What's in the SOSS? An OpenSSF Podcast

OpenSSF

What's in the SOSS? features the sharpest minds in security as they dig into the challenges and opportunities that create a recipe for success in making software more secure. Get a taste of all the ingredients that make up secure open source software (SOSS) and explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessments. Each episode of What's in the SOSS? is packed with valuable insight designed to foster collaboration and promote stronger security practices for the open source software community.

About Christopher Robinson (aka CRob), host

CRob is a 43rd level Dungeon Master and a 26th level Securityologist. He is a leader within several Open Source Security Foundation (OpenSSF) efforts and is a frequent speaker on cyber, application, and open source security. He enjoys hats, herding cats, and moonlit walks on the beach.

  1. FEB 10

    AIxCC Part 4 – Cyber Reasoning Systems: The Real-World Journey After AIxCC

    In this final episode of our AI Cyber Challenge (AIxCC) series, CRob and Jeff Diecks wrap up the journey from DARPA's groundbreaking two-year competition to the collaborative phase happening now. Discover how the winning teams are taking their AI-powered vulnerability detection systems into the real world, finding actual bugs in projects like the Linux kernel and CUPS. Learn about the OSS-CRS project, which aims to create a standard infrastructure for mixing and matching the best components from different systems, and hear lessons about how to responsibly introduce AI-generated security findings to open source maintainers. The competition may be over, but the real work, and the collaboration, is just beginning.

    This episode is part 4 of a four-part series on AIxCC:
    - AIxCC part 1: From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney
    - AIxCC part 2: From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs
    - AIxCC part 3: Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC

    Chapters:
    00:00 - Welcome and Introduction to AIxCC
    01:37 - OpenSSF's AI Security Mission: Two Lenses
    03:54 - Competition Highlights: What the Teams Discovered
    07:43 - Real-World Impact: From Research to Production
    10:44 - Lessons Learned: Working with Open Source Maintainers
    13:13 - OSS-CRS: Building a Standard Infrastructure
    14:29 - Breaking Down Walls: Post-Competition Collaboration
    15:39 - How to Get Involved

    Episode links:
    - Jeff Diecks LinkedIn page
    - Christopher "CRob" Robinson LinkedIn page
    - AI Cyber Challenge (AIxCC)
    - OSS-CRS Project
    - OpenSSF AI/ML Security Working Group
    - Cyber Reasoning Systems Special Interest Group (Slack)
    - Get involved with the OpenSSF
    - Subscribe to the OpenSSF newsletter
    - Follow the OpenSSF on LinkedIn

    18 min
  2. FEB 10

    AIxCC Part 3 - Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC

    In the third episode of our AI Cyber Challenge (AIxCC) series, CRob sits down with Michael Brown, Principal Security Engineer at Trail of Bits, to discuss their runner-up cyber reasoning system (CRS), Buttercup. Michael shares how their team took a hybrid approach, combining large language models with conventional software analysis tools like fuzzers, to create a system that exceeded even their own expectations. Learn how Trail of Bits made Buttercup fully open source and able to run on a laptop, their commitment to ongoing maintenance funded by the prize winnings, and why they believe AI works best when applied to small, focused problems rather than trying to solve everything at once.

    This episode is part 3 of a four-part series on AIxCC:
    - AIxCC part 1: From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney
    - AIxCC part 2: From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs
    - AIxCC part 4: Cyber Reasoning Systems: The Real-World Journey After AIxCC

    Chapters:
    00:04 - Introduction & Welcome
    00:12 - About Trail of Bits & Open Source Commitment
    03:16 - Buttercup: Second Place in AIxCC
    04:20 - The Hybrid Approach Strategy
    06:45 - From Skeptic to Believer
    09:28 - Surprises & Vindication During Competition
    11:36 - Multi-Agent Patching Success
    14:46 - Post-Competition Plans
    15:26 - Making Buttercup Run on a Laptop
    18:22 - The Giant Check & DEF CON
    18:59 - How to Access Buttercup on GitHub
    21:37 - Enterprise Deployment & Community Support
    22:23 - Closing Remarks

