In this episode I chat with the authors of a recent paper on open source security: Open Source, Open Threats? Investigating Security Challenges in Open-Source Software. I chat with Ali Akhavani and Behzad Ousat about their findings. There are interesting data points in the paper such as a 98% increase in reported vulnerabilities compared to a 25% growth in open source ecosystems. We discuss the challenges of maintaining security in a rapidly expanding digital landscape, and learn about the role of community engagement and automated tools in addressing these discrepancies. It’s a great paper and a fantastic discussion. ...

In this episode we discuss crates.io trusted publishing with Tobias Bieniek. We cover the steps crates.io is taking to enhance supply chain security through trusted publishing, a method that leverages short-lived tokens and GitHub actions to safeguard against unauthorized access. Tobias shares insights into the challenges of managing a large-scale open-source repository, offering a glimpse into the future of secure software distribution. Tune in to learn how these advancements are shaping the landscape of open-source development. ...

In this episode I chat with Patrick Garrity from VulnCheck. We discuss the chaos that has enveloped the CVE and NVD programs over the past two years. We cover some of the transparency and communication challenges with the existing program. What some of the new things that have started to emerge as well as why they seem to be struggling. We end on the note that the last 3 months haven’t been confidence inspiring. It’s likely in 6 months everyone will be scrambling to deal with a difficult situation. ...

In this episode I discuss GCVE and Vulnerability-Lookup with Alex and Cedric from CIRCL. GCVE offers a decentralized approach, allowing organizations to assign their own IDs and publish vulnerabilities independently. Vulnerability-Lookup is the tool that makes GCVE a reality. The flexibility addresses many of the limitations we see today with a single centralized ID system. The work happening by CIRCL on GCVE is very impressive, with all the current CVE turmoil, this is a project we should all be paying attention to. ...

In this episode, we dive into the Product Liability Directive and Cyber Resilience Act with Daniel Thompson, CEO of Crab Nebula. The EU’s new legislative framework impacts manufacturers in ways we don’t totally understand, but are going to bring substantial changes to how companies use and develop open source. Daniel explains the broader implications for software security and the future of digital products in the European market. Episode Links Daniel Crab Nebula This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

In this episode Jan Pleskac, CEO and co-founder of Tropic Square, shares insights on the challenges and innovations in creating open and auditable hardware. While most hardware is very closed, Tropic Square is working to change this. WE discuss how open source can enhance security, the complexities of integrating third-party technologies, and the future of secure computing devices. Episode Links Jan Pleskac Tropic Square Tropic Square GitHub This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

I’m joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages. We dive into how PURLs provide a universal, common-sense standard that is becoming essential for the future of SBOMs and securing the software supply chain. Episode Links Philippe AboutCode PURL AI-Generated Code Search This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

Thomas DePierre joins Open Source Security to discuss the central idea from his blog post, “You are all on the hobbyist maintainers turf now,” exploring the massive disconnect between the corporate world that consumes open source and the hobbyist community that actually produces it. The conversation reveals this isn’t a new problem, but a long-standing reality whose consequences for security, stability, and the future of software we are only now beginning to truly confront. ...

I chat with Aaron Lippold, creator of MITRE’s Security Automation Framework (SAF), to discuss how to escape the pain of manual STIG compliance. We explore the technical details of open-source tools like InSpec, Heimdall, and Vulcan that automate validation, normalize diverse security data, and streamline the entire security authoring process. Episode Links Aaron MITRE SAF This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...