What's in the SOSS? An OpenSSF Podcast

OpenSSF

What's in the SOSS? features the sharpest minds in security as they dig into the challenges and opportunities that create a recipe for success in making software more secure. Get a taste of all the ingredients that make up secure open source software (SOSS) and explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessments. Each episode of What's in the SOSS? is packed with valuable insight designed to foster collaboration and promote stronger security practices for the open source software community.

About Christopher Robinson (aka CRob), host

CRob is a 43rd level Dungeon Master and a 26th level Securityologist. He is a leader within several Open Source Security Foundation (OpenSSF) efforts and is a frequent speaker on cyber, application, and open source security. He enjoys hats, herding cats, and moonlit walks on the beach.

  1. DEC 16

    Teaching the Next Generation: Software Supply Chain Security in Academia with Justin Cappos

    On this episode of "What's in the SOSS," Yesenia Yser sits down with Justin Cappos, NYU professor and self-described "OG software supply chain guy" who's been working in this space since 2002. Justin reveals why most universities fail to teach fundamental security practices, from MFA to code signing, and how his groundbreaking software supply chain security course is creating some of the top 500 most qualified professionals in the world. We discuss the challenges of keeping curriculum current in a rapidly evolving field, the "throw them in the deep end" approach to teaching open source collaboration, and Justin's vision for transforming security education across institutions nationwide through the Linux Foundation's Academic Computing Acceleration Program.

    Episode links:
    Justin Cappos NYU Professor Page
    NYU Tandon School of Engineering
    Linux Foundation Academic Computing Accreditation
    OpenSSF Education
    CNCF TAG Security
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn

    Chapters:
    00:24 - Introduction & Guest Welcome
    01:49 - The SolarWinds Effect
    02:01 - Aligning with Linux Foundation's Academic Program
    04:06 - Critical Gaps in Traditional CS Education
    06:35 - Teaching Open Source Culture
    10:45 - Career Impact & Student Success
    13:52 - Adapting to AI & Rapid Industry Change
    16:30 - Vision for the Next 5-10 Years
    19:52 - Rapid Fire Round
    20:52 - Final Advice & Closing

    22 min
  2. NOV 19

    SBOM Chaos and Software Sovereignty: The Hidden Challenges Facing Open Source with Stephanie Domas (Canonical)

    Stephanie Domas, Canonical's Chief Security Officer, returns to What's in the SOSS to discuss critical open source challenges. She addresses the issues of third-party security patch versioning, the rise of software sovereignty, and how custom patches break SBOMs. Domas also explains why geographic code restrictions contradict open source principles and what the EU's Cyber Resilience Act (CRA) means for enterprises. She highlights Canonical's work integrating memory-safe components like sudo-rs into the next Ubuntu LTS. This episode challenges assumptions about supply chain security, software trust, and the future of collaborative development in a regulated world.

    Chapters:
    00:00 - Welcome
    01:49 - Memory safety revolution
    02:00 - Black Hat reflections
    03:48 - The SBOM versioning crisis
    06:23 - Semantic versioning falls apart
    10:06 - Software sovereignty exposed
    12:33 - Trust through transparency
    14:02 - The insider threat parallel
    17:04 - EU CRA impact
    18:50 - The manufacturer gray area
    21:08 - The one-maintainer problem
    22:51 - Will regulations kill open source adoption?
    24:43 - Call to action

    Episode links:
    Stephanie Domas LinkedIn page
    Canonical
    Ubuntu
    OpenSSF Global Cyber Policy Working Group (CRA & policy/standards resources)
    WiTS Podcast #18 - Canonical's Stephanie Domas and Security Insight from a Self-Described "Tinkerer"
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn

    27 min
  3. NOV 4

    A Deep Dive into the Open Source Project Security (OSPS) Baseline

    In this episode of "What's in the SOSS," CRob, Ben Cotton, and Eddie Knight discuss the Open Source Project Security Baseline. This baseline provides a common language and control catalog for software security, enabling maintainers to demonstrate their project's security posture and fostering confidence in open source projects. They explore its integration with other OpenSSF projects, real-world applications like the GUAC case study, and its value to maintainers and stakeholders. The role of documentation in security is emphasized, ensuring secure software deployment. The effectiveness of the baseline is validated through real-world applications and refined by community feedback, with future improvements focusing on better tooling and compliance mapping.

