
Episode 429 - The autonomy of open source developers

Josh and Kurt talk about open source and autonomy. This is even related to some recent return-to-office news. The conversation weaves between a few threads, but fundamentally there are some questions about why people do what they do, especially in the world of open source. This is also a problem we see in security: security people love to tell developers what to do, and developers don't like being told what to do. ...

May 20, 2024

Episode 363 - Joylynn Kirui from Microsoft on DevSecOps

Josh and Kurt talk to Joylynn Kirui about DevSecOps in the Microsoft universe. Joylynn gives us an overview of the current state of devops and tells us about some of the tools Microsoft has made available to the open source universe. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_363_Joylynn_Kirui_from_Microsoft_on_De_SecOps.mp3 Show Notes Joylynn Kirui Joylynn on DVT Tech Insights Episode 174 - a chat with GitHub about CodeQL S2C2F Azure Open Source Day

February 20, 2023

Episode 333 - Open Source is unfair

Josh and Kurt talk about Microsoft creating a policy of not allowing anyone to charge for open source in their app store. This policy was walked back quickly, but it raises some questions about how fair or unfair open source really is. It’s mostly unfair to developers if you look at the big picture. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_333_Open_Source_is_unfair.mp3 Show Notes Syft Grype Microsoft bans and unbans open source Tidelift survey Bruce Perens - What comes after open source

July 25, 2022

Episode 291 - Everyone sucks at vulnerability disclosure

Josh and Kurt talk about recent events around Apple and Microsoft disclosing security vulnerabilities. Microsoft usually does a good job, but Apple has a long history of not having a great bug bounty or vulnerability disclosure policy. None of this is simple, but hopefully you’ll have some fun and learn a bit about the whole vulnerability disclosure process. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_291_Everyone_sucks_at_vulnerability_disclosure.mp3 Show Notes Apple 0days Microsoft Exchange flaw THIS IS HOW THEY TELL ME THE WORLD ENDS Linux Foundation Vulnerability Disclosure Timezone problem

October 4, 2021

Episode 280 - The perils of Single Sign On

Josh and Kurt talk about what happens when you lose access to your Single Sign On provider. These providers have become critical to many of us; if we lose access to our SSO account, we lose access to many services. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_280_The_perils_of_Single_Sign_On.mp3 Show Notes Postbank

July 19, 2021

Episode 263 - GitHub pulls exploits, LinuxFoundation sign all the things

Josh and Kurt talk about how terrible daylight savings is, GitHub yanking some exploit code, and the Linux Foundation's new project to sign all the things. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_263_GitHub_pulls_exploits_LinuxFoundation_sign_all_the_things.mp3 Show Notes Researcher Publishes Code to Exploit Microsoft Exchange Vulnerabilities on Github GitHub content restrictions Reproducing the Microsoft Exchange Proxylogon Exploit Chain

March 22, 2021

Episode 212 - Grab Bag: The Security We Deserve Edition

Josh and Kurt talk about Chromium sending traffic to root DNS servers. Telemetry watching what we do. Cryptocurrency scams and a few other random topics. Also pandas. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_212_Grab_Bag_The_Security_We_Deserve_Edition.mp3 Show Notes Blanket rack Chromium DNS traffic Ubuntu MOTD Microsoft telemetry YAM coin implodes Panda Cubs

August 31, 2020

Episode 211 - The only thing harder than signing files is managing users

Josh and Kurt talk about Microsoft's two-year-old signature bug and GitLab no longer processing MFA resets for free users. Signing things is hard, but trying to manage users and infrastructure at scale is even harder. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_211_The_only_thing_harder_than_signing_files_is_managing_users.mp3 Show Notes Microsoft signed jar bug GitLab Support is no longer processing MFA resets for free users Someone Is Hijacking Tor Exit Nodes to Conduct MITM Attacks

August 24, 2020

Episode 201 - We broke CVSSv3, now how do we fix it?

Josh and Kurt talk about CVSSv3 and how it's broken. We started with a blog post to explain why the NVD CVSS scores are so wrong, and we ended up researching CVSSv3 and finding out it's far more broken than any of us expected, in ways we didn't expect. NVD isn't broken, CVSSv3 is. How did we get here? Are there any options that work today? Where should we go next? ...

June 15, 2020