    Episode links:
    - Michael Brown's LinkedIn page
    - AI Cyber Challenge (AIxCC)
    - Trail of Bits
    - Buttercup GitHub Repo
    - OpenSSF AI/ML Security Working Group
    - Cyber Reasoning Systems Special Interest Group (Slack)
    - Get involved with the OpenSSF
    - Subscribe to the OpenSSF newsletter
    - Follow the OpenSSF on LinkedIn

    23 min
  3. FEB 10

    AIxCC Part 2 - From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs

    In this second episode of our series on DARPA's AI Cyber Challenge (AIxCC), CRob sits down with Professor Taesoo Kim from Georgia Tech to discuss Team Atlanta's journey to victory. Kim shares how his team, comprised of academics, world-class hackers, and Samsung engineers, was initially skeptical of AI tools and underwent a complete mindset shift during the competition. He explains how they augmented traditional security techniques like fuzzing and symbolic execution with LLM capabilities to find vulnerabilities in large-scale open source projects. Kim also reveals post-competition developments, including commercialization efforts in smart contract auditing and plans to make their winning CRS accessible to the broader security community through integration with OSS-Fuzz.

    This episode is part 2 of a four-part series on AIxCC:
    - AIxCC part 1: From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney
    - AIxCC part 3: Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC
    - AIxCC part 4: Cyber Reasoning Systems: The Real-World Journey After AIxCC

    Chapters:
    00:00 - Introduction
    00:37 - Team Atlanta's Background and Competition Strategy
    03:43 - The Key to Victory: Combining Traditional and Modern Techniques
    05:22 - Proof of Vulnerability vs. Finding Bugs
    06:55 - The Mindset Shift: From AI Skeptics to Believers
    09:46 - Overcoming Scalability Challenges with LLMs
    10:53 - Post-Competition Plans and Commercialization
    12:25 - Smart Contract Auditing Applications
    14:20 - Making the CRS Accessible to the Community
    16:32 - Student Experience and Research Impact
    20:18 - Getting Started: Contributing to the Open Source CRS
    22:25 - Real-World Adoption and Industry Impact
    24:54 - The Future of AI-Powered Security Competitions

    Episode links:
    - Taesoo Kim's LinkedIn page
    - AI Cyber Challenge (AIxCC)
    - OSS-Fuzz Project
    - OpenSSF AI/ML Security Working Group
    - Cyber Reasoning Systems Special Interest Group (Slack)
    - Get involved with the OpenSSF
    - Subscribe to the OpenSSF newsletter
    - Follow the OpenSSF on LinkedIn

    28 min
  4. FEB 10

    AIxCC Part 1 - From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney

    This episode of What's in the SOSS? features Andrew Carney from DARPA and ARPA-H, discussing the groundbreaking AI Cyber Challenge (AIxCC). The competition was designed to create autonomous systems capable of finding and patching vulnerabilities in open source software, a crucial effort given the pervasive nature of open source in the tech ecosystem. Carney shares insights into the two-year journey, highlighting the initial skepticism from experts that ultimately turned into belief, and reveals the surprising efficiency of the competing teams, who collectively found over 80% of inserted vulnerabilities and patched nearly 70%, with remarkably low compute costs. The discussion concludes with a look at the next steps: integrating these cyber reasoning systems into the open source community to support maintainers and supercharge automated patching in development workflows.

    This episode is part 1 of a four-part series on AIxCC:
    - AIxCC part 2: From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs
    - AIxCC part 3: Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC
    - AIxCC part 4: Cyber Reasoning Systems: The Real-World Journey After AIxCC

    Chapters:
    00:00 - Introduction and Guest Welcome
    00:59 - Guest Background: Andrew Carney's Role at DARPA/ARPA-H
    02:20 - Overview of the AI Cyber Challenge (AIxCC)
    03:48 - Competition History and Structure
    04:44 - The Value of Skepticism and Surprising Learnings
    07:11 - Surprising Efficiency and Low Compute Costs
    08:15 - Major Competition Highlights and Results
    13:09 - What's Next: Integrating Cyber Reasoning Systems into Open Source
    16:55 - A Favorite Tale of "Robots Gone Bad"
    18:37 - Call to Action and Closing Thoughts

