Episode 366 – Software liability is coming

Josh and Kurt talk about the number of dependencies that is now normal. Keeping track of thousands of dependencies used to be impressive, now it’s normal. In what instances should we know everything about our open source? The days of being able to ignore your software liability is looking like it’s coming to an end.Continue reading “Episode 366 – Software liability is coming”

Episode 365 – “I am not your supplier” with Thomas Depierre

Josh and Kurt talk to Thomas Depierre about his “I am not a supplier” blog post. We drink from the firehose on this one. Thomas describes the realities and challenges of being an open source maintainer. What open source and society owe each other. How safety can help describe what we see. There’s too manyContinue reading “Episode 365 – “I am not your supplier” with Thomas Depierre”

Episode 357 – Is open source being overexploited?

Josh and Kurt talk about how to think about open source in the context of society. Open source is more like a natural resource than a supplier. It’s common to think of open source projects as delivered to us, but it’s more like acquiring raw materials from the forest. The problem is we’re harvesting theContinue reading “Episode 357 – Is open source being overexploited?”

The perverse incentive of vulnerability counting

It seems like every few years the topic of counting vulnerabilities in products shows up. Last time the focus seemed to be around vulnerabilities in Linux distributions, which made distroless and very small container images popular. Today it seems to be around the vulnerabilities in open source dependencies. The general idea is you want toContinue reading “The perverse incentive of vulnerability counting”

Episode 338 – The government didn’t make vulnerabilities illegal. Yet.

Josh and Kurt talk about the recent National Defense Authorization Act that requires security vulnerabilities to be fixed. What does this mean for us, is it as bad as some people are claiming it is? It’s actually not a huge deal, for most of us it’s really just time to deal with product security. ShowContinue reading “Episode 338 – The government didn’t make vulnerabilities illegal. Yet.”

Episode 330 – The sliding scale of risk: seeing the forest for the trees

Josh and Kurt talk about the challenge of dealing with vulnerabilities at a large scale. We tend to treat every vulnerability equally when they are not equal at all. Some are trees we have to pay very close attention to, and some are part of a larger forest that can’t be treated as individual vulnerabilities.Continue reading “Episode 330 – The sliding scale of risk: seeing the forest for the trees”

Episode 320 – Security Twitter is not the real world

Josh and Kurt talk about a survey about a TuxCare patch management and vulnerability detection. Sometimes our security bubble makes us forget what it’s like in the real world for the people who keep our infrastructure running. Patching isn’t always immediate, automation doesn’t fix everything, and accepting risk is very important. Show Notes State of Enterprise Vulnerability DetectionContinue reading “Episode 320 – Security Twitter is not the real world”

Episode 318 – Social engineering and why zlib got a 2018 CVE ID

Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don’t yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022.Continue reading “Episode 318 – Social engineering and why zlib got a 2018 CVE ID”