Episode 290 – The security of the Matrix

Josh and Kurt talk about the security of the Matrix movie series. There was a new Matrix trailer that made us want to discuss some of the security themes. We talk about how the movie is very focused on computing in the 90s. How Neo probably ran Linux and they used a real ssh exploit.Continue reading “Episode 290 – The security of the Matrix”

Episode 288 – Linux Kernel compiler warnings considered dangerous

Josh and Kurt talk about some happenings in the Linux Kernel. There are some new rules around how to submit patches that goes against how GitHub works. They’re also turning all compiler warnings into errors. It’s really interesting to understand what these steps mean today, and what they could mean in the future. Show NotesContinue reading “Episode 288 – Linux Kernel compiler warnings considered dangerous”

Episode 286 – Open source supply chain with Google’s Dan Lorenc

Josh and Kurt talk to Dan Lorenc from Google about supply chain security. What’s currently going on in this space and what sort of new thing scan we look forward to? We discuss Google’s open source use, Project Sigstore, the SLSA framework and more. Show Notes Dan’s Twitter Sigstore SLSA Framework

Episode 282 – The security of Rust: who left all this awesome in here?

Josh and Kurt talk about a story from Microsoft declaring Rust the future of safe programming, replacing C and C++. We discuss how tooling affects progress and why this isn’t always obvious when you’re in the middle of progress. Show Notes Microsoft: Rust Is the Industry’s ‘Best Chance’ at Safe Systems Programming Josh’s devopsdays talkContinue reading “Episode 282 – The security of Rust: who left all this awesome in here?”

Episode 266 – The future of security scanning with Debricked

Josh and Kurt talk to Emil Wåreus from Debricked about the future of security scanners. Debricked is doing some incredibly cool things to avoid relying on humans for vulnerability identification and cataloging. Learn what the future of security scanning is going to look like. Show Notes Debricked Emil’s Linkedin

It’s time to fix CVE

The late, great, John Lewis is well known for a quote about getting into trouble. Never, ever be afraid to make some noise and get in good trouble, necessary trouble. It’s time to start some good trouble. Anyone who knows me, reads this blog, or follows me on Twitter, is well aware I have beenContinue reading “It’s time to fix CVE”

The Titanic of security

I listen to a lot of podcasts. A lot of podcasts. I was listening to the Dave and Gunnar Show podcast episode 212 with guest David A. Wheeler. The Titanic was used as an example of changing process after a security incident. This opened up a flood of thoughts to me, but not for theContinue reading “The Titanic of security”

Episode 253 – Defenders only need to be right once

Josh and Kurt talk about this idea that seems to exist in security of “attackers only need to be right once” which is silly. The reality is attackers have to get everything right, defenders really only need to get it right once. But “defenders only need to be right once” isn’t going to sell anyContinue reading “Episode 253 – Defenders only need to be right once”