Ecosyste.ms

I chat with Aaron Lippold, creator of MITRE’s Security Automation Framework (SAF), to discuss how to escape the pain of manual STIG compliance. We explore the technical details of open-source tools like InSpec, Heimdall, and Vulcan that automate validation, normalize diverse security data, and streamline the entire security authoring process. Episode Links Aaron MITRE SAF This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

I recently chatted with Andrew Nesbitt about his project, Ecosyste.ms. Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more. With this dataset Andrew is able to incredible insights into the world of open source. We chat all about how Ecosyste.ms works and how he manages to wrangle all this data. Episode Links Andrew Ecosyste.ms Open Collective OpenSSF Issue 101 This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

Josh and Kurt talk about what’s going on at the National Vulnerability Database. NVD suddenly stopped enriching vulnerabilities, and it’s sent shock-waves through the vulnerability management space. While there are many unknowns right now, the one thing we can count on is things won’t go back to the way they were. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_420_Whats_going_on_at_NVD.mp3 Show Notes Anchore’s Blog Grype Josh’s Cyphercon Talk Ecosyste.ms Episode 266 – The future of security scanning with Debricked

Josh and Kurt talk about Sonatype’s 9th Annual State of the Software Supply Chain. There’s a ton of data in the report, but the thing we want to talk about is the statistic that only 11% of open source is actually being maintained. Do we think that’s true? Does it really matter? https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_398_Is_only_11_of_open_source_mainted.mp3 Show Notes Sonatype report ecosyste.ms GNOME libcue flaw Reality 2.0 supply chain episode