Episoder
-
Dimitri Stiliadis, CTO from Endor Labs, discusses the recent tj-actions/changed-files supply chain attack, where a compromised GitHub Action exposed CI/CD secrets. We explore the impressive multi-stage attack vector and the broader often-overlooked vulnerabilities in our CI/CD pipelines, emphasizing the need to treat these build systems with production-level security rigor instead of ignoring them.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-04-tjactions_with_dimitri_stiliadis/ -
I chat with Alan Pope about the open source security tools Syft, Grype, and Grant. These tools help create Software Bills of Materials (SBOMs) and scan for vulnerabilities. Learn why generating and storing SBOMs is crucial for understanding your software supply chain and quickly responding to new threats like Log4Shell.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-04-syft-grype-grant-alan-pope/ -
Mangler du episoder?
-
Aaron Frost explores the overly complex world of vulnerability identifiers for end of life software. We discuss how incomplete CVE reporting creates blind spots for users while arming attackers with knowledge. The conversation uncovers the ethical tensions between resource constraints and security transparency, highlighting why the "vulnerable until proven otherwise" approach is the best path forward for end of life software.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-04-cve_eol_aaron_frost/ -
Cargo Semver Checks is a Rust tool by Predrag Gruevski that is tackling the problem of broken dependencies that cost developers time when trying to upgrade dependencies. Predrag's work shows how automated checks can catch breaking changes before they're released, potentially saving projects from unexpected failures and making dependency updates less painful across the entire Rust ecosystem.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-04-cargo-semver-checks-predrag-gruevski/ -
Lars Wirzenius discusses his innovative CI/CD system Ambient, which uses isolated virtual machines without network access to enhance security, and his work on Radicle, a peer-to-peer Git collaboration platform. Together, these projects offer a glimpse into a more distributed future for software development, addressing key challenges in current CI/CD systems like long wait times, security vulnerabilities, and centralized infrastructure limitations.
The blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-03-ambient-radicle-lars-wirzenius/ -
William Brown tells us all about how confusing and complicated the FIDO authentication universe is. He talks about WebAuthn implementation challenges to flaws in the FIDO metadata service that affect how hardware tokens are authenticated against. The conversation covers the spectrum of hardware security key quality, attestation mechanisms, and the barriers preventing open source developers from improving industry standards despite their expertise.
The blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-03-fido_auth_william_brown/ -
In this episode, open source legal expert Luis Villa breaks down what the EU's Cyber Resilience Act means for developers and businesses, exploring carve-outs for individual contributors and the complex relationship between security and sustainability. Luis provides practical guidance on navigating this evolving regulatory landscape while explaining why the CRA represents both a challenge and an opportunity for the open source ecosystem.
The blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-03-CRA_luis_villa/
-
Brian Fox discusses findings from a recent Sonatype report about the growing challenge of malicious packages in open source repositories. At the time of recording there are now over 820,000 malware packages in public repositories. Brian explains why certain ecosystems are more vulnerable than others and how behavioral detection methods can identify suspicious packages, and the challenge in solving this problem.
The blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-03-oss_malware_brian_fox/ -
In this episode Open Source Security talks to Dr. Kelly Masada about the Open Information Security Foundation (OISF). The way OISF is managing Suricata through a foundation is super interesting. There are a lot of lessons in this one for both open source projects and existing open source foundations.
The blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-03-oss_foundations_kelley_misata/ -
In this episode Open Source Security chats with Sheogorath about HedgeDoc project's journey from HackMD to CodiMD and finally to HedgeDoc. We learn what forking a project looks like, including license changes (MIT to AGPL), security vulnerability management across different codebases, naming challenges, and infrastructure migrations. The conversation goes through to journey from HackMD to CodiMD and all the lessons learned along the way. And there are many lessons.
The blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-02-fork_open_source_sheogorath/ -
In this episode, Open Source Security chats with Aaron Frost, CEO of Hero Devs about the world of maintaining end-of-life open source software. Aaron explains how EOL versions of open source work and how backporting security fixes can help maintaining compliance. In the discussion we cover the "just upgrade" mentality, how backporting works, why it's hard, and why it matters. We also cover some oddities the world of CVE brings to the discussion.
The blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-02-patching_EOL_OSS_aaron_frost/ -
François Proulx, a supply chain security researcher at Boost Security, discusses how continuous integration (CI) and build pipeline security represents a critical and overlooked hole in our supply chain security. It seems like most supply chain compromises are actually from CI system breaches rather than direct code compromise, yet we seem to obsess over everything on either side of the CI system. François has a bunch of really good practical suggestions for how we can start to improve our CI security today.
The blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-02-ignoring_ci_security_francois_proulx/ -
In this discussion with Tremolo Security CTO Marc Boorshtein, we explore what modern day Single Sign-On (SSO) looks like. Everyone likes to talk about zero trust, but how does that work? We talk about some of the history of authentication that got us here, and some technical details on how you should be implementing authentication into your application. We finish up with some passkey details and realize every authentication discussion really just turns into complaining how hard identity is.
The blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-02-modern_day_authentication_with_marc_boorshtein/
-
Dick Brooks from Business Cyber Guardian discusses the landscape of federal software security requirements, we discuss frameworks like CISA's Software Acquisition Guide, Secure Software Development Framework, and the EU's Cyber Resilience Act. These regulations impact open source projects differently from commercial vendors, Dick helps explain what that means for the vendors as well as open source developers.
The accompaning blog can be found at
https://opensourcesecurity.io/2025/01-government_security_requirements_with_dick_brooks
CISA Software Acquisition Guide
CISA SAG Reader Project
NASA SSDF collaboration -
In this episode, Gary Kramlich, the lead developer of Pidgin discusses the challenges and strategies of maintaining a 26-year-old open source messaging client.Gary tell us all about how a small team manages technical debt, handles library dependencies, and makes decisions about rewrites versus incremental improvements while supporting a broader open source ecosystem.
The accompaning blog can be found at
https://opensourcesecurity.io/2025/01-open_source_maintenance_with_gary_kramlich/
-
In this episode of Open Source Security, Josh welcomes Thomas Depierre, a Site Reliability Engineer and open source maintainer, to discuss the intersection of safety and security. Thomas explains why safety is broader than security. While security often views people as the problem, Thomas explains that people are paradoxically the solution. Nothing should work, but it does, mostly due to people keeping things working.
The accompaning blog can be found at
https://opensourcesecurity.io/2025/01-safety_vs_security_with_thomas_depierre/
-
It’s a new year and time for some changes to the opensourcesecurity.io website.
It's time to retire the podcast, but that's to make way for something new and hopefully better. You can read the details in the blog post (the audio version is basically the same thing)
https://opensourcesecurity.io/posts/2025-01-the_future_of_open_source_security/
-
Josh and Kurt talk about new NIST password guidance. There's some really good stuff in this new document. Ideas like usability and equity show up (which is amazing). There's more strict guidance against rotating passwords and complex passwords. This new guidance gives us a lot to look forward to.
Show Notes Usagi Electric NIST proposes barring some of the most nonsensical password rules NIST SP 800-63(B) STRIDE threat model PASTA threat model -
Josh and Kurt talk about the supply chain of Santa. Does he purchase all those things? Are they counterfeit goods? Are they acquired some other way? And once he has all the stuff, the logistics of getting it to the sleigh is mind boggling. It's all very complex
Show Notes Project Gunman -
Josh and Kurt talk about a CWE Top 25 list from MITRE. The list itself is fine, but we discuss why the list looks the way it does (it's because of WordPress). We also discuss why Josh hates lists like this (because they never create any actions). We finish up running through the whole list with a few comments about the findings.
Show Notes 2024 CWE Top 25 Most Dangerous Software Weaknesses Set of 9 Unusual Odd Sided dice - D3, D5, D7, D9, D11, D13, D15, D17 & D19 - Se mer
