A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.

Open Source Malware with Brian Fox

March 09, 2025 30:18 5.61 MB

Brian Fox discusses findings from a recent Sonatype report about the growing challenge of malicious packages in open source repositories. At the time of recording there are over 820,000 malware packages in public repositories. Brian explains why certain ecosystems are more vulnerable than others, how behavioral detection methods can identify suspicious packages, and why the problem is so hard to solve. The blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-03-oss_malware_brian_fox/
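As an added illustration of the behavioral detection the episode describes (this is example code written for this page, not code from the podcast, from Sonatype, or from the report): a small triage that scans an npm package for install-time lifecycle hooks and for behaviour those hooks tend to carry (downloading, executing code built from a string, decoding an embedded payload, reading credential files). The rule names, thresholds and both sample packages are constructed for the example; no real package is referenced.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# npm lifecycle hooks that run arbitrary commands on `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Behaviour signatures (names are ours). They describe what code does,
# not what the package claims to be, which is the point of behavioral
# detection: a typosquat with a clean name still has to fetch and run.
SUSPICIOUS_PATTERNS = {
    "downloader": re.compile(
        r"\b(?:curl|wget|Invoke-WebRequest)\b|\bfetch\s*\(|https?://"),
    "eval_from_string": re.compile(
        r"\beval\s*\(|new\s+Function\s*\(|child_process|\.exec(?:Sync)?\s*\("),
    "encoded_payload": re.compile(
        r"Buffer\.from\([^)]*,\s*['\"]base64['\"]\)|\batob\s*\(|(?:\\x[0-9a-fA-F]{2}){8,}"),
    "credential_access": re.compile(r"process\.env|\.npmrc|\.ssh/|\.aws/"),
}


@dataclass
class Finding:
    location: str   # "scripts.<hook>" or a file path inside the package
    rule: str
    evidence: str


def scan_package(manifest: dict, files: Dict[str, str]) -> List[Finding]:
    """Flag install-time hooks and suspicious behaviour in package sources."""
    findings: List[Finding] = []
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        where = f"scripts.{hook}"
        findings.append(Finding(where, "install_hook", cmd))
        for rule, rx in SUSPICIOUS_PATTERNS.items():
            if rx.search(cmd):
                findings.append(Finding(where, rule, cmd))
    for path, source in files.items():
        for rule, rx in SUSPICIOUS_PATTERNS.items():
            match = rx.search(source)
            if match:
                findings.append(Finding(path, rule, match.group(0)))
    return findings


def verdict(findings: List[Finding]) -> str:
    """An install hook alone is common in legitimate packages (native builds);
    an install hook combined with fetch/exec/decode/credential behaviour is
    the shape of the install-time malware the report is about."""
    rules = {f.rule for f in findings}
    behaviours = rules & set(SUSPICIOUS_PATTERNS)
    if "install_hook" in rules and behaviours:
        return "likely-malicious"
    if behaviours or "install_hook" in rules:
        return "review"
    return "clean"


# Constructed samples; neither is a real package. The base64 string decodes
# to the text "Constructed example".
BENIGN_MANIFEST = {"name": "pad-left-ish", "version": "1.0.0",
                   "scripts": {"test": "node test.js"}}
BENIGN_FILES = {"index.js": "module.exports = (s, n) => s.padStart(n);\n"}

SUSPICIOUS_MANIFEST = {"name": "colorz-util", "version": "9.9.9",
                       "scripts": {"postinstall": "node setup.js"}}
SUSPICIOUS_FILES = {"setup.js": (
    'const p = Buffer.from("Q29uc3RydWN0ZWQgZXhhbXBsZQ==", "base64").toString();\n'
    'require("child_process").execSync(p + " && cat ~/.npmrc");\n')}

if __name__ == "__main__":
    for name, m, f in (("benign", BENIGN_MANIFEST, BENIGN_FILES),
                       ("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_FILES)):
        found = scan_package(m, f)
        print(name, verdict(found))
        for x in found:
            print("  ", x.location, x.rule, repr(x.evidence))
```

Note that the suspicious sample never contains the word `curl` in plaintext; the downloader is hidden inside the base64 blob, so a keyword-only scan would miss it, while the combination of an install hook, a decoder and `child_process` still trips the verdict. A `postinstall` that only runs `node-gyp rebuild` lands in "review", which is the right place for a human to look rather than an automatic block.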

Open Source Foundations with Kelley Misata of Suricata

March 02, 2025 31:45 30.47 MB

In this episode Open Source Security talks to Dr. Kelley Misata about the Open Information Security Foundation (OISF). The way OISF manages Suricata through a foundation is super interesting. There are a lot of lessons in this one for both open source projects and existing open source foundations. The blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-03-oss_foundations_kelley_misata/

Forking Open Source Projects with Sheogorath

February 23, 2025 22:14 21.33 MB

In this episode Open Source Security chats with Sheogorath about the HedgeDoc project's journey from HackMD to CodiMD and finally to HedgeDoc. We learn what forking a project looks like, including license changes (MIT to AGPL), security vulnerability management across different codebases, naming challenges, and infrastructure migrations. There are many lessons learned along the way. The blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-02-fork_open_source_sheogorath/

Patching EOL Open Source with Aaron Frost

February 16, 2025 22:53 21.96 MB

In this episode, Open Source Security chats with Aaron Frost, CEO of HeroDevs, about the world of maintaining end-of-life open source software. Aaron explains how EOL versions of open source work and how backporting security fixes can help maintain compliance. In the discussion we cover the "just upgrade" mentality, how backporting works, why it's hard, and why it matters. We also cover some oddities the world of CVE brings to the discussion. The blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-02-patching_EOL_OSS_aaron_frost/

Why do we keep ignoring CI security with François Proulx

February 09, 2025 23:38 22.68 MB

François Proulx, a supply chain security researcher at Boost Security, discusses how continuous integration (CI) and build pipeline security represent a critical and overlooked hole in supply chain security. It seems that most supply chain compromises actually come from CI system breaches rather than direct code compromise, yet we obsess over everything on either side of the CI system. François has a bunch of really good practical suggestions for how we can start to improve our CI security today. The blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-02-ignoring_ci_security_francois_proulx/

Modern day authentication with Marc Boorshtein

February 02, 2025 26:17 25.22 MB

In this discussion with Tremolo Security CTO Marc Boorshtein, we explore what modern day Single Sign-On (SSO) looks like. Everyone likes to talk about zero trust, but how does that work? We talk about some of the history of authentication that got us here, and some technical details on how you should be implementing authentication into your application. We finish up with some passkey details and realize every authentication discussion really just turns into complaining how hard identity is. The blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-02-modern_day_authentication_with_marc_boorshtein/

Government Security Requirements with Dick Brooks

January 26, 2025 19:44 18.93 MB

Dick Brooks from Business Cyber Guardian discusses the landscape of federal software security requirements. We discuss frameworks like CISA's Software Acquisition Guide, the Secure Software Development Framework (SSDF), and the EU's Cyber Resilience Act. These regulations impact open source projects differently from commercial vendors, and Dick helps explain what that means for vendors as well as open source developers. The accompanying blog post can be found at https://opensourcesecurity.io/2025/01-government_security_requirements_with_dick_brooks

Show notes:
- CISA Software Acquisition Guide
- CISA SAG Reader Project
- NASA SSDF collaboration

Open Source Maintenance with Gary Kramlich

January 19, 2025 27:21 26.25 MB

In this episode, Gary Kramlich, the lead developer of Pidgin, discusses the challenges and strategies of maintaining a 26-year-old open source messaging client. Gary tells us how a small team manages technical debt, handles library dependencies, and makes decisions about rewrites versus incremental improvements while supporting a broader open source ecosystem. The accompanying blog post can be found at https://opensourcesecurity.io/2025/01-open_source_maintenance_with_gary_kramlich/

Safety vs Security with Thomas Depierre

January 13, 2025 21:23 10.26 MB

In this episode of Open Source Security, Josh welcomes Thomas Depierre, a Site Reliability Engineer and open source maintainer, to discuss the intersection of safety and security. Thomas explains why safety is broader than security. While security often views people as the problem, Thomas explains that people are paradoxically the solution: nothing should work, but it does, mostly because people keep things working. The accompanying blog post can be found at https://opensourcesecurity.io/2025/01-safety_vs_security_with_thomas_depierre/

The Future of Open Source Security

January 01, 2025 04:28 2.13 MB

It’s a new year and time for some changes to the opensourcesecurity.io website.   It's time to retire the podcast, but that's to make way for something new and hopefully better. You can read the details in the blog post (the audio version is basically the same thing) https://opensourcesecurity.io/posts/2025-01-the_future_of_open_source_security/

Episode 461 - The new NIST password guidance

December 29, 2024 36:07 34.66 MB

Josh and Kurt talk about new NIST password guidance. There's some really good stuff in this new document. Ideas like usability and equity show up (which is amazing). There's stricter guidance against forced password rotation and composition rules. This new guidance gives us a lot to look forward to.

Show notes:
- Usagi Electric
- NIST proposes barring some of the most nonsensical password rules
- NIST SP 800-63B
- STRIDE threat model
- PASTA threat model
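As an added example of what the guidance means for a verifier (this is example code written for this page, not code from the podcast or from NIST), the check below puts the old composition-and-rotation policy next to one shaped by the SP 800-63B draft: length and a blocklist instead of character-class rules, Unicode normalization before comparison, and rotation only on evidence of compromise. The length thresholds follow the draft (8 is the floor, 15 the recommended minimum, at least 64 must be accepted); the 256 upper cap and the blocklist contents are assumptions made here.

```python
import unicodedata
from typing import Optional, Set

# Thresholds from the SP 800-63B-4 draft: 8 characters is the floor a verifier
# SHALL enforce, 15 the minimum it SHOULD require, and at least 64 SHALL be
# accepted. HARD_CAP is our own assumption, there only to bound the cost of
# the password hash; the draft sets no upper limit.
MIN_LENGTH = 15
MUST_ACCEPT_UP_TO = 64
HARD_CAP = 256

# Constructed stand-in for a real blocklist (breached corpora, dictionary
# words, context-specific strings such as the service name). Entries are
# stored lower-cased and normalized so comparison is consistent.
BLOCKLIST: Set[str] = {
    "password", "password1", "123456789012345", "qwertyuiopasdfghjkl",
    "letmeinletmein", "example-service-2024",
}


def normalize(candidate: str) -> str:
    # 800-63B recommends NFKC or NFC before hashing so the same secret typed
    # on different keyboards or platforms yields the same code points.
    return unicodedata.normalize("NFKC", candidate)


def check_password(candidate: str, blocklist: Set[str] = BLOCKLIST) -> Optional[str]:
    """Return None if the secret is acceptable, otherwise the rejection reason.

    Deliberately absent: composition rules ("one digit, one symbol"),
    truncation, password hints, and any knowledge-based recovery.
    """
    pw = normalize(candidate)
    if len(pw) < MIN_LENGTH:
        return "too short"
    if len(pw) > HARD_CAP:
        return "too long"
    if pw.lower() in blocklist:
        return "blocklisted"
    return None


def legacy_check(candidate: str) -> Optional[str]:
    """The policy 800-63B tells verifiers to drop: a short minimum plus
    character-class composition rules. Kept here only for contrast."""
    if len(candidate) < 8:
        return "too short"
    classes = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    )
    if sum(classes) < 3:
        return "needs 3 of 4 character classes"
    return None


def rotation_required(days_since_change: int, compromise_suspected: bool) -> bool:
    """Forced rotation happens on evidence of compromise, never on a timer.
    days_since_change is accepted only to make the point that age is ignored."""
    return compromise_suspected


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Tr0ub4dor&3", "qwertyuiopasdfghjkl"):
        print(repr(pw), "legacy:", legacy_check(pw), "| 800-63B:", check_password(pw))
```

The two policies disagree in both directions: a long all-lowercase passphrase fails the legacy character-class rule and passes the new check, while a short "complex" string passes the legacy rule and is rejected for length. The blocklist match on the normalized, lower-cased form is what replaces composition rules as the defence against guessable secrets.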

Episode 460 - Santa's Supply Chain Security

December 22, 2024 43:29 41.73 MB

Josh and Kurt talk about the supply chain of Santa. Does he purchase all those things? Are they counterfeit goods? Are they acquired some other way? And once he has all the stuff, the logistics of getting it to the sleigh is mind boggling. It's all very complex.

Show notes:
- Project Gunman

Episode 459 - CWE Top 25 List

December 15, 2024 36:01 34.57 MB

Josh and Kurt talk about a CWE Top 25 list from MITRE. The list itself is fine, but we discuss why the list looks the way it does (it's because of WordPress). We also discuss why Josh hates lists like this (because they never create any actions). We finish up running through the whole list with a few comments about the findings.

Show notes:
- 2024 CWE Top 25 Most Dangerous Software Weaknesses
- Set of 9 Unusual Odd Sided dice - D3, D5, D7, D9, D11, D13, D15, D17 & D19

Episode 458 - FBI endorses E2E encryption

December 08, 2024 33:43 32.36 MB

Josh and Kurt talk about the FBI telling everyone to use end to end encrypted messengers. This is a pretty drastic deviation from its messaging in the past. The reason appears to be that the US telephone networks are pwnt beyond repair at this point, which is concerning. The only real solution now is to treat the phone network as untrusted and encrypt all the traffic.

Show notes:
- Salt Typhoon
- U.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack
- LTT Hacked phone
- Security Cryptography Whatever Telegram
- Secure Messaging Apps Comparison

Episode 457 - The D-Link D-bacle

December 01, 2024 41:00 39.35 MB

Josh and Kurt talk about a serious D-Link security vulnerability in a bunch of end of life products. The crux of the discussion focuses on D-Link, but the reality is that almost all consumer gear you plug into the internet is terrible, and there's little hope it will get better anytime soon.

Show notes:
- China has utterly pwned 'thousands and thousands' of devices at US telcos
- D-Link tells users to trash old VPN routers over bug too dangerous to identify
- D-Link YouTube explainer video