
Episode 398 - Is only 11% of open source maintained?

Josh and Kurt talk about Sonatype’s 9th Annual State of the Software Supply Chain. There’s a ton of data in the report, but the thing we want to talk about is the statistic that only 11% of open source is actually being maintained. Do we think that’s true? Does it really matter?

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_398_Is_only_11_of_open_source_mainted.mp3

Show Notes
- Sonatype report
- ecosyste.ms
- GNOME libcue flaw
- Reality 2.0 supply chain episode

October 23, 2023

Episode 397 - The curl and glibc vulnerabilities

Josh and Kurt talk about a curl and glibc bug. The bugs themselves aren’t super interesting, but there are other conversations around the bugs that are interesting. Why don’t we just rewrite everything in Rust? Why can’t we just train developers to stop writing insecure code? How can AI solve this problem? It’s a marvelous conversation that ends on the very basic idea: we already have the security the market demands. Unless we change that demand, security won’t change. ...

October 16, 2023

Episode 396 - CLAs are bad, Mkay?

Josh and Kurt talk about contributor license agreements (CLAs). CLAs used to be seen as a necessary evil, but they’re almost certainly bad now. We’re seeing CLAs being abused, and it’s now clear that anything controlled by a CLA won’t be open source forever.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_396_CLAs_are_bad_Mkay.mp3

Show Notes
- A Theory of Joint Authorship for Free and Open Source Software Projects
- Bruce Perens: What Comes After Open Source

October 9, 2023

Episode 395 - Uncertainty, trust, and security

Josh and Kurt talk about uncertainty. There are a bunch of stories in the news lately that really just boil down to uncertainty. Uncertainty is incredibly dangerous for everyone. We are afraid of uncertainty, and often don’t really understand why that is. Trust is like a currency, and uncertainty erodes trust faster than almost anything else.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_395_Uncertainty_trust_and_security.mp3

Show Notes
- Unity’s license mess
- Godot
- Meta and Salesforce want to re-hire people they fired earlier this year
- U.S. Debt Credit Rating Downgraded, Only Second Time In Nation’s History

October 2, 2023

Episode 394 - The lie anyone can contribute to open source

Josh and Kurt talk about filing bugs for software. There’s the old saying that anyone can file bugs and submit patches for open source, but the reality is most people can’t. Filing bugs for both closed and open source is nearly impossible in many instances. Even if you want to file a bug for an open source project, there are a lot of hoops before it’s something that can be actionable. ...

September 25, 2023

Episode 393 - Can you secure something you don't own?

Josh and Kurt talk about the weird world we live in, where we can’t control a lot of our hardware. We don’t really have control over most devices we interact with on a daily basis. The conversation shifts into a question of how we can decide what to trust and where. It’s a very strange problem we experience now.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_393_Can_you_secure_something_you_dont_own.mp3

Show Notes
- Boots theory
- MGM cybersecurity issue shuts down slot machines and ATMs in Las Vegas casinos
- New York Fire Department Forcible Entry Reference Guide
- Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization

September 18, 2023

Episode 392 - Curl and the calamity of CVE

Josh and Kurt talk about why CVE is making the news lately. Things are not well in the CVE program, and it’s not looking like anything will get fixed anytime soon. Josh and Kurt have a unique set of knowledge around CVE. There’s a lot of confusion and difficulty in understanding how CVE works.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_392_Curl_and_the_calamity_of_CVE.mp3

Show Notes
- Curl blog post
- Now it’s PostgreSQL’s turn to have a bogus CVE
- GitHub Advisory Database
- Josh’s “CVE tried to get me fired” story

September 11, 2023

Episode 391 - The Wordpress 100 year disaster recovery problem

Josh and Kurt talk about WordPress selling web services with a 100 year lifespan. Will WordPress still be around in 100 years? What would 100 years of disaster recovery look like? Most of us will never need to think about 100 years of disaster recovery.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_391_The_Wordpress_100_year_disaster_recovery_problem.mp3

Show Notes
- WordPress is now selling 100-year domains
- Danish ransomware
- 15-Minute City
- The Year Without Pants

September 4, 2023

Episode 390 - Rust shipping binaries doesn't matter

Josh and Kurt talk about a blog post that explains how C and C++ compilers prioritize performance over correctness. This is the classic story of security vs usability. Security is never the primary goal. If a security requirement doesn’t also enable other business goals, it will fail. We also touch on the news of a Rust package containing binary files. It doesn’t really have anything to do with security; it’s all about convenience. ...

August 28, 2023

Episode 389 - What would HashiCorp do?

Josh and Kurt talk about the HashiCorp license change and copyright problems in open source. This isn’t the first and won’t be the last time we see this, but it’s very likely open source developers and communities will view any project that has a contributor license agreement as a problem moving forward.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_389_What_would_HashiCorp_do.mp3

Show Notes
- Josh’s BSidesLV talk
- Hacker News marked site as malware
- HashiCorp license change
- A Theory of Joint Authorship for Free and Open Source Software Projects

August 21, 2023