More The Secure Disclosure episodes

LLMs Will Never Be Fully Secure w/ Brooks McMillin

Published 9 Mar 2026

Duration: 00:25:38

Security oversights in AI and MCP server development mirror historical flaws like SQL injection: unsafe practices such as passing untrusted input to `eval` and weak authorization expose remote code execution and data leaks, and the episode stresses layered defenses against AI-amplified exploits in a largely untested ecosystem.

Episode Description

We're back in the wild west, only this time the apps can be social engineered at machine speed. Live from CactusCon, Brooks McMillin breaks down malici...

Overview

The podcast discusses recurring security issues in AI and related technologies, drawing parallels between modern challenges and historical vulnerabilities such as SQL injection and broken access control. It emphasizes that lessons from past mistakes, like insecure APIs or misconfigurations, have not been adequately applied to new systems such as MCP (Model Context Protocol) servers, which act as intermediaries through which LLMs call backend tools. Concerns are raised about vulnerabilities in MCP servers, including insecure practices (e.g., calling `eval` on third-party input, which hands the tool server's process to whoever controls that input) that lead to remote code execution, and inadequate access control that could allow unauthorized manipulation of data or permissions. The discussion also highlights the persistent problem of broken access control, a long-standing issue that remains critical in AI systems despite repeated warnings.

A central theme is the amplification of security flaws by AI and LLMs, which can exploit vulnerabilities faster and more creatively than humans, effectively serving as "magnifying glasses" for existing gaps. Prompt injection is identified as a novel threat akin to SQL injection but harder to mitigate, because it works by social-engineering the model through natural language rather than by exploiting a syntax that can be escaped or parameterized. The podcast underscores the need for robust security measures, such as logical controls, anomaly detection, and strict authorization checks, while balancing innovation with caution. It stresses that AI integration requires careful implementation: start with limited access and add safeguards like multi-factor authentication, logging, and human verification for sensitive actions. However, the rapid deployment of tools like OpenClaw without sufficient testing, and the prevalence of malicious packages in repositories, highlight ongoing risks in the ecosystem.
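The preceding two paragraphs describe the controls the episode calls for (limited access, strict authorization, human verification for sensitive actions, logging). As an added example, again not code from the episode or from any real MCP server, here is one way to put those controls in front of tool calls: a registry that declares the scope each tool requires and whether it is sensitive, an object-level ownership check so a caller cannot act on another user's records, an approval flag for sensitive actions, and an audit log of every decision. The tool names, ticket store, scope strings and principals are constructed; the `approved_by_human` flag stands in for whatever out-of-band confirmation (MFA prompt, ticket approval) a real deployment would use.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed tool registry: scope the caller must hold, and whether the tool
# is sensitive enough to require explicit human confirmation before it runs.
TOOLS = {
    "list_tickets":  {"scope": "tickets:read",  "sensitive": False},
    "close_ticket":  {"scope": "tickets:write", "sensitive": False},
    "delete_ticket": {"scope": "tickets:admin", "sensitive": True},
}

# Constructed backing store: ticket id -> owner and status.
TICKETS = {
    "T-1": {"owner": "alice", "status": "open"},
    "T-2": {"owner": "bob",   "status": "open"},
}


@dataclass(frozen=True)
class Principal:
    name: str
    scopes: frozenset  # least privilege: an agent gets only what its task needs


@dataclass(frozen=True)
class Decision:
    tool: str
    principal: str
    outcome: str  # "executed", "denied" or "needs_approval"
    reason: str
    when: str


AUDIT_LOG: list = []  # every decision, allowed or not, is recorded here


def _log(tool: str, principal: Principal, outcome: str, reason: str) -> Decision:
    decision = Decision(tool, principal.name, outcome, reason,
                        datetime.now(timezone.utc).isoformat())
    AUDIT_LOG.append(decision)
    return decision


def call_tool(principal: Principal, tool: str, args: dict,
              approved_by_human: bool = False) -> Decision:
    spec = TOOLS.get(tool)
    if spec is None:
        return _log(tool, principal, "denied", "unknown tool")
    # Function-level check: does the caller hold the scope this tool needs?
    if spec["scope"] not in principal.scopes:
        return _log(tool, principal, "denied", f"missing scope {spec['scope']}")
    # Sensitive actions never run on the model's say-so alone.
    if spec["sensitive"] and not approved_by_human:
        return _log(tool, principal, "needs_approval",
                    "sensitive action requires human confirmation")
    if tool != "list_tickets":
        ticket = TICKETS.get(args.get("ticket_id"))
        if ticket is None:
            return _log(tool, principal, "denied", "no such ticket")
        # Object-level check: holding tickets:write is not enough to touch
        # someone else's ticket; only an admin scope crosses owners.
        if ticket["owner"] != principal.name and "tickets:admin" not in principal.scopes:
            return _log(tool, principal, "denied", "not the owner")
        if tool == "close_ticket":
            ticket["status"] = "closed"
        elif tool == "delete_ticket":
            del TICKETS[args["ticket_id"]]
    return _log(tool, principal, "executed", "ok")


def demo() -> list:
    # The agent acting for alice deliberately lacks the admin scope.
    agent = Principal("alice", frozenset({"tickets:read", "tickets:write"}))
    admin = Principal("ops", frozenset({"tickets:read", "tickets:write", "tickets:admin"}))
    return [
        call_tool(agent, "list_tickets", {}).outcome,
        call_tool(agent, "close_ticket", {"ticket_id": "T-2"}).outcome,   # bob's ticket
        call_tool(agent, "close_ticket", {"ticket_id": "T-1"}).outcome,   # her own
        call_tool(agent, "delete_ticket", {"ticket_id": "T-1"}).outcome,  # no admin scope
        call_tool(admin, "delete_ticket", {"ticket_id": "T-1"}).outcome,  # awaits human
        call_tool(admin, "delete_ticket", {"ticket_id": "T-1"}, approved_by_human=True).outcome,
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the `needs_approval` outcome is that a prompt-injected model cannot talk its way into a destructive call: the tool layer, not the model, decides which actions need a person, and the audit log keeps the denied and pending attempts as well as the successful ones, which is what anomaly detection later needs to see.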

The conversation also touches on the challenges of testing LLM-driven systems, including the unpredictability of their behavior and the limitations of traditional security frameworks. Solutions proposed include using LLMs themselves to simulate attacks, dynamic testing, and layered defenses. A recurring caution is the tension between the speed of innovation and the need for thorough security hardening, with a call for embedding security expertise in AI development. Ultimately, the dialogue reflects a concern that, despite the transformative potential of AI, the field risks repeating historical security missteps unless lessons from the past are systematically applied.

Recent Episodes of The Secure Disclosure

6 May 2026 AI Panic is Driving Shadow IT w/ Noora Ahmed-Moshe

AI's impact on employment and cybersecurity risks, driven by shadow AI, phishing, and emerging threats like prompt injection, require balancing workforce skills, security measures, and organizational trust.

29 Apr 2026 When AI Agents Change their Intent w/ Frank Vukovits

AI agents, autonomous non-human entities operating in enterprise systems without human oversight, pose security and governance challenges requiring updated access control frameworks, real-time monitoring, and intent-based governance to address risks like unauthorized access and shadow AI, paralleling historical tech challenges like Y2K.

22 Apr 2026 OWASP Top 10, Vibe Coding, and What Developers Miss w/ Tanya Janca

Gaps in cybersecurity education, persistent vulnerabilities like SQL injection, OWASP data limitations, evolving supply chain risks, high training costs, AI's contextual challenges, and the need for secure-by-design principles and collaboration highlight systemic challenges in addressing evolving cyber threats.

15 Apr 2026 The Future of Hacking is Agentic w/ Jason Haddix

Recommended: Security Testing will change, and might change quicker than this episode suggests. Keep Security Top of Mind during Development.

AI transforms security with automated penetration testing and threat detection, but requires human oversight to mitigate risks like prompt injection, ensure ethical use, and balance AI efficiency with creative problem-solving in an evolving threat landscape.