    Episode links:
    - Andrew Carney's LinkedIn page
    - AI Cyber Challenge (AIxCC)
    - OpenSSF AI/ML Security Working Group
    - Cyber Reasoning Systems Special Interest Group (Slack)
    - Get involved with the OpenSSF
    - Subscribe to the OpenSSF newsletter
    - Follow the OpenSSF on LinkedIn

    23 min
  5. FEB 3

    Demystifying the CFP Process with KubeCon North America Keynote Speakers

    Ever wondered what it takes to get your talk accepted at a major open source tech conference, or even land a keynote slot? Join new What's in the SOSS? co-host Sally Cooper as she sits down with Stacey Potter and Adolfo "Puerco" García Veytia, fresh off their viral KubeCon keynote "Supply Chain Reaction." In this episode, they pull back the curtain on the CFP review process, share what makes a strong proposal stand out, and offer honest advice about overcoming imposter syndrome. Whether you're a first-time speaker or a seasoned presenter, you'll learn practical tips for crafting compelling abstracts, avoiding common pitfalls, and why your unique voice matters more than you think.

    Chapters:
    00:00 - Introduction and Guest Welcome
    01:40 - Meet the Keynote Speakers
    05:27 - Why CFPs Matter for Open Source Communities
    08:29 - Inside the Review Process: What Reviewers Look For
    14:29 - Crafting a Strong Abstract: Dos and Don'ts
    21:05 - From Regular Talk to Keynote: What Changed
    25:24 - Conquering Imposter Syndrome
    29:11 - Rapid Fire CFP Tips
    30:45 - Upcoming Speaking Opportunities
    33:08 - Closing Thoughts

    Episode links:
    - Adolfo García Veytia LinkedIn page
    - Stacey Potter LinkedIn page
    - KubeCon North America Keynote: Supply Chain Reaction: A Cautionary Tale in K8s Security
    - OpenSSF Slack CFP Announce channel (#cfp-announce)
    - Open Source Summit North America - CFP closes February 9
    - OpenSSF Community Day North America - CFP closes February 15
    - Open Source Summit Europe - CFP opens end of April or early May
    - OpenSSF Community Day Europe - CFP opens early May
    - Get involved with the OpenSSF
    - Subscribe to the OpenSSF newsletter
    - Follow the OpenSSF on LinkedIn

    33 min
  6. JAN 27

    Why Marketing Matters in Open Source: Introducing Co-Host Sally Cooper

    In this special episode, the What's in the SOSS? podcast welcomes Sally Cooper as an official co-host. Sally, who leads OpenSSF's marketing efforts, shares her journey from hands-on technical roles in training and documentation to becoming a bridge between complex technology and everyday understanding. The conversation explores why marketing matters in open source, how personal branding connects to community building, and the importance of personas in serving diverse stakeholders. Sally also reveals OpenSSF's 2026 marketing themes and explains how newcomers can get involved in the community, whether through Slack, working groups, or contributing content.

    Chapters:
    00:09 - Welcoming Sally Cooper as Co-Host
    01:28 - From Technical Training to Marketing Leadership
    03:54 - Bridging Technology and Understanding
    06:19 - Why Marketing Makes Open Source Uncomfortable
    08:11 - Personal Branding and Career Growth
    10:42 - Understanding Community Personas
    12:33 - Getting Started with OpenSSF
    14:44 - OpenSSF's 2026 Marketing Themes
    16:18 - Rapid Fire Round
    17:09 - How to Get Involved

    Episode links:
    - Sally Cooper's LinkedIn page
    - Get involved with the OpenSSF
    - A Software Developer's Journey with the OpenSSF
    - An Open Source Program Office's Journey with OpenSSF
    - The Marketing Journey with OpenSSF
    - Subscribe to the OpenSSF newsletter
    - Follow the OpenSSF on LinkedIn
    - OpenSSF Slack Invite
    - OpenSSF Blog
    - Reach out to the OpenSSF Marketing Team
    - BEAR Working Group
    - OpenSSF Tech Talks
    - OpenSSF Case Studies

