access to the global financial system through blockchain technology. She leads SDF’s legal team, which is responsible for all of SDF’s legal affairs, and the policy team, which is focused on bridging the gap between the public and private sectors and fostering dialogue with global regulators and policymakers. Prior to joining SDF, Candace worked for Uber Technologies, Inc., where she held a variety of positions, helping to navigate the company’s response to regulatory investigations and advising on safety, security, privacy, consumer protection, and law enforcement response. Candace brings many years of legal experience to SDF, most notably her 17-year career at the United States Department of Justice (DOJ), where she held positions as a legal and policy advisor on national security, criminal, and civil rights issues in leadership offices in Washington D.C. and as a prosecutor in the Northern District of California. During her time with DOJ, she also served as Special Counsel for National Security for the Director of the FBI. She holds a Bachelor of Arts in East Asian Studies from Williams College and a Juris Doctor from University of California (UC), Hastings College of the Law. Candace is a member of the Janet Reno Endowment Advisory Committee at the Center for Juvenile Justice Reform at the Georgetown University McCourt School of Public Policy, and an Advisory Board Member for the UC Hastings Center for Business Law.

Connect with our guest, Candace Kelly: LinkedIn [https://www.linkedin.com/in/candace-kelly]

Make it secure and ship faster? Yes, please. We built the easy button for military-grade authentication.

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit www.viaknowledgehub.com [https://www.viaknowledgehub.com?utm_medium=podcast&utm_campaign=CTA_1]

May 27, 2026 · 41 min

The Four Ps every developer needs to know before their next product decision with Eve Maler

Most teams treat identity like plumbing: invisible, unglamorous, and someone else’s problem… until something breaks. Eve Maler has spent thirty years proving that’s the wrong mental model, and it’s costing companies more than they realize. As the co-creator of SAML and User-Managed Access, former CTO of ForgeRock, and author of the forthcoming Mastering Digital Identity: From Risk to Revenue, Eve introduces a sharper lens: identity is a product. The teams that own it intentionally ship faster, convert better, and lose less to fraud. The ones that don’t are one incident away from finding out why it mattered. Eve shares her Four Ps framework: Protection, Personalization, Payment, and People, and explains why fraud is a design problem long before it becomes a detection problem. She also makes the case for why decentralized identity isn’t a future trend to monitor. It’s a present-tense decision your team is already making, whether you know it or not.

Topics Covered

* Why identity is part of your technology strategy
* What “identity strategy” actually means for developers (not just CISOs)
* The Four Ps framework: Protection, Personalization, Payment, and People
* Why identity and payments are inseparable, and what’s at stake when they’re not designed together
* Fraud as a design problem: modeling happy paths and unhappy paths
* The cost of separating fraud teams from development teams
* What changes when your org has a dedicated identity product owner
* Decentralized identity: why it’s happening now, and what developers need to know
* How to make the case for identity investment to a CEO or board
* Baking identity in from the start vs. scrambling to fix it after launch

About Eve Maler

Eve Maler is President and Founder of Venn Factory and an award-winning Digital Identity Strategist, whose work has influenced how people, organizations, and technologies establish identity, exchange data, and operate securely at scale. From early Internet standards such as XML to identity-defining protocols including SAML and User-Managed Access, Eve has helped build the underlying systems that enterprises around the world rely on every day. Her career in identity spans 25+ years, from Technology Director at Sun Microsystems to Chief Technology Officer of ForgeRock, where she brought identity innovation strategy to dozens of Global 5000 brands. As a former Forrester Research security analyst and now founder of Venn Factory, Eve transforms companies’ digital identity strategies from a cost center into a growth engine by reducing friction, optimizing security and privacy protection, and unlocking new revenue opportunities. Her influence can be seen across global initiatives, including UK Open Banking and U.S. and Canadian health IT efforts. An author, speaker, and board member, Eve is known for connecting technical reality with business outcomes and for showing why, when identity is done right, it becomes one of the most powerful levers of competitive advantage.

Connect with our guest Eve Maler: https://www.linkedin.com/in/eve-maler

Make it secure and ship faster? Yes, please. We built the easy button for military-grade authentication.

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit www.viaknowledgehub.com [https://www.viaknowledgehub.com?utm_medium=podcast&utm_campaign=CTA_1]

Mar 18, 2026 · 37 min

How to break into DevSecOps (without expensive bootcamps) with Damien Burks

DevSecOps is everywhere right now, but most teams are still treating it like a tooling problem. Damien Burks says it's actually a culture problem. He's a DevSecOps expert and the founder of the DevSec Blueprint, a free, open-source learning guide with a 650+ member community. His mission: help people break into DevSecOps by focusing on foundations and systems thinking, not expensive bootcamps. In this episode, Damien explains why DevSecOps engineers are “the glue”, the people connecting developers, operations, legal, and compliance into a single security-minded team. He walks through the patterns that repeat across every cloud platform, why the first thing you should automate is your CI/CD pipeline, and how to think about LLM risks (hallucinations, data residency, prompt injection) when you’re working in regulated environments. He also shares the story of a woman in Africa who used the DevSec Blueprint to land her first internship, proof that accessible education works. The bottom line: security isn’t something you bolt on at the end. It’s a shared responsibility. And the sooner your team internalizes that, the faster (and safer) you’ll ship.

