Open-Source

Josh and Kurt talk about a story that discusses a story from Black Hat that references supply chains. There’s a ton of doom and gloom around our software supply chains and much of the advice isn’t realistic. If we want to take this seriously we need to stop obsessing over the little problems and focus on some big problems. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_443_The_Supply_Chain_Security_Crisis.mp3 Show Notes Black Hat USA 2024: Key Takeaways from the Premier Cybersecurity Event The Reason Train Design Changed After 1948

Josh and Kurt talk about CWE. What is it, and why does it matter. We cover some history, some shortcomings, and some ideas on how CWE could be used to make security a lot better. We frame the future discussion around the OWASP top 10 list. We should be putting more effort into removing removing entire classes of vulnerabilities. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_441_Is_CWE_useful.mp3 Show Notes CWE Episode 360 – Memory safety and the NSA Inside 22,734 Steam games

Josh and Kurt talk about a presentation Josh recently gave that was supposed to be about how open source works. The talk was the wrong topic for a security crowd, but there’s a lot of interesting details in the questions and comments that emerged. It’s clear a lot of security people don’t really care about the fine details about what open source is, their primary goal is to help keep development secure. ...

Josh and Kurt talk about a story talking about the “graying” of open source. There doesn’t seem to be many young people working on open source, but we don’t really know why that is. There are many thoughts, but a better question is why should anyone get involved in open source anymore? The world has changed quite a lot since open source was created. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_439_Where_are_all_the_youth_in_open_source.mp3 Show Notes The graying open source community needs fresh blood OSPOs for Good 2024 Day 1 Part 1 Day 1 Part 2 Day 2 Part 1 Day 2 Part 2 FFmpeg bug JSON Editor Online https://rfc3339.com/

Josh and Kurt talk about two documents from the US government that discuss open source in very different ways. The CISA document lays out a way to measure open source, but we take issue with the idea of trying to measure which open source projects are “good”. The Whitehouse on the other hand takes an approach that is very open source, get involved. Trying to measure open source isn’t producing anything actionable, but getting involved is very actionable, and very much how open source works. ...

Josh and Kurt talk about a pretty big bug found in CocoPods ownership. We also touch on a paper that discusses the technical debt that open source should have. We discuss what the long term sustainability of open source. There aren’t any good solutions for open source today, but talking about these problems is important, we have to start to understand what’s going on before we can plausibly discuss solutions. If you’re an open source project that needs to put things on pause, or even walk way, that’s OK. ...

Josh and Kurt talk about the latest polyfill.io mess. Apparently someone took over a very popular project and started to serve malware. First XZ, now this. What does it mean for open source? We don’t have any answers, and it’s hard to even talk about this problem because it’s so big. The thing is though, even if we can’t fix open source, it’s here to stay. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_435_polyfill_io_open_source_is_too_big_to_fix.mp3 Show Notes Polyfill supply chain attack hits 100K+ sites OpenSSF Scorecard

Josh and Kurt talk about a Notepad++ fake website. It’s possibly not illegal, but it’s certainly ethically wrong. We also end up discussing why it seems like all these weird and wild things keep happening. It’s probably due to the massive size of open source (and everything) now. Things have gotten gigantic and we didn’t really notice. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_424_The_Notepad_Parasite_Website.mp3 Show Notes Help us to take down the parasite website Open Source is bigger than you can imagine Toronto Pearson International Airport heist

Josh and Kurt talk to Thomas Depierre about some of the European efforts to secure software. We touch on the CRA, MDA, FOSDEM, and more. As expected Thomas drops a huge amount of knowledge on what’s happening in open source. We close the show with a lot of ideas around how to move the needle for open source. It’s not easy, but it is possible. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_416_Thomas_Depierre_on_open_source_in_Europe.mp3 Show Notes Thomas Depierre I am not a supplier Open Source In The European Legislative Landscape devroom Cyber Resilience Act The 2023 Tidelift state of the open source maintainer report

Josh and Kurt talk about open source projects proving builds, and things nobody wants to pay for in open source. It’s easy to have unrealistic expectations for open source projects, but we have the open source that capitalism demands. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_414_The_exploited_ecosystem_of_open_source.mp3 Show Notes Open Source Doesn’t Require Providing Builds The things nobody wants to pay for Audacity privacy policy update has caused an outcry The History of X11