Open Source Security is a media project to help showcase and educate on open source security. Our goal is to give the community a platform to educate both developers and users on how open source security works. There’s a lot of good work happening that doesn’t get attention because there’s no marketing department behind it; they don’t have a developer relations team posting on LinkedIn every two hours. Let’s focus on those people and teams, then learn what they do and how they do it. The goal is ...

The NDS Show - An Intelligence Community Podcast covering Geospatial Intelligence, Open Source Intelligence OSINT, Human Intelligence HUMINT, Military & National Security
The NDS Show
Unlock a world of valuable insights and thought-provoking discussions related to the Special Forces, Military, and Intelligence Community (CIA, NSA, NGA, FBI, Military Intelligence). Things we discuss: GEOINT, OSINT, HUMINT, SIGINT, SOF, Special Forces, Military, Veterans Issues, Army, Navy, Marines, Air Force, Entrepreneurship, Geopolitics, News, Politics, Technology, Artificial Intelligence, Augmented Reality, Cloud Computing, Data Analytics, Government Contracting, Defense Contracting, Bu ...

Talos Linux security with Andrey Smirnov
38:04
In this episode, I discuss the security features of Talos Linux with Andrey Smirnov. Andrey explains how Talos focuses on immutability and a minimal attack surface. Discover how these enhancements fortify your systems against vulnerabilities, ensuring a secure and resilient infrastructure. Join us as we explore the security advancements that…

Discussing the Open Source, Open Threats? paper with Behzad and Ali
34:59
In this episode I chat with the authors of a recent paper on open source security: Open Source, Open Threats? Investigating Security Challenges in Open-Source Software. I chat with Ali Akhavani and Behzad Ousat about their findings. There are interesting data points in the paper such as a 98% increase in reported vulnerabilities compared to a 25% g…

crates.io trusted publishing with Tobias Bieniek
25:39
In this episode we discuss crates.io trusted publishing with Tobias Bieniek. We cover the steps crates.io is taking to enhance supply chain security through trusted publishing, a method that leverages short-lived tokens and GitHub Actions to safeguard against unauthorized access. Tobias shares insights into the challenges of managing a large-scale …

In this episode I chat with Patrick Garrity from VulnCheck. We discuss the chaos that has enveloped the CVE and NVD programs over the past two years. We cover some of the transparency and communication challenges with the existing program. We cover some of the new things that have started to emerge as well as why they seem to be struggling. We end on t…

GCVE with Cédric Bonhomme and Alexandre Dulaunoy
31:38
In this episode I discuss GCVE and Vulnerability-Lookup with Alex and Cedric from CIRCL. GCVE offers a decentralized approach, allowing organizations to assign their own IDs and publish vulnerabilities independently. Vulnerability-Lookup is the tool that makes GCVE a reality. The flexibility addresses many of the limitations we see today with a sin…

EU Regulations will change everything with Daniel Thompson
31:57
In this episode, we dive into the Product Liability Directive and Cyber Resilience Act with Daniel Thompson, CEO of Crab Nebula. The EU's new legislative framework impacts manufacturers in ways we don't totally understand, but is going to bring substantial changes to how companies use and develop open source. Daniel explains the broader implicatio…

OSINT AI Tech Predicts Global Threats and Powers Risk Strategies - SEERIST's John Goolgasian
1:14:55
Open Source Intelligence powered by Artificial Intelligence to track global security threats, empower military intelligence operations, mitigate environmental disasters, and predict operational risks. John Goolgasian, President of SEERIST federal, shares his journey from the intelligence community with Geospark Analytics and leading innovation at Se…

Open source microprocessors with Jan Pleskac
30:51
In this episode Jan Pleskac, CEO and co-founder of Tropic Square, shares insights on the challenges and innovations in creating open and auditable hardware. While most hardware is very closed, Tropic Square is working to change this. We discuss how open source can enhance security, the complexities of integrating third-party technologies, and the f…

Package URLs with Philippe Ombredanne
36:48
I'm joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages. We dive into how PURLs provide a universal, common-sense standard that is becoming essential for the future of SBOMs and securing the software supply chain. The show notes a…

Hobbyist Maintainers with Thomas DePierre
49:03
Thomas DePierre joins Open Source Security to discuss the central idea from his blog post, "You are all on the hobbyist maintainers turf now," exploring the massive disconnect between the corporate world that consumes open source and the hobbyist community that actually produces it. The conversation reveals this isn't a new problem, but a long-stan…

