Vulnerabilities

In this episode Seth Larson gives us a cornucopia of topics relating to Python security. Seth discusses the Python Software Foundation’s decision to reject a significant grant NSF. Diversity is a big deal to python, so this was a no brainier. We discuss the upcoming PyCon US conference, featuring a new security track that fosters collaboration between developers and security experts. Josh is a huge fan of having a security track at developer conferences. And we close on a paper about zip and tar archives Seth wrote. It seems like we should have zip and tar security figured out by now, but we don’t. Thankfully Seth is working on it. ...

I chat with Joshua Rogers about a blog post he wrote as well as some bugs he submitted to the curl project. Joshua explains how he went searching for some AI tools to help find security bugs, and found out they can work, if you’re a competent human. We discuss the challenges of finding effective tools, the importance of human oversight in triaging vulnerabilities, and how to submit those bugs to open source projects responsibly. It’s a very sane and realistic conversation about what AI tools can and can’t do, and how humans should be interacting with these things. ...

In this episode I chat with the authors of a recent paper on open source security: Open Source, Open Threats? Investigating Security Challenges in Open-Source Software. I chat with Ali Akhavani and Behzad Ousat about their findings. There are interesting data points in the paper such as a 98% increase in reported vulnerabilities compared to a 25% growth in open source ecosystems. We discuss the challenges of maintaining security in a rapidly expanding digital landscape, and learn about the role of community engagement and automated tools in addressing these discrepancies. It’s a great paper and a fantastic discussion. ...

Josh and Kurt talk about the question will we ever fix all the vulnerabilities? The question came from Reddit and is very reasonable, but it turns out this is REALLY hard to discuss. The answer is of course “no”, but why it is no is very complicated. Far more complicated than either of us thought it would be. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_304_Will_we_ever_fix_all_the_vulnerabilities.mp3 Show Notes Will cyber security vulnerabilities ever “stop existing” ?