Josh and Kurt talk to Jill Moné-Corallo about GitHub’s bug bounty and product security team. It’s a treat to discuss bug bounties with someone who is managing a very large bug bounty for one of the most important web sites in the world of software today. Show Notes
Tag Archives: npm
Episode 342 – Programming languages are the new operating system
Josh and Kurt talk about programming language ecosystems tracking and publishing security advisory details. We are at a point in the language ecosystems where they are giving us services that have historically been reserved for operating systems. Show Notes
Episode 332 – PyPI: 2FA or not 2FA, that is the question
Josh and Kurt talk about PyPI mandating two factor authentication for the top 1% of projects. It feels like a simple idea, but it’s not when you start to think about it. What problems does 2FA solve? How common are these attacks? What are the second and third order effects of mandating 2FA? This episodeContinue reading “Episode 332 – PyPI: 2FA or not 2FA, that is the question”
Episode 317 – The lack of compromise in security
Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there’s not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This gives you an idea how contentious of a topic pinning is. The final takeaway is not toContinue reading “Episode 317 – The lack of compromise in security”
Episode 316 – You have to use open source
Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it’s probably OK. Kurt fixes Linus’ Law, in open source the superpower isn’t bugs are shallow (they’re not), the superpower is security bugs in open source can’t be ignored. Show NotesContinue reading “Episode 316 – You have to use open source”
Episode 309 – The bright future of open source secuirty
Josh and Kurt talk about NPM requiring 2FA for the top 100 packages. We discuss the new Alpha and Omega projects from the OpenSSF and what it could mean for the future of open source security. Then we end on a note about the new Samba critical vulnerability. Show Notes NPM requires 2FA OpenSSF Alpha and Omega DavidContinue reading “Episode 309 – The bright future of open source secuirty”
Episode 306 – Open source isn’t broken, it’s an experience
Josh and Kurt talk about the faker and colors NPM events. There is a lot of discussion around open source being broken or somehow failing because of these events. The real answer is open source is an experience. How we interact with our dependencies determines what the experience looks like. Show Notes Developer corrupts colors and faker WillContinue reading “Episode 306 – Open source isn’t broken, it’s an experience”
Open Source Security 