STIG automation with Aaron Lippold
33:28
I chat with Aaron Lippold, creator of MITRE's Security Automation Framework (SAF), to discuss how to escape the pain of manual STIG compliance. We explore the technical details of open-source tools like InSpec, Heimdall, and Vulcan that automate validation, normalize diverse security data, and streamline the entire security authoring process. The s…

I recently chatted with Andrew Nesbitt about his project, Ecosyste.ms. Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more. With this dataset Andrew is able to provide incredible insights into the world of open source. We chat all about how Ecosyste.ms works and how he manages to wrangle all this data. The s…

Daniel Stenberg, the maintainer of Curl, discusses the increase in AI security reports that are wasting the time of maintainers. We discuss Curl's new policy of banning the bad actors while establishing some pretty sane AI usage guidelines. We chat about how this low-effort, high-impact abuse pattern is a denial-of-service attack on the curl projec…

Repository signing with Kairo De Araujo
33:29
I recently had a chat with Kairo about a project he maintains called Repository Service for TUF (RSTUF). We explain why TUF is tough (har har har), what RSTUF can do, and some of the challenges around securing repositories. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-05-rstuf-with-kairo-de-a…

Securing GitHub Actions with William Woodruff
31:50
William Woodruff discussed his project, Zizmor, a security linter designed to help developers identify and fix vulnerabilities within their GitHub Actions workflows. This tool addresses inherent security risks in GitHub Actions, such as injection vulnerabilities, permission issues, and mutable tags, by providing static analysis and remediation guid…

Embedded Security with Paul Asadoorian
34:24
Recently, I had the pleasure of chatting with Paul Asadoorian, Principal Security Researcher at Eclypsium and the host of the legendary Paul's Security Weekly podcast. Our conversation dove into the often-murky waters of embedded systems and the Internet of Things (IoT), sparked by a specific vulnerability discussion on Paul's show concerning refer…

tj-actions with Endor Labs' Dimitri Stiliadis
32:39
Dimitri Stiliadis, CTO from Endor Labs, discusses the recent tj-actions/changed-files supply chain attack, where a compromised GitHub Action exposed CI/CD secrets. We explore the impressive multi-stage attack vector and the broader, often-overlooked vulnerabilities in our CI/CD pipelines, emphasizing the need to treat these build systems with produc…

Syft, Grype, and Grant with Alan Pope
31:04
I chat with Alan Pope about the open source security tools Syft, Grype, and Grant. These tools help create Software Bills of Materials (SBOMs) and scan for vulnerabilities. Learn why generating and storing SBOMs is crucial for understanding your software supply chain and quickly responding to new threats like Log4Shell. The show notes and blog post…

Aaron Frost explores the overly complex world of vulnerability identifiers for end of life software. We discuss how incomplete CVE reporting creates blind spots for users while arming attackers with knowledge. The conversation uncovers the ethical tensions between resource constraints and security transparency, highlighting why the "vulnerable unti…

cargo-semver-checks with Predrag Gruevski
33:35
Cargo Semver Checks is a Rust tool by Predrag Gruevski that is tackling the problem of broken dependencies that cost developers time when trying to upgrade dependencies. Predrag's work shows how automated checks can catch breaking changes before they're released, potentially saving projects from unexpected failures and making dependency updates les…

Distributed CI and Git with Lars Wirzenius
27:27
Lars Wirzenius discusses his innovative CI/CD system Ambient, which uses isolated virtual machines without network access to enhance security, and his work on Radicle, a peer-to-peer Git collaboration platform. Together, these projects offer a glimpse into a more distributed future for software development, addressing key challenges in current CI/C…

FIDO authentication with William Brown
29:26
William Brown tells us all about how confusing and complicated the FIDO authentication universe is. He talks about everything from WebAuthn implementation challenges to flaws in the FIDO metadata service that affect how hardware tokens are authenticated against. The conversation covers the spectrum of hardware security key quality, attestation mechanisms, and the …

In this episode, open source legal expert Luis Villa breaks down what the EU's Cyber Resilience Act means for developers and businesses, exploring carve-outs for individual contributors and the complex relationship between security and sustainability. Luis provides practical guidance on navigating this evolving regulatory landscape while explaining…

Open Source Malware with Brian Fox
30:18
Brian Fox discusses findings from a recent Sonatype report about the growing challenge of malicious packages in open source repositories. At the time of recording there are now over 820,000 malware packages in public repositories. Brian explains why certain ecosystems are more vulnerable than others and how behavioral detection methods can identify…

