A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.
Sustaining Open VSX with Mike and Thabang
Josh welcomes Mike Milinkovich and Thabang Mashologu from the Eclipse Foundation to talk about their new managed Open VSX registry. This is the first open source package registry to create a commercial operation for large company users to help fund the registry. We discuss how we got here, what's actually going on, and why this commercial approach is working. Everyone knew this day would come, and it looks like the Eclipse Foundation got this one right. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-06-openvsx-mike-thabang/
Hacking your CI/CD with François Proulx
Josh welcomes back François Proulx to talk about the absolute madness in the CI/CD universe right now. We also learn about François' new project SmokedMeat which is a tool to help you hack your own CI/CD. When Josh spoke to François a year ago, the world was a very different place than it is today. François has a ton of knowledge about how we got here and what we can do moving forward. Boost Security has a bunch of amazing open source tools François built that can help keep CI/CD systems understood and locked down. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-06-françois-smoked-meat/
Open source verification with Sal Kimmich
Josh chats with Sal Kimmich about the current state of everything, and what we can expect next. Sal has some incredible insight into what we can expect to see due to the current wave of security bugs and incidents. There are some new features we will need in both our hardware and software to ward off the state of things. Since those features are years away, what we need in the short term is shoring up our SDLC programs. Sal has some really good medical examples and analogies for this one. It's a huge problem but not insurmountable. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-06-verification-sal-kimmich/
Vulnerability disclosure with Casey Ellis
Josh talks to Casey Ellis about why vulnerability disclosure is so hard, and also so important. Casey is one of the best in this space having been a Bugcrowd founder. There are few people with more experience and insight into how a security vulnerability should be handled, and why the explosion of AI is making all this much harder than it's ever been before. While finding vulnerabilities is easy, reporting them is still a lot of work. Casey is working on helping everyone better understand all this with his disclose.io project. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-05-vulnerability-disclosure-casey-ellis/
F-Droid the open app store with Hans
Josh talks to Hans-Christoph Steiner about F-Droid, the Free and Open Source Android App Repository. The way F-Droid works looks a lot like a Linux distribution, which has some interesting security challenges, but also some great security benefits. Hans walks us through the current state of open app repositories and also what the future currently looks like. There are more open phones than ever before, but there are also more challenges than ever before. Hans breaks it all down in an easy to understand way. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-05-fdriod-hans-steiner/
Open source is critical infrastructure with Kat Cosgrove
Josh talks to Kat Cosgrove about how companies should be treating open source more like their critical infrastructure than free stuff. Kat has a ton of knowledge about how the interactions between companies and open source communities can work well, or not work at all, drawing on her time on the Kubernetes Release Team. We touch on how a project like Kubernetes is super successful, while another, Ingress NGINX, was not. It's a super insightful discussion with a ton of lessons and advice for everyone. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-05-open-source-infrastructure-kat/
How to actually test a disaster plan with David Bernstein
Josh and David finish up the disaster recovery and emergency planning trilogy. In this one David tells us how to test the plan he told us how to build in the last episode. There are some great ideas in this one about how to test the process, not the people: how to construct the plan, and even some tips to go from a plan to some actual real-world testing. It's another episode filled with great and practical advice. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-05-testing-the-plan-david-bernstein/
Open Source Pledge with Vlad-Stefan Harbuz
Josh has a discussion with Vlad-Stefan Harbuz about the Open Source Pledge as well as his recent FOSDEM talk. The Open Source Pledge is all about trying to build a sustainable universe for open source maintainers. This ties into Vlad's FOSDEM talk, which was all about the challenge of just knowing what open source you are using. Making open source sustainable is a really important topic, but it's also a really hard topic. Vlad helps explain all of this as well as some ideas for solving this in the future. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-04-open-source-pledge-vlad/
Building a plan for disaster with David Bernstein
Josh welcomes back David Bernstein to talk about creating a disaster recovery plan. It's a very timely topic given all the current events. There are more supply chain attacks and compromises than ever before. There are some great resources for this planning, but as David tells us, it's really not that hard to put some plans together. It's easy to over-plan, so David gives some great tips on getting started with our planning for an eventual incident. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-04-disaster-planning-david-bernstein/
Open Source Malware with Paul McCarty
Josh talks to Paul McCarty of Open Source Malware about ... open source malware. Paul explains why there aren't many good open source malware datasets. We discuss why the existing data is lacking for many use cases. We of course touch on AI and the malware in skills problems and challenges. It's a fun discussion with a lot of new and interesting problems we all have to deal with. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-04-open-source-malware-paul-mccarty/
Package management challenges with Andrew Nesbitt
Josh welcomes back Andrew Nesbitt to discuss some recent blog posts he wrote about the challenges of new ecosystems as well as the challenges of having no ecosystem at all, as with C. There aren't very many people who look at multiple ecosystems in the way Andrew does. He has thoughts on why it's so hard to create a new ecosystem as well as some of the reasons we don't see a C language ecosystem. Andrew has a ton of interesting ideas and insight for us about existing, new, and nonexistent ecosystems. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-04-ecosystems-andrew/
Open Source Security at scale with Michael Wisner
Josh talks to Michael Wisner about a talk he gave at FOSDEM as well as his work on Alpha-Omega at the Linux Foundation. Michael is approaching open source security in a way that nobody has ever tried before. What if we could fund some really big, really hard projects? It's not cheap or easy, but he's getting it done. We spend a lot of the time discussing package registries, which are a huge topic. Michael is doing some amazing work helping package registries, which is the first step in a very long journey. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-03-michael-wisner/
2026 State of the Software Supply Chain with Brian Fox
Josh chats with Brian Fox from Sonatype about their 2026 State of the Software Supply Chain report. Most of the numbers continue to grow at alarming rates, but there are some new and interesting findings in this one. We discuss end of life and open source, which is tough to define. We touch on what using AI with open source dependencies looks like (and why it's broken), and we discuss the challenge of upgrading your open source dependencies in a way that doesn't break everything. It's a great report and a great discussion. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-03-SOTSSC-Brian-Fox/
MCP and Agent security with Luke Hinds
Josh talks to Luke Hinds, CEO of Always Further, about MCP and agent security. We start out talking about Luke's new tool, nono, which is a sandboxing tool that has AI agents in mind as a use case. We explain what MCP and agents are doing as well as why it's so hard to secure them. It's not impossible, but it's not simple either. We end the show by discussing some of the more human aspects of security and how history may be repeating itself, with security folks laughing at new users who don't know any better. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-03-mcp-agent-luke/
The State of OpenSSL for pyca/cryptography with Alex Gaynor and Paul Kehrer
Josh talks to Paul Kehrer and Alex Gaynor from the Python Cryptographic Authority. Alex and Paul recently published a statement discussing the challenges posed by modern OpenSSL. We discuss the statement and their relationship with OpenSSL. We chat about some of the current features in cryptography, as well as some of what's coming in the future. It's a fun conversation that hits on a lot of great points. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-03-cryptography-alex-paul/