Josh and Kurt talk about the security.txt file. It’s not new, but it’s not something we’ve discussed before. It’s a great idea, an easy format, and well defined. It’s not high on many of our todo lists, but it’s something worth doing. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_422_Do_you_have_a_securitytxt_file.mp3 Show Notes RFC 9116
Josh and Kurt talk about the new SSDF attestation form from CISA. The current form isn’t very complicated, and the SSDF has a lot of room for interpretation. But this is the start of something big. It’s going to take a long time to see big changes in supply chain security, but we’re confident they will come. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_421_CISA_new_SSDF_attestation_form.mp3 Show Notes Secure Software Development Attestation Form The U.S. Military Is Missing Six Nuclear Weapons NIST 800-218
Josh and Kurt talk about what’s going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it’s sent shock-waves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is things won’t go back to the way they were. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_420_Whats_going_on_at_NVD.mp3 Show Notes Anchore’s Blog Grype Josh’s Cyphercon Talk Ecosyste.ms Episode 266 – The future of security scanning with Debricked
Josh and Kurt talk about an attack against GitHub where attackers are creating malicious repositories then artificially inflating the number of stars and forks. This is really a discussion about how can we try to find signal in all the noise of a massive ecosystem like GitHub. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_419_Malicious_GitHub_repositories.mp3 Show Notes GitHub besieged by millions of malicious repositories in ongoing attack
Josh and Kurt talk about recent stories about data breaches, flipper zero banning, and realistic security. We have a lot of weird challenges in the world of security, but hard problems aren’t impossible problems. Sometimes we forget that. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_418_Being_right_all_the_time_is_hard.mp3 Show Notes Mon Dieu! Nearly half the French population have data nabbed in massive breach Feds move to ban auto theft tech device ‘Flipper Zero’ Gmail and Yahoo’s 2024 inbox protections and what they mean for your email program Vending machine error reveals secret face image database of college students
Josh and Kurt talk to GregKH about Linux Kernel security. We most focus on the topic of vulnerabilities in the Linux Kernel, and what being a CNA will mean for the future of Linux Kernel security vulnerabilities. The future of Linux Kernel security vulnerabilities is going to be very interesting. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_417_Linux_Kernel_security_with_Greg_K-H.mp3 Show Notes Greg K-H Linux Kernel is a CNA Machine learning and stable kernels Bug reporting for Linux
Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected Thomas drops a huge amount of knowledge on what’s happening in open source. We close the show with a lot of ideas around how to move the needle for open source. It’s not easy, but it is possible. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_416_Thomas_Depierre_on_open_source_in_Europe.mp3 Show Notes Thomas Depierre I am not a supplier Open Source In The European Legislative Landscape devroom Cyber Resilience Act The 2023 Tidelift state of the open source maintainer report
Josh and Kurt talk about a blog post explaining how to create a very very small container image. Generally in the world of security less is more, but it’s possible to remove too much. A lot of today’s security tooling relies on certain things to exist in a container image, if we remove them we could actually result in worse security than leaving it in. It’s a weird topic, but probably pretty important. ...
Josh and Kurt talk about open source projects proving builds, and things nobody wants to pay for in open source. It’s easy to have unrealistic expectations for open source projects, but we have the open source that capitalism demands. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_414_The_exploited_ecosystem_of_open_source.mp3 Show Notes Open Source Doesn’t Require Providing Builds The things nobody wants to pay for Audacity privacy policy update has caused an outcry The History of X11
Josh and Kurt talk about an attack against PyTorch and NPM. The PyTorch attack shows the difficulty of operating a large open source project. The NPM situation continues to show the difficulty in trying to backdoor open source. Many people are watching, and it only takes one person to notice a problem and report it, and we all benefit. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_413_PyTorch_and_NPM_get_attacked_but_its_OK.mp3 Show Notes Peanut Butter the dog plays Gyromite The Wizard movie PyTorch supply chain attack npm Package Found Delivering Sophisticated RAT Deceptive Deprecation: The Truth About npm Deprecated Packages Changing a lightbulb Spelunking the Bitcoin Blockchain with Josh Bressers | CypherCon 4.0 Operation Triangulation - What You Get When Attack iPhones of Researchers 9th Annual State of the Software Supply Chain