    Episode Chapters:
    00:00 - Welcome & Introductions
    02:40 - Understanding the Open Source Project Security Baseline
    05:54 - The Importance of Defining a Security Baseline
    08:49 - Integrating Baseline with Other OpenSSF Projects
    11:42 - Real-World Applications: The GUAC Case Study
    14:21 - Value for Maintainers and Other Stakeholders
    17:29 - The Role of Documentation in Security
    20:37 - Future Directions for the Baseline and ORBIT
    23:26 - Community Engagement and Feedback

    Episode links:
    Ben Cotton's LinkedIn page
    Eddie Knight's LinkedIn page
    OSPS Baseline website
    OSPS Baseline GitHub
    OSPS Baseline Slack
    OSPS ORBIT Working Group
    OpenSSF Tech Talk: How to use the OSPS Baseline to Better Navigate Standards and Regulations
    Gemara project
    GUAC project
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn

    33 min
  4. OCT 7

    The Remediation Revolution: How AI Agents Are Transforming Open Source Security with John Amaral of Root.io

    In this episode of What's in the SOSS, CRob sits down with John Amaral from Root.io to explore the evolving landscape of open source security and vulnerability management. They discuss how AI and LLM technologies are revolutionizing the way we approach security challenges, from the shift away from traditional "scan and triage" methodologies to an emerging "fix first" approach powered by agentic systems. John shares insights on the democratization of coding through AI tools, the unique security challenges of containerized environments versus traditional VMs, and how modern developers can leverage AI as a "pair programmer" and security analyst. The conversation covers the transition from "shift left" to "shift out" security practices and offers practical advice for open source maintainers looking to enhance their security posture using AI tools.

    Chapters:
    00:25 - Welcome and introductions
    01:05 - John's open source journey and Root.io's SIM Toolkit project
    02:24 - How application development has evolved over 20 years
    05:44 - The shift from engineering rigor to accessible coding with AI
    08:29 - Balancing AI acceleration with security responsibilities
    10:08 - Traditional vs. containerized vulnerability management approaches
    13:18 - Leveraging AI and ML for modern vulnerability management
    16:58 - The coming "remediation revolution" and fix-first approach
    18:24 - Why "shift left" security isn't working for developers
    19:35 - Using AI as a cybernetic programming and analysis partner
    20:02 - Call to action: Start using AI tools for security today
    22:00 - Closing thoughts and wrap-up

    Episode links:
    John Amaral's LinkedIn page
    Root website
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn

    23 min
  5. SEP 23

    From Manager to Open Source Security Pioneer: Kate Stewart's Journey Through SBOM, Safety, and the Zephyr Project

    In this episode of What's in the SOSS, CRob has an inspiring conversation with Kate Stewart, a Linux Foundation veteran who took an unconventional path into open source as a manager rather than a developer, navigating complex legal challenges to get Motorola's contributions upstream. Now a decade into her tenure at the Linux Foundation, Kate leads critical initiatives in safety-critical open source software, including the Zephyr RTOS project and ELISA, while being instrumental in the evolution of SPDX and Software Bill of Materials (SBOM). She breaks down the different types of SBOMs, explains how the Zephyr project became a security exemplar with gold-level OpenSSF badging, and shares practical insights on navigating the European Union's Cyber Resilience Act (CRA). Whether you're interested in embedded systems, security best practices, or the evolving regulatory landscape for open source, this episode offers valuable perspectives from someone who's been shaping these conversations for years.

    Episode Chapters:
    00:00 - Intro Music & Promo Clip
    00:00 - Introduction and Welcome
    00:42 - Kate's Current Work at Linux Foundation
    02:18 - Origin Story: From Motorola Manager to Open Source Advocate
    06:38 - Building Global Open Source Teams and SPDX Beginnings
    09:45 - The Variety of Open Source Contributors
    10:57 - Deep Dive: What is an SBOM and Why It Matters
    17:05 - The Evolution of SBOM Types and Academic Understanding
    19:21 - Cyber Resilience Act and Zephyr as a Security Exemplar
    26:46 - Zephyr's Security Journey: From Badging to CNA Status
    31:05 - Rapid Fire Questions
    32:19 - Advice for Newcomers and Closing Thoughts

    Episode links:
    Kate Stewart LinkedIn page
    Zephyr Project
    SPDX (Software Package Data Exchange)
    ELISA Project
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn

    35 min
