Josh talks to Casey Ellis about why vulnerability disclosure is so hard, and also so important. Casey is one of the best in this space having been a Bugcrowd founder. There are few people with more experience and insight into how a security vulnerability should be handled, and why the explosion of AI is making all this much harder than it’s ever been before. While finding vulnerabilities is easy, reporting them is still a lot of work. Casey is working on helping everyone better understand all this with his disclose.io project. ...

Josh talks to Hans-Christoph Steiner about F-Droid, the Free and Open Source Android App Repository. The way F-Droid works looks a lot like a Linux distribution which has some interesting security challenges, but also some great security benefits. Hans walks us through the current state of open app repositories and also what the future currently looks like. There are more open phones than ever before, but there are also more challenges than ever before. Hans breaks it all down in an easy to understand way. ...

Josh talks to Kat Cosgrove about a how companies should be treating open source more like their critical infrastructure than free stuff. Kat has a ton of knowledge about how the interactions between companies and open source communities can work well, or not work at all. Kat’s time on the Kubernetes Release Team. We touch on how a project like Kubernetes is super successful, while another, Ingress NGINX, was not. It’s a super insightful discussion with a ton of lessons and advice for everyone. ...

Josh and David finish up the disaster recovery and emergency planning trilogy. In this one David tells us how to test the plan he told us how to build in the last episode. There are some great ideas in this one about how to test the process not the people. How to construct the plan, and even some tips to go from a plan to some actual real world testing. It’s another episode filled with great and practical advice. ...

There was recently a really good thread about the Copy Fail vulnerability between Will Dormann and Greg K-H. The TL;DR is that vulnerability reporting and disclosure is in a weird state of flux. This discussion got me wondering what’s going on, and I think we’re seeing the extremes emerging of how vulnerabilities have always worked. The middle of the bell curve has been removed. There are three groups in this story. The Security Researchers, the Companies, and Open Source developers. In the above discussion Will is a security research (one of the best I’ve ever seen). Greg is part of open source. There isn’t a great company representative, but that’s OK. ...

given enough eyeballs, all bugs are shallow – Linus’s Law A long time ago we thought Linus’s Law was a real thing and it was why open source was better than closed source. It seems pretty accepted now that Linus’s Law wasn’t ever really a thing. It’s far more likely the reason a lot of open source was pretty good is because the authors were worried someone WOULD look and judge them if the code looked like crap. We all have dark corners of private GitHub repos that are the code equivalent of a festering boil. ...

Josh has a discussion with Vlad-Stefan Harbuz about the Open Source Pledge as well as his recent FOSDEM talk. The Open Source Pledge is all about trying to build a sustainable universe for open source maintainers. This ties into Vlad’s FOSDEM talk which was all about the challenge of just knowing what open source you are using. The importance of trying to make open source sustainable is a really important topic, but it’s also a really hard topic. Vlad helps explain all of this as well as some ideas for the solving this in the future. ...

Josh welcomes back David Bernstein to talk about creating a disaster recover plan. It’s a very timely topic given all the current events. There are more supply chain attacks and compromises than ever before. There are some great resources for this planning, but as David tells us, it’s really not that hard to put some plans together. It’s easy to over-plan, David gives some great tips on getting started with our planning for an eventual incident. ...

Josh talks to Paul McCarty of Open Source Malware about … open source malware. Paul explains why there aren’t many good open source malware datasets. We discuss why the existing data is lacking for many use cases. We of course touch on AI and the malware in skills problems and challenges. It’s a fun discussion with a lot of new and interesting problems we all have to deal with. Episode Links Paul McCarty Open Source Malware Open Source Malware Blog This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...