A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.
Similar Podcasts
The Cynical Developer
A UK based Technology and Software Developer Podcast that helps you to improve your development knowledge and career,
through explaining the latest and greatest in development technology and providing you with what you need to succeed as a developer.
The FOSS Pod
From the creative geniuses behind Brad & Will Made a Tech Pod, The FOSS Pod is a show about the free and open source software that’s changing the world, and the developers who are making it happen.
ThunderCast
An inside look at the making of Mozilla Thunderbird, and community-driven conversations with our friends in the open-source software space.
Episode 455 - Wordpress plugin security
Josh and Kurt talk about the way Wordpress vets their plugins. While Wordpress has been in the news lately, they do some clever things to get plugins approved. There's a static analyzer that runs against new submissions. We discuss using static analysis, securing open source, contributing and more. Show Notes Linus Torvalds Lands A 2.6% Performance Improvement With Minor Linux Kernel Patch Kurt's Plugin
Episode 454 - The state of open source with Brian Fix from Sonatype and Donald Fischer from Tidelift
Josh and Kurt talk to Brian Fox from Sonatype and Donald Fischer from Tidelift about their recent reports as well as open source. There are really interesting connections between the two reports. The overall theme seems to be open source is huge, everywhere, and needs help. But all is no lost! There's some great ideas on what the future needs to look like. Show Notes Donald Fischer Brian Fox Tidelift Sonatype The 2024 Tidelift state of the open source maintainer report Sonatype State of the Software Supply Chain Anchore 2024 Software Supply Chain Security Report OpenSSF TAC issue 101
Episode 453 - Software Liability
Josh and Kurt talk about three government activities happening around security. CISA has a request for comment, and an international strategic plan around cybersecurity. These are both good ideas, and hopefully will help drive change. But we also discuss an EU proposal that brings liability rules to software which sounds like a great way to force change to happen. Show Notes Request for Comment on Product Security Bad Practices Guidance FY2025-2026 CISA International Strategic Plan EU brings product liability rules in line with digital age and circular economy CSA Cloud Controls Matrix
Episode 452 - All about Meshtastic
Josh and Kurt talk about the Meshtastic open source project. It's a really slick mesh radio system that runs on very cheap radio equipment. This episode isn't very security related (there are a few things), but it is very open source. Show Notes Meshtastic Heltec LoRa 32(V3) Radio 465 Rutgers University Confirmed: Meshtastic and LoRa are dangerous Meshtastic Routing Issues & Deployment Scenarios TC2-BBS-mesh The Comms Channel Josh's BBS Heltec T114 bug
Episode 451 - Python security with Seth Larson
Josh and Kurt talk to Seth Larson from the Python Software Foundation about security the Python ecosystem. Seth is an employee of the PSF and is doing some amazing work. Seth is showing what can be accomplished when we pay open source developers to do some of the tasks a volunteer might consider boring, but is super important work. Show Notes Seth Larson XKCD PGP Signature Seth's Blog Python and Sigstore Deprecating PGP - PEP 761 Python SBOMs
Episode 450 - What's Wrong With WordPress
Josh and Kurt talk about the current Wordpress / WP Engine mess. In what is certainly a supply chain attack, the Advanced Custom Fields forking. This whole saga is weird and filled with chaos and stupidity. We have no idea how it will end, but we do know that the blog platform you use shouldn't be this exciting. The bad sort of exciting. Show Notes WordPress.org’s latest move involves taking control of a WP Engine plugin Wordpress / WP Engine timeline Knorr German Recipes
Episode 449 - The CUPSpocalypse
Josh and Kurt talk about the recent CUPS issue. The vulnerability itself wasn't all that exciting, but the whole disclosure process was wild. There's a lot to talk about, many things didn't quite go as planned and it all leaked early. Let's talk about why and what it all means. Show Notes CUPS vulnerability Akamai report Wil Wheaton: being a nerd is not about what you love; it’s about how you love it
Episode 448 - What's wrong with CISA?