Open Source Foundations with Kelley Misata of Suricata
31:45
In this episode Open Source Security talks to Dr. Kelley Misata about the Open Information Security Foundation (OISF). The way OISF is managing Suricata through a foundation is super interesting. There are a lot of lessons in this one for both open source projects and existing open source foundations. The blog post for this episode can be found at h…

The UNTOLD Sacrifice of Law Enforcement (Extreme Violence & Scandals) | ATF Agent Peter Forcelli
1:25:11
Former ATF agent Peter Forcelli exposes government failures, corruption, and the reality of law enforcement operations. ✅ Subscribe here on YouTube From Operation Fast and Furious to the Parkland school shooting, Forcelli provides an insider’s perspective on some of the most controversial topics in U.S. law enforcement. 🔹 Topics Covered: The real r…

Forking Open Source Projects with Sheogorath
22:14
In this episode Open Source Security chats with Sheogorath about the HedgeDoc project's journey from HackMD to CodiMD and finally to HedgeDoc. We learn what forking a project looks like, including license changes (MIT to AGPL), security vulnerability management across different codebases, naming challenges, and infrastructure migrations. The conversati…

Overcoming Adversity and Lifting Yourself Up with Joe O'Connor
1:08:14
Motivation and Inspiration from Joe O'Connor, mastering personal development and life lessons from defeating death and overcoming insurmountable obstacles. ✅ Subscribe on YouTube In this powerful episode of The NDS Show, Joe O’Connor shares his incredible story of survival, resilience, and transformation. From dying three times at age 14 to breaking…

The MINDBLOWING Meaning behind the HEROIC Monuments of Austin Weishel
54:36
This is a very visual episode!!! Subscribe on YouTube Austin Weishel, a bronze sculptor, joins to discuss his art honoring Green Beret special forces, military heroes, veterans, first responders like police officers & fire fighters, and Betty White! From sculpting the Trojan Horse monument for the 10th Special Forces Group to the Nevada State Firefigh…

Patching EOL Open Source with Aaron Frost
22:53
In this episode, Open Source Security chats with Aaron Frost, CEO of Hero Devs, about the world of maintaining end-of-life open source software. Aaron explains how EOL versions of open source work and how backporting security fixes can help maintain compliance. In the discussion we cover the "just upgrade" mentality, how backporting works, why it…

Why do we keep ignoring CI security with François Proulx
23:38
François Proulx, a supply chain security researcher at Boost Security, discusses how continuous integration (CI) and build pipeline security represents a critical and overlooked hole in our supply chain security. It seems like most supply chain compromises are actually from CI system breaches rather than direct code compromise, yet we seem to obses…

Modern day authentication with Marc Boorshtein
26:17
In this discussion with Tremolo Security CTO Marc Boorshtein, we explore what modern day Single Sign-On (SSO) looks like. Everyone likes to talk about zero trust, but how does that work? We talk about some of the history of authentication that got us here, and some technical details on how you should be implementing authentication into your applica…

Government Security Requirements with Dick Brooks
19:44
Dick Brooks from Business Cyber Guardian discusses the landscape of federal software security requirements. We discuss frameworks like CISA's Software Acquisition Guide, Secure Software Development Framework, and the EU's Cyber Resilience Act. These regulations impact open source projects differently from commercial vendors. Dick helps explain what…

Open Source Maintenance with Gary Kramlich
27:18
In this episode, Gary Kramlich, the lead developer of Pidgin, discusses the challenges and strategies of maintaining a 26-year-old open source messaging client. Gary tells us all about how a small team manages technical debt, handles library dependencies, and makes decisions about rewrites versus incremental improvements while supporting a broader ope…

Scott Mann: A Green Beret's Personal WAR & WARNING to America
1:41:46
Retired Green Beret Scott Mann shares the story behind Task Force Pineapple, the real challenges of the Afghanistan withdrawal, and the ongoing fight to protect America's security. Follow Nick for the latest updates https://X.com/ndsshow Follow Scott X: https://x.com/rooftopleader YouTube: @TheScottMannPodcast 🌟 Key Takeaways: How storytelling can …

The REAL Story Behind Romania's 2024 Election with Claudiu Pândaru
20:08
Claudiu Pândaru, founder of Republica, provides the full context behind Romania's Election Turmoil involving Russian interference and Calin Georgescu's presidential campaign. The recent elections in Romania, the impact of political dynamics, and the growing mistrust in government institutions. Our guest delves into the significance of voter behavior…

Safety vs Security with Thomas Depierre
21:23
In this episode of Open Source Security, Josh welcomes Thomas Depierre, a Site Reliability Engineer and open source maintainer, to discuss the intersection of safety and security. Thomas explains why safety is broader than security. While security often views people as the problem, Thomas explains that people are paradoxically the solution. Nothing…

