
Episode 327 - The security of alert fatigue

Josh and Kurt talk about a funny GitHub reply that notified 400,000 people. It’s fun to laugh at this, but it’s an easy opening for discussing alert fatigue and why it’s important to be very mindful of our communications.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_327_The_security_of_alert_fatigue.mp3

Show Notes: GitHub 400K notifications; Hacker News thread; Reddit user TV Bluetooth

June 13, 2022

Episode 326 - Big fat containers

Josh and Kurt talk about containers. There are a lot of opinions around what type of container is best. Back when it all started there were only huge distro-sized containers. Now we have a world with many different container types and sizes. Is one better?

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_326_Big_fat_containers.mp3

Show Notes: Programming in the Apocalypse; Bob Diachenko; Paranoids Podcast

June 6, 2022

Episode 325 - Is one open source maintainer enough?

Josh and Kurt talk about a recent OpenSSF issue that asks how many maintainers a “healthy” open source project should have. Josh did some research that shows the overwhelming majority of packages have one maintainer. What does that mean?

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_325_Is_one_open_source_maintainer_enough.mp3

Show Notes: OpenSSF TAC Issue 101

May 30, 2022

Episode 324 - WTF is up with WFH

Josh and Kurt talk about the whole work-from-home debate. It seems like there are a lot of very silly excuses for why working from home is bad. We’ve both been working from home for a long time and have a chat about the topic. There’s not much security in this one, but it is a fun discussion.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_324_WTF_is_up_with_WFH.mp3

Show Notes: Boris Johnson blames cheese; Apple and WFH

May 23, 2022

Episode 323 - The fake 7-Zip vulnerability and SBOM

Josh and Kurt talk about a fake 7-Zip security report. It’s pretty clear that everyone is running open source all the time. We end on some thoughts around what an SBOM is good for, and who should be responsible for them.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_323_The_fake_7Zip_vulnerability_and_SBOM.mp3

Show Notes: Probably fake 7-Zip

May 16, 2022

Episode 322 - Adam Shostack on the security of Star Wars

Josh and Kurt talk to Adam Shostack about his new book “Threats: What Every Engineer Should Learn From Star Wars”. We discuss some of the lessons and threats in the Star Wars universe (it’s an old code, I hear). We also discuss whether Star Wars is better than Star Trek for teaching security (it probably is). It’s a fun conversation and sounds like an amazing book.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_322_Adam_Shostack_on_the_security_of_Star_Wars.mp3

Show Notes: Adam Shostack; Adam’s Website; The book

May 9, 2022

Episode 321 - Relativistic Security: Project Zero on 0day

Josh and Kurt talk about the Google Project Zero blog post about 0day vulnerabilities in 2021. There were a lot more than ever before, but why? Part of the challenge is that the whole industry is expanding while a lot of our security technologies are not. When the universe around you is expanding but you’re staying the same size, you are actually shrinking.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_321_Relativistic_Security_Project_Zero_on_0day.mp3

Show Notes: Google Project Zero blog post; Apple 0days; Joint cyber advisory

May 2, 2022

Episode 320 - Security Twitter is not the real world

Josh and Kurt talk about a TuxCare survey on patch management and vulnerability detection. Sometimes our security bubble makes us forget what it’s like in the real world for the people who keep our infrastructure running. Patching isn’t always immediate, automation doesn’t fix everything, and accepting risk is very important.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_320_Security_Twitter_is_not_the_real_world.mp3

Show Notes: State of Enterprise Vulnerability Detection and Patch Management; CISA Known Exploited Vulnerabilities Catalog; Google 0days

April 25, 2022

Episode 319 - Patch Tuesday with a capital T

Josh and Kurt talk about the large number of security vulnerabilities in this month’s Patch Tuesday. There’s also a new Git vulnerability. This sparks the age-old question of how fast to patch. The answer isn’t binary; the right answer is whatever works best for you, not what someone tells you is best.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_319_Patch_Tuesday_with_a_capital_T.mp3

Show Notes: Patch Tuesday; Git security update

April 18, 2022

Episode 318 - Social engineering and why zlib got a 2018 CVE ID

Josh and Kurt talk about hackers using fake emergency data requests to gain access to sensitive data. The argument that backdoors can somehow be protected runs into this same problem: we don’t yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022.

Audio: https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_318_Social_engineering_and_why_zlib_got_a_2018_CVE_ID.mp3

Show Notes: Hackers using fake emergency data requests; CVE-2018-25032; Global Security Database

April 11, 2022