Tag Archives: npm
Episode 375 – The market forces of left-pad, Episode 77 remaster part 2
Josh and Kurt finish up the leftpad discussion. We spent a lot of time talking about how the market would respond to this sort of event, and the market did indeed speak: very little has changed. There is an aspect of all these security events where we need to understand the cost vs benefit just…
Episode 374 – The event we called left-pad, Episode 77 remaster part 1
Josh and Kurt revisit Episode 77, which was named “npm and the supply chain” but was a discussion about the incident we all now know as “leftpad”. We didn’t understand what was happening at the time, but this would become an event we talk about for years to come. It’s shocking how many of the…
Episode 370 – Open Source is bigger than you can imagine
Josh and Kurt talk about some data on the size of NPM. Josh wrote a blog post, and a report about the amount of SEO spam in NPM was released. Open source is enormous, and it’s mostly one person. It’s hard to imagine how this all works sometimes, and this lack of understanding can create…
Episode 353 – Jill Moné-Corallo on GitHub’s bug bounty program
Josh and Kurt talk to Jill Moné-Corallo about GitHub’s bug bounty and product security team. It’s a treat to discuss bug bounties with someone who is managing a very large bug bounty for one of the most important web sites in the world of software today.
Episode 342 – Programming languages are the new operating system
Josh and Kurt talk about programming language ecosystems tracking and publishing security advisory details. We are at a point in the language ecosystems where they are giving us services that have historically been reserved for operating systems.
Episode 332 – PyPI: 2FA or not 2FA, that is the question
Josh and Kurt talk about PyPI mandating two factor authentication for the top 1% of projects. It feels like a simple idea, but it’s not when you start to think about it. What problems does 2FA solve? How common are these attacks? What are the second and third order effects of mandating 2FA? This episode…
Episode 317 – The lack of compromise in security
Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no; there’s not much in the middle. The conversation ends up derailed by a Twitter thread about pinning dependencies, which gives you an idea of how contentious a topic pinning is. The final takeaway is not to…
Episode 316 – You have to use open source
Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it’s probably OK. Kurt fixes Linus’s Law: in open source the superpower isn’t that bugs are shallow (they’re not); the superpower is that security bugs in open source can’t be ignored.
Episode 309 – The bright future of open source security
Josh and Kurt talk about NPM requiring 2FA for the top 100 packages. We discuss the new Alpha and Omega projects from the OpenSSF and what they could mean for the future of open source security. Then we end on a note about the new Samba critical vulnerability. Show Notes: NPM requires 2FA; OpenSSF Alpha and Omega; David…
Episode 306 – Open source isn’t broken, it’s an experience
Josh and Kurt talk about the faker and colors NPM events. There is a lot of discussion around open source being broken or somehow failing because of these events. The real answer is that open source is an experience: how we interact with our dependencies determines what the experience looks like. Show Notes: Developer corrupts colors and faker; Will…