It’s a new year and time for some changes to the opensourcesecurity.io website. It's time to retire the podcast, but that's to make way for something new and hopefully better. You can read the details in the blog post (the audio version is basically the same thing) https://opensourcesecurity.io/posts/2025-01-the_future_of_open_source_security/…

Episode 461 - The new NIST password guidance
36:07
Josh and Kurt talk about new NIST password guidance. There's some really good stuff in this new document. Ideas like usability and equity show up (which is amazing). There's more strict guidance against rotating passwords and complex passwords. This new guidance gives us a lot to look forward to. Show Notes Usagi Electric NIST proposes barring some…

China's THREAT to the US: A MASTERCLASS with Glenn Tiffert
1:31:16
Follow on X! ▶️ https://X.com/ndsshow Glenn Tiffert joins the podcast to explore the evolving landscape of U.S.-China relations, technological competition, and the future of global power dynamics. Glenn shares his insights on how China's strategic ambitions intersect with American innovation, and what this means for the future of democracy and econ…

Episode 460 - Santa's Supply Chain Security
43:29
Josh and Kurt talk about the supply chain of Santa. Does he purchase all those things? Are they counterfeit goods? Are they acquired some other way? And once he has all the stuff, the logistics of getting it to the sleigh is mind boggling. It's all very complex. Show Notes Project Gunman

Josh and Kurt talk about a CWE Top 25 list from MITRE. The list itself is fine, but we discuss why the list looks the way it does (it's because of WordPress). We also discuss why Josh hates lists like this (because they never create any actions). We finish up running through the whole list with a few comments about the findings. Show Notes 2024 CWE…

Episode 458 - FBI endorses E2E encryption
33:43
Josh and Kurt talk about the FBI telling everyone to use end to end encrypted messengers. This is a pretty drastic deviation from messages in the past. The reason for this is it appears the US telephone networks are pwnt beyond repair at this point, which is concerning. The only real solution now is to treat the phone network as untrusted and encry…

Episode 457 - The D-Link D-bacle
41:00
Josh and Kurt talk about a serious D-Link security vulnerability in a bunch of end of life products. The crux of the discussion focuses on D-Link, but the reality is almost all consumer gear you plug into the internet is terrible. And there's little hope it will get better anytime soon. Show Notes China has utterly pwned 'thousands and thousands' o…

Episode 456 - What if XZ happened to a company? The openness of open source
33:42
Josh and Kurt embark on a thought experiment to discuss how a commercial entity would handle something like the xz incident. It was very specific and difficult to understand. It's easy to claim that source code being available doesn't matter. But the reality is when source code is needed, it can make a huge difference for everyone working t…

SUPERCHARGE Your Organization with SOFT SKILLS and Leadership Lessons from the CIA
1:59:05
In this episode, we dive into an inspiring conversation with CIA Leadership Executive Mike Mears, a seasoned leader with a fascinating background in intelligence, leadership development, and organizational transformation. Mike shares compelling stories from his career, explores the principles of effective leadership, and provides actionable advice …

Episode 455 - WordPress plugin security
35:38
Josh and Kurt talk about the way WordPress vets their plugins. While WordPress has been in the news lately, they do some clever things to get plugins approved. There's a static analyzer that runs against new submissions. We discuss using static analysis, securing open source, contributing and more. Show Notes Linus Torvalds Lands A 2.6% Performance…

Episode 454 - The state of open source with Brian Fox from Sonatype and Donald Fischer from Tidelift
43:13
Josh and Kurt talk to Brian Fox from Sonatype and Donald Fischer from Tidelift about their recent reports as well as open source. There are really interesting connections between the two reports. The overall theme seems to be open source is huge, everywhere, and needs help. But all is not lost! There are some great ideas on what the future needs to lo…

Episode 453 - Software Liability
36:28
Josh and Kurt talk about three government activities happening around security. CISA has a request for comment, and an international strategic plan around cybersecurity. These are both good ideas, and hopefully will help drive change. But we also discuss an EU proposal that brings liability rules to software which sounds like a great way to force c…

Episode 452 - All about Meshtastic
39:29
Josh and Kurt talk about the Meshtastic open source project. It's a really slick mesh radio system that runs on very cheap radio equipment. This episode isn't very security related (there are a few things), but it is very open source. Show Notes Meshtastic Heltec LoRa 32(V3) Radio 465 Rutgers University Confirmed: Meshtastic and LoRa are dangerous …