Open Source Security

• Open Source Malware with Brian Fox

  Brian Fox discusses findings from a recent Sonatype report about the growing challenge of malicious packages in open source repositories. At the time of recording there are now over 820,000 malware packages in public repositories. Brian explains why certain ecosystems are more vulnerable than others and how behavioral detection methods can identify suspicious packages, and the challenge in solving this problem. The blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-03-oss_malware_brian_fox/

  --------  

  30:18
• Open Source Foundations with Kelley Misata of Suricata

  In this episode Open Source Security talks to Dr. Kelly Masada about the Open Information Security Foundation (OISF). The way OISF is managing Suricata through a foundation is super interesting. There are a lot of lessons in this one for both open source projects and existing open source foundations.   The blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-03-oss_foundations_kelley_misata/

  --------  

  31:45
• Forking Open Source Projects with Sheogorath

  In this episode Open Source Security chats with Sheogorath about HedgeDoc project's journey from HackMD to CodiMD and finally to HedgeDoc. We learn what forking a project looks like, including license changes (MIT to AGPL), security vulnerability management across different codebases, naming challenges, and infrastructure migrations. The conversation goes through to journey from HackMD to CodiMD and all the lessons learned along the way. And there are many lessons. The blog post for this episode can be found at  https://opensourcesecurity.io/2025/2025-02-fork_open_source_sheogorath/

  --------  

  22:14
• Patching EOL Open Source with Aaron Frost

  In this episode, Open Source Security chats with Aaron Frost, CEO of Hero Devs about the world of maintaining end-of-life open source software. Aaron explains how EOL versions of open source work and how backporting security fixes can help maintaining compliance. In the discussion we cover the "just upgrade" mentality, how backporting works, why it's hard, and why it matters. We also cover some oddities the world of CVE brings to the discussion. The blog post for this episode can be found at  https://opensourcesecurity.io/2025/2025-02-patching_EOL_OSS_aaron_frost/

  --------  

  22:53
• Why do we keep ignoring CI security with François Proulx

  François Proulx, a supply chain security researcher at Boost Security, discusses how continuous integration (CI) and build pipeline security represents a critical and overlooked hole in our supply chain security. It seems like most supply chain compromises are actually from CI system breaches rather than direct code compromise, yet we seem to obsess over everything on either side of the CI system. François has a bunch of really good practical suggestions for how we can start to improve our CI security today.   The blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-02-ignoring_ci_security_francois_proulx/

  --------  

  23:38

Weitere Technologie Podcasts

Trending Technologie Podcasts

Über Open Source Security