    19 min
  7. 12/30/2025

    2025 Year End Wrap Up: Celebrating 5 Years of Open Source Security Impact!

    Join co-hosts CRob and Yesenia for a special season finale celebrating OpenSSF's fifth anniversary and recapping an incredible year of innovation in open source security! From launching three free educational courses on the EU Cyber Resilience Act, AI/ML security, and security for software development managers, to the groundbreaking DARPA AI Cyber Challenge where competitors achieved over 90% accuracy in autonomous vulnerability discovery, 2025 has been transformative. We reflect on standout interviews with new OpenSSF leaders Steve Fernandez and Stacey Potter, deep dives into game-changing projects like the Open Source Project Security Baseline and AI model signing, and the vibrant community conversations around SBOM, supply chain security, and developer education. With nearly 12,000 total podcast downloads and exciting Season 3 plans including AI Cyber Challenge competitor interviews, CFP writing workshops, and expanded global community initiatives in Africa, we're just getting started. Tune in for behind-the-scenes insights, friendly competition stats on our most popular episodes, and a sneak peek at what's coming in 2026!

    Chapters:
    00:00 - Celebrating OpenSSF's Fifth Anniversary
    02:52 - Educational Growth and New Initiatives
    05:51 - Community Voices and Leadership Changes
    08:45 - The Role of Community Manager
    11:44 - Open Source Project Security Baseline
    14:47 - AI and Machine Learning in Open Source
    17:47 - Software Bill of Materials (SBOM) Discussions
    20:34 - Podcast Highlights and Listener Engagement
    22:26 - Looking Ahead to Season Three

    Episode links:
    - Yesenia Yser on LinkedIn
    - Christopher Robinson on LinkedIn
    - OpenSSF Free Courses:
      - LFD 125 - Security for Software Development Managers
      - LFEL 1001 - Understanding the EU Cyber Resilience Act
      - LFEL 1012 - Secure AI/ML Driven Development
    - OpenSSF What's In The SOSS Podcast Episodes:
      - Podcast #27 - S2E04 Enterprise to Open Source: Steve Fernandez's Journey to the OpenSSF
      - Podcast #29 - S2E06 Showing Up Fully: Meet OpenSSF's new Community Manager, Stacey Potter
      - Podcast #25 - S2E02 Empowering Security: Yesenia Yser on Open Source, AI, and Personal Branding
      - Podcast #44 - S2E21 A Deep Dive into the Open Source Project Security (OSPS) Baseline
      - Podcast #36 - S2E13 From Compliance to Community: Meeting CRA Requirements Together

    28 min
  8. 12/16/2025

    Teaching the Next Generation: Software Supply Chain Security in Academia with Justin Cappos

    On this episode of What's in the SOSS?, Yesenia Yser sits down with Justin Cappos, NYU professor and self-described "OG software supply chain guy" who has been working in this space since 2002. Justin explains why most universities fail to teach fundamental security practices, from MFA to code signing, and how his software supply chain security course is producing some of the most qualified professionals in the world. We discuss the challenges of keeping a curriculum current in a rapidly evolving field, the "throw them in the deep end" approach to teaching open source collaboration, and Justin's vision for transforming security education across institutions nationwide through the Linux Foundation's Academic Computing Acceleration Program.

    Chapters:
    00:24 - Introduction & Guest Welcome
    01:49 - The SolarWinds Effect
    02:01 - Aligning with Linux Foundation's Academic Program
    04:06 - Critical Gaps in Traditional CS Education
    06:35 - Teaching Open Source Culture
    10:45 - Career Impact & Student Success
    13:52 - Adapting to AI & Rapid Industry Change
    16:30 - Vision for the Next 5-10 Years
    19:52 - Rapid Fire Round
    20:52 - Final Advice & Closing

    Episode links:
    - Justin Cappos NYU Professor Page
    - NYU Tandon School of Engineering
    - Linux Foundation Academic Computing Accreditation
    - OpenSSF Education
    - CNCF TAG Security
    - Get involved with the OpenSSF
    - Subscribe to the OpenSSF newsletter
    - Follow the OpenSSF on LinkedIn

    22 min
