I recently sat down with Brian Fox, CTO and co-founder of Sonatype, about a report they recently published about malware in open source ecosystems. This is something that’s not a surprise to anyone paying attention, but there are some things Sonatype is doing in this space that’s very clever. I’ve known Brian for a long time so it was a treat to catch up and see what they found, and what it means for the future. ...

In the world of open source software, we often celebrate the code, the contributors, and the collaboration. But beneath the surface lies a world unknown to most. It’s not a secret, it’s just not something most of us pay attention to, the foundations that drive some of the open source projects. I had the opportunity to discuss this with Dr. Kelly Masada, who has served as president of the Open Information Security Foundation (OISF) for over 12 years. OISF is the organization behind Suricata, the very capable and well known open source network analysis and threat detection software. ...

If you use GitHub, you probably have “forked” a repo more times than you can count. It’s super common and the ideal way you can interact with a git repository you don’t control. But the idea of forking in open source can have another meaning, a far more interesting meaning. It’s when you take the open source project, and create a new open source project based on the first. It’s not as simple as clicking a button. The process is complicated and is a ton of corner cases. ...

When I started Open Source Security HeroDevs reached out and asked if I wanted to have a chat. I was pretty interested in this discussion because the work HeroDevs does today is very similar to the work I did at Red Hat for a decade. While what they work on is a bit different than the sort of things we shipped in a Linux distribution, the basic idea is still the same. ...

When I started Open Source Security I knew one of those topics that could use more attention was the security of CI/CD systems. All the talk about securing the supply chain seems to almost exclusively focus on the development stage as well as the deployment stage. It seems like there’s not enough attention happening to the build stage (spoiler: most of the successful attacks have happened at this stage). When François Proulx reached out to chat about CD/CD systems, I couldn’t say yes fast enough. ...

When I thought doing an episode about authentication would be a good idea, Marc Boorshtein was the first person who came to mind for me. Marc knows more about authentication than anyone I know, and he’s really good at talking about it in a coherent way. Marc is the CTO of Tremolo Security, he’s been doing authentication for more than 20 years, long before many of us even knew this whole identity and authentication thing was something we should care about. ...

Very recently the Node.js project filed a few CVE IDs for end of life products. For vulnerability nerds this is exciting because historically EOL things didn’t get CVE IDs just for being EOL. And as one would expect, there are plenty of folks who think this is the best idea ever, and a bunch worried this will be the event that destroys modern civilized society. Today there’s not really a good place to track what is or isn’t end of life software. There are some datasets being worked on but they’re very new, and it’s “yet another dataset” we will all have to figure out. CVE could be a place to track details like this, but it’s not a simple conversation. ...

I had a discussion with Dick Brooks about government regulations and open source software security. The conversation covered the frameworks that affect enterprise software, users of open source, and open source developers. At the moment, all these regulations don’t mean a ton for open source developers, which is good news. Dick is the co-founder of Business Cyber Guardian and former enterprise architect at ISO New England. He’s a self proclaimed old school software engineer who worked at Digital Equipment Corporation. These days Dick is involved in working on secure development programs with governments around the world. ...

I met Gary Kramlich a few years ago at the CypherCon security conference and we now chat on signal about open source things. When I started Open Source Security I knew he was one of the people I wanted to talk to about what it looks like to keep a project, codebase, and community alive for more than a decade. Gary is the lead developer of the Pidgin chat program. You can find him at reaperworld.com ...