Topics Covered

* Why DevSecOps is a cultural movement, not a job title
* DevSecOps engineers are “the glue”: connecting developers, operations, legal, and compliance
* The DevSec Blueprint: an open-source learning guide for breaking into DevSecOps
* Systems thinking over tool-chasing: recognizing patterns that work across platforms
* Why soft skills and communication matter as much as technical chops
* The #1 thing to automate this year: your CI/CD pipeline with security gates
* Build, test, scan, deploy: the repeatable pattern inside every secure pipeline
* LLM risks in regulated environments: hallucinations, data residency, and prompt injection
* Air-gapped AI as a strategy for heavily regulated industries
* Why prompt injection is still an unsolved problem and what that means for DevSecOps
* The DevSecOps Home Lab: buying two machines from a pawn shop and learning by doing
* One mindset shift: “Security is a shared responsibility”

About Damien Burks

Damien Burks is a DevSecOps leader, security engineer, educator, and the founder of the DevSec Blueprint, a free, open-source learning guide that helps people transition into DevSecOps and cloud security development. With a background in software development and experience working in heavily regulated environments, Damien focuses on making security education accessible, practical, and community-driven. His Discord community has grown to over 650 members who actively contribute projects and capstone exercises. Damien also creates content on YouTube covering cloud security, DevSecOps, and the tech career landscape. His philosophy: less tools, more foundations, and always lead with the mindset that security is a shared responsibility.

Connect with our guest Damien Burks: LinkedIn [https://www.linkedin.com/in/damienburks]

Check out The DevSec Blueprint: https://devsecblueprint.com

Join a community of developers on VIA Knowledge Hub’s Substack: https://www.viaknowledgehub.com/

Get passwordless logins instantly with VIA’s Zero Trust Fabric (ZTF): https://www.solvewithvia.com/via-ztf/

Test out VIA’s Zero Trust Fabric (ZTF) on GitHub: https://github.com/viascience/ztf-tutorial

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit www.viaknowledgehub.com [https://www.viaknowledgehub.com?utm_medium=podcast&utm_campaign=CTA_1]

Feb 26, 2026 · 39 min

The one security practice most teams skip: tabletop exercises with Jeff Fields

Most security teams aren’t underprepared because they lack tools; they’re underprepared because they haven’t rehearsed what happens when humans, systems, and pressure collide. Jeff Fields says that the single most important thing teams can do is run tabletop exercises. Fresh off a 20-year FBI career, Jeff explains why the most damaging incidents aren’t caused by “unknown threats,” but by breakdowns inside the organization: alerts going to the wrong people, missing owners, and teams operating in silos. Tabletop exercises expose those weak points early, forcing engineering, HR, legal, leadership, and comms to operate as one security team. The result is a security posture that assumes human error, limits blast radius, and lets teams ship faster with confidence.

Topics Covered

* Why “there’s no separating the digital from the human” in modern cyber attacks
* Nation-state motivations: how PRC, Russia, North Korea, and others target differently
* The “geopolitical layer cake” and why every builder is in it (whether they like it or not)
* Security as a team sport: breaking silos between engineering, HR, legal, physical security, and leadership
* Why basic information sharing is the cheapest “upgrade” most companies aren’t doing
* The Sony hack lesson: when the alerts won’t stop… and someone turns them off
* “Humans be humans”: designing systems that assume mistakes will happen
* Bake security in from the start vs. bolting it on after launch
* Zero Trust explained in plain English and why it can accelerate innovation
* Why tabletop exercises/war games separate resilient teams from chaotic ones
* Planning for the least likely, most catastrophic scenario (and why it covers everything else)
* Where to get government resources: fbi.gov, dni.gov, and National Counterintelligence and Security Center (NCSC) support for private sector

About Jeff Fields

Jeff Fields [https://www.linkedin.com/in/jeff-f-63736a173/] is a newly retired FBI leader, most recently serving as Assistant Special Agent in Charge of the FBI’s Counterintelligence Branch in San Francisco, with 20 years of experience spanning counterintelligence, national security, and the defense industrial base including emerging tech and the innovation ecosystem. Now advising VCs, startups, and universities, Jeff brings a rare operator’s perspective on how real-world adversaries move and how builders can design security that supports speed instead of fighting it. In addition to being a technical advisor, Jeff is also a Senior Fellow of Practice at the Berkeley Institute for Security and Governance where he serves as a “Hacking for Defense” (H4D) instructor. H4D teaches students how to work with the government to rapidly address the nation’s emerging threats and to solve mission-critical problems at the speed of a startup. In his free time Jeff enjoys hiking with his two Belgian Malinois, volunteering with the non-profit Girl Security, or checking out a live opera or hip-hop show.

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit www.viaknowledgehub.com [https://www.viaknowledgehub.com?utm_medium=podcast&utm_campaign=CTA_1]

Feb 12, 2026 · 42 min