A lonely person

Open Source is one person

The Register recently published a story titled Putin on the code: DoD reportedly relies on utility written by Russian dev. They should be ashamed of this story. This poor open source developer is getting beat up now to score some internet points. It’s very upsetting. But anyway, let’s look at some receipts. If you’re not real smrt, it seems like pointing out an open source project is written by one person in a country you don’t like is a bad thing. It could be. But it also could be the software running THE WHOLE F*CKING PLANET is written by one person. In a country. But we have no idea which country. It’s not the same person mind you, but it’s one person. ...

August 28, 2025 · Josh Bressers
Books

Discussing the Open Source, Open Threats? paper with Behzad and Ali

In this episode I chat with the authors of a recent paper on open source security: Open Source, Open Threats? Investigating Security Challenges in Open-Source Software. I chat with Ali Akhavani and Behzad Ousat about their findings. There are interesting data points in the paper such as a 98% increase in reported vulnerabilities compared to a 25% growth in open source ecosystems. We discuss the challenges of maintaining security in a rapidly expanding digital landscape, and learn about the role of community engagement and automated tools in addressing these discrepancies. It’s a great paper and a fantastic discussion. ...

August 25, 2025 · Josh Bressers
A crate

crates.io trusted publishing with Tobias Bieniek

In this episode we discuss crates.io trusted publishing with Tobias Bieniek. We cover the steps crates.io is taking to enhance supply chain security through trusted publishing, a method that leverages short-lived tokens and GitHub actions to safeguard against unauthorized access. Tobias shares insights into the challenges of managing a large-scale open-source repository, offering a glimpse into the future of secure software distribution. Tune in to learn how these advancements are shaping the landscape of open-source development. ...

August 18, 2025 · Josh Bressers
Broken glass

CVE update with Patrick Garrity

In this episode I chat with Patrick Garrity from VulnCheck. We discuss the chaos that has enveloped the CVE and NVD programs over the past two years. We cover some of the transparency and communication challenges with the existing program. What some of the new things that have started to emerge as well as why they seem to be struggling. We end on the note that the last 3 months haven’t been confidence inspiring. It’s likely in 6 months everyone will be scrambling to deal with a difficult situation. ...

August 11, 2025 · Josh Bressers
GCVE Logo

GCVE with Cédric Bonhomme and Alexandre Dulaunoy

In this episode I discuss GCVE and Vulnerability-Lookup with Alex and Cedric from CIRCL. GCVE offers a decentralized approach, allowing organizations to assign their own IDs and publish vulnerabilities independently. Vulnerability-Lookup is the tool that makes GCVE a reality. The flexibility addresses many of the limitations we see today with a single centralized ID system. The work happening by CIRCL on GCVE is very impressive, with all the current CVE turmoil, this is a project we should all be paying attention to. ...

August 4, 2025 · Josh Bressers
EU Flag

EU Regulations will change everything with Daniel Thompson

In this episode, we dive into the Product Liability Directive and Cyber Resilience Act with Daniel Thompson, CEO of Crab Nebula. The EU’s new legislative framework impacts manufacturers in ways we don’t totally understand, but are going to bring substantial changes to how companies use and develop open source. Daniel explains the broader implications for software security and the future of digital products in the European market. Episode Links Daniel Crab Nebula This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

July 28, 2025 · Josh Bressers
A circuit board

Open source microprocessors with Jan Pleskac

In this episode Jan Pleskac, CEO and co-founder of Tropic Square, shares insights on the challenges and innovations in creating open and auditable hardware. While most hardware is very closed, Tropic Square is working to change this. WE discuss how open source can enhance security, the complexities of integrating third-party technologies, and the future of secure computing devices. Episode Links Jan Pleskac Tropic Square Tropic Square GitHub This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

July 21, 2025 · Josh Bressers
A collection of boxes with various names on them all

Package URLs with Philippe Ombredanne

I’m joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages. We dive into how PURLs provide a universal, common-sense standard that is becoming essential for the future of SBOMs and securing the software supply chain. Episode Links Philippe AboutCode PURL AI-Generated Code Search This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

June 23, 2025 · Josh Bressers
An artist working clay

Hobbyist Maintainers with Thomas DePierre

Thomas DePierre joins Open Source Security to discuss the central idea from his blog post, “You are all on the hobbyist maintainers turf now,” exploring the massive disconnect between the corporate world that consumes open source and the hobbyist community that actually produces it. The conversation reveals this isn’t a new problem, but a long-standing reality whose consequences for security, stability, and the future of software we are only now beginning to truly confront. ...

June 16, 2025 · Josh Bressers
An automation console

STIG automation with Aaron Lippold

I chat with Aaron Lippold, creator of MITRE’s Security Automation Framework (SAF), to discuss how to escape the pain of manual STIG compliance. We explore the technical details of open-source tools like InSpec, Heimdall, and Vulcan that automate validation, normalize diverse security data, and streamline the entire security authoring process. Episode Links Aaron MITRE SAF This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

June 9, 2025 · Josh Bressers