Josh and Kurt talk about a few things that have recently come out of CISA. They seem to be blaming the vendors for a lot of the problems, but there's also not any actionable advice telling the vendors what they should be doing. This feels like the classic case of "just security harder". We need CISA to be leading the way funding and defining security, not blaming vendors for giving the market what it demands. Show Notes iCloud Photos Downloader CISA boss: Makers of insecure software must stop enabling today's cyber villains A Security Market for Lemons CISA and FBI Release Secure by Design Alert on Eliminating Cross-Site Scripting Vulnerabilities CISA Secure by Design Pledge Railroad Newsletter CISA Secure Software Development Attestation Form
Episode 447 - The Tidelift 2024 open source maintainer report
Josh and Kurt talk about the 2024 Tidelift maintainer report. The report is pretty big and covers a ton of ground. We focus in a few of the statistics that should worry anyone who uses open source. We've known for a while developers are struggling, and the numbers back that up. This one feels like the old "we've tried nothing and we're all out of ideas". Show Notes THE 2024 TIDELIFT STATE OF THE OPEN SOURCE MAINTAINER REPORT Canadian passport Changelog Interviews #433 Pandas CVE
Episode 446 - Researchers took over .MOBI TLD
Josh and Kurt talk about some security researchers sort of taking over the .MOBI whois server. The story is a bit sensational, but we ask if it really matters? There are a lot of interesting possible attacks, but turning something like this into a good attack is really hard, maybe impossible. The researchers presented the findings in a very reasonable way. Show Notes We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI Heinz says sorry for ketchup QR code that links to porn site
Episode 445 - EPSS with Jay Jacobs
Josh and Kurt talk to Jay Jacobs about Exploit Prediction Scoring System (EPSS). EPSS is a new way to view vulnerabilities. It's a metric for the likelyhood that a vulnerability will be exploited in the next 30 days. Jay explains how EPSS got to where it is today, how the scoring works, and how we can start to think about including it in our larger risk equations. It's a really fun discussion. Show Notes Jay Jacobs on LinkedIn EPSS Jay's graph animation Cyentia's A Visual Exploration of Exploits in the Wild
Episode 444 - Open Source and End of Life
Josh and Kurt talk about Chrome unexpectedly going EOL on Ubuntu 18. Keeping old things alive is really hard to do, and in open source it's becoming more common to just run the latest version rather than trying to keep old versions alive for long periods of time. Show Notes Chrome dumped support for Ubuntu 18.04 – but it'll be back Linus Torvalds talks AI, Rust adoption, and why the Linux kernel is 'the only thing that matters' Pidgin backdoor
Episode 443 - The Supply Chain Security Crisis
Josh and Kurt talk about a story that discusses a story from Black Hat that references supply chains. There's a ton of doom and gloom around our software supply chains and much of the advice isn't realistic. If we want to take this seriously we need to stop obsessing over the little problems and focus on some big problems. Show Notes Black Hat USA 2024: Key Takeaways from the Premier Cybersecurity Event The Reason Train Design Changed After 1948
Episode 442 - The foundation of society, TLS certificates are a mess
Josh and Kurt talk about a few stories around the TLS CA certificate world. It's all pretty dire sounding. There's not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society, everything needs them to function. There's not a lot of positive ideas here, it's mostly a show where Kurt explains to Josh what's going on, because Josh doesn't want to care (and will continue to ignore all of this going forward). Show Notes Firefox's Mozilla follows Google in losing trust in Entrust's TLS certificates DigiCert Revocation Incident (CNAME-Based Domain Validation) List of Trust Lists
Episode 441 - Is CWE useful?
Josh and Kurt talk about CWE. What is it, and why does it matter. We cover some history, some shortcomings, and some ideas on how CWE could be used to make security a lot better. We frame the future discussion around the OWASP top 10 list. We should be putting more effort into removing removing entire classes of vulnerabilities. Show Notes CWE Episode 360 – Memory safety and the NSA Inside 22,734 Steam games