Thomas DePierre joins Open Source Security to discuss the central idea from his blog post, “You are all on the hobbyist maintainers turf now,” exploring the massive disconnect between the corporate world that consumes open source and the hobbyist community that actually produces it. The conversation reveals this isn’t a new problem, but a long-standing reality whose consequences for security, stability, and the future of software we are only now beginning to truly confront. ...

I chat with Aaron Lippold, creator of MITRE’s Security Automation Framework (SAF), to discuss how to escape the pain of manual STIG compliance. We explore the technical details of open-source tools like InSpec, Heimdall, and Vulcan that automate validation, normalize diverse security data, and streamline the entire security authoring process. Episode Links Aaron MITRE SAF This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

I recently chatted with Andrew Nesbitt about his project, Ecosyste.ms. Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more. With this dataset Andrew is able to incredible insights into the world of open source. We chat all about how Ecosyste.ms works and how he manages to wrangle all this data. Episode Links Andrew Ecosyste.ms Open Collective OpenSSF Issue 101 This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

Daniel Stenberg, the maintainer of Curl, discusses the increase in AI security reports that are wasting the time of maintainers. We discuss Curl’s new policy of banning the bad actors while establishing some pretty sane AI usage guidelines. We chat about how this low-effort, high-impact abuse pattern is a denial-of-service attack on the curl project (and other open source projects too). Episode Links Daniel Curl Curl project founder snaps over deluge of time-sucking AI slop bug reports Curl AI usage guide This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

I recently had a chat with Kairo about a project he maintains called Repository Service for TUF (RSTUF). We explain why TUF is tough (har har har), what RSTUF can do, and some of the challenges around securing repositories. Episode Links Kairo RSTUF TUF RSTUF OpenSSF Slack Channel This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. The Update Framework (TUF) Fundamentals TUF has been around for a long time now, starting out as research at New York University. At its core, TUF has a goal of letting clients securely fetch artifacts from package repositories. This sounds simple, or at least not super hard, but it’s actually a really hard problem. TUF provides a framework for signing packages that enables much stronger security guarantees than the traditional approach of curl piped to bash. ...

William Woodruff discussed his project, Zizmor, a security linter designed to help developers identify and fix vulnerabilities within their GitHub Actions workflows. This tool addresses inherent security risks in GitHub Actions, such as injection vulnerabilities, permission issues, and mutable tags, by providing static analysis and remediation guidance. Fresh off the heels of the tj-actions/changed-files backdoor, this is a great topic with some things everyone can do right away. Episode Links William Zizmor This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

Recently, I had the pleasure of chatting with Paul Asadoorian, Principal Security Researcher at Eclypsium and the host of the legendary Paul’s Security Weekly podcast. Our conversation dove into the often-murky waters of embedded systems and the Internet of Things (IoT), sparked by a specific vulnerability discussion on Paul’s show concerning reference code for the popular ESP32 microcontroller. Episode Links Paul Eclypsium Below the surface podcast RVAsec This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

Dimitri Stiliadis, CTO from Endor Labs, discusses the recent tj-actions/changed-files supply chain attack, where a compromised GitHub Action exposed CI/CD secrets. We explore the impressive multi-stage attack vector and the broader often-overlooked vulnerabilities in our CI/CD pipelines, emphasizing the need to treat these build systems with production-level security rigor instead of ignoring them. Episode Links Dimitri’s Linkedin Endor Labs Harden-Runner detection: tj-actions/changed-files action is compromised Unit 42 tj-actions analysis This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

I’m not a super expert in all this, but I know enough to be dangerous. If I make any mistakes, please let me know (there are many ways to contact me listed in the “Contact” menu). I will clearly mark any changes to the post due to errors, feel free to check back and see what I got wrong. Since the CVE people won’t tell us anything useful, let’s use Cunningham’s Law to our advantage. ...