A security podcast geared towards those looking to better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers covering a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day. There is a special open source twist to the discussion often giving a unique perspective on any given topic.
Similar Podcasts
The Cynical Developer
A UK based Technology and Software Developer Podcast that helps you to improve your development knowledge and career,
through explaining the latest and greatest in development technology and providing you with what you need to succeed as a developer.
The FOSS Pod
From the creative geniuses behind Brad & Will Made a Tech Pod, The FOSS Pod is a show about the free and open source software that’s changing the world, and the developers who are making it happen.
ThunderCast
An inside look at the making of Mozilla Thunderbird, and community-driven conversations with our friends in the open-source software space.
Episode 320 - Security Twitter is not the real world
Josh and Kurt talk about a survey about a TuxCare patch management and vulnerability detection. Sometimes our security bubble makes us forget what it's like in the real world for the people who keep our infrastructure running. Patching isn't always immediate, automation doesn't fix everything, and accepting risk is very important. Show Notes State of Enterprise Vulnerability Detection and Patch Management CISA Known Exploited Vulnerabilities Catalog Google 0days
Episode 319 - Patch Tuesday with a capital T
Josh and Kurt talk about a lot of security vulnerabilities in this month's Patch Tuesday. There's also a new Git vulnerability. This sparks the age old question of how fast to patch? The answer isn't binary, the right answer is whatever works best for you, not what someone tells you is best. Show Notes Patch Tuesday Git security update
Episode 318 - Social engineering and why zlib got a 2018 CVE ID
Josh and Kurt talk about hackers using emergency data requests to gain access to sensitive data. The argument that somehow backdoors can be protected falls under this problem. We don't yet have the technical or policy protections in place to actually protect this data. We also explain why this zlib issue got a 2018 CVE ID in 2022. Show Notes Hackers using fake emergency data requests CVE-2018-25032 Global Security Database
Episode 317 - The lack of compromise in security
Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there's not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This gives you an idea how contentious of a topic pinning is. The final takeaway is not to let security turn into your identity, it ends up making a mess. Show Notes Josh's Twitter thread How to install week old npm packages
Episode 316 - You have to use open source
Josh and Kurt talk about the latest NPM backdoored package. It feels like this keeps happening. We talk about why this is and why it's probably OK. Kurt fixes Linus' Law, in open source the superpower isn't bugs are shallow (they're not), the superpower is security bugs in open source can't be ignored. Show Notes node-ipc protestware
Episode 315 - Who even makes all these terrible decisions?
Josh and Kurt talk about Microsoft accidentally letting us find out about ads in file explorer. Changing your clocks sucks. And touch on some of the security implications of the Russian invasion and sanctions. There are a lot of security lessons we can all learn. Mostly what not to do. Show Notes Ads in Windows Filemanager Russia running out of storage Russia threatens to nationalize industry Onagawa Nuclear Power Plant Cockcroft's Follies German government advises citizens to uninstall Kaspersky
Episode 314 - The Linux Dirty Pipe vulnerability
Josh and Kurt talk about the Linux Kernel Dirty Pipe security vulnerability. This bug is an amazing combination of amazing complexity, incredible simplicity, and a little bit of luck. The discovery is amazing, the analysis is enlightening. There's almost no way a bug like this could be found outside of open source. Show Notes Dirty Pipe Writeup
Episode 313 - Insecurity at scale
Josh and Kurt talk about the challenges of security at scale. Specifically we focus on why a lot of security starts to fall apart once you have to do something more than a few times. There's a lot of new thinking we need to push security forward. Show Notes Stable Linux Kernel and Machine Learning
Episode 312 - The Legend of the SBOM
Josh and Kurt talk about SBOMs. Not what they are, there's plenty about that. We talk about why everyone keeps claiming they're super important, and why we're starting to see some people question if we really need them. SBOMs are part of a future that's still being invented. Show Notes Questioning SBOMs Rezilion Log4j diagram David A Wheeler on CII Badges Using open source is communism
Episode 311 - Did you scan the QR code?
Josh and Kurt talk about the Coinbase Super Bowl ad. It was a QR code, lots of security people were aghast at how many people scanned the QR code. The reality is scanning QR codes isn't dangerous. What other security advice just won't go away? Show Notes Coinbase Ad Kurt's Twitter question QR code parking scam Mossad or not Mossad Kurt's talk
Episode 310 - Hayley Tsukayama from the EFF talks about privacy
Josh and Kurt talk to Hayley Tsukayama from the EFF about privacy. We all know privacy in the modern age is very complicated and difficult. Normal people don't have many allies when it comes to privacy. The EFF has been blazing the trail for digital rights for more than 30 years! This episode has a ton of amazing details, it's easy to see how the EFF became the jewel of the Internet. Show Notes Hayley's Twitter EFF How to Fix the Internet Episode 277 – Privacy and activism with Chris Weiland Washington State privacy bill Join the EFF (seriously, do this!)
Episode 309 - The bright future of open source security
Josh and Kurt talk about NPM requiring 2FA for the top 100 packages. We discuss the new Alpha and Omega projects from the OpenSSF and what it could mean for the future of open source security. Then we end on a note about the new Samba critical vulnerability. Show Notes NPM requires 2FA OpenSSF Alpha and Omega David A. Wheeler episode Linux Foundation LFX Samba Advisory
Episode 308 - Welcome to the jungle - How to talk about open source security
Josh and Kurt talk about how to get attention for security problems. Recent research around Twitter credentials checked into GitHub showed us how to get a lot of attention when compared to a problem like Log4Shell which took years before anyone really picked up on the problem. It's hard to talk about security sometimes. Show Notes Josh's computer vision code Twitter secrets Qualys pwnkit
Episode 307 - Got vulnerabilities? Introducing GSD
Josh and Kurt talk about the Global Security Database (GSD) project. This is a Cloud Security Alliance (CSA) effort to build community around vulnerability identifiers. Show Notes We rate dogs Racoons that heal your sadness Global Security Database Episode 261 – DWF is back! Welcome to community powered CVE GSD mailing list GSD Circle group GSD Database GSD Project Plan
Episode 306 - Open source isn't broken, it's an experience
Josh and Kurt talk about the faker and colors NPM events. There is a lot of discussion around open source being broken or somehow failing because of these events. The real answer is open source is an experience. How we interact with our dependencies determines what the experience looks like. Show Notes Developer corrupts colors and faker Will Wright Pee Internet Anonymity