
What's in the SOSS? An OpenSSF Podcast

OpenSSF
Latest episode

64 episodes

  • Consuming with Intent: Driving Enterprise Security and Career Growth Through Open Source with Jamie Thomas (IBM)

    16-06-2026 | 29 Min.
    In this episode of Big Thoughts, Open Sources, host CRob sits down with Jamie Thomas, IBM Enterprise Security Executive and OpenSSF Governing Board Member (former Chair!), to tackle the shifting dynamics of enterprise open source engagement. From IBM's historical "billion-dollar bet" on Linux to modern supply chain wake-up calls like SolarWinds and Log4j, Jamie pulls back the curtain on what it truly means to move from accidental consumption to intentional stewardship. Tune in to discover how active participation in neutral foundations like the OpenSSF acts as a fast track for engineering career trajectories, why soft skills like "the art of influence" are critical for upstream collaboration, and how organizations can protect their crown jewels while implementing a powerful "give-back strategy."
    Chapters:
    00:00 – Intro Music + Promo Clip
    00:21 – Introduction & Welcoming Luminary Jamie Thomas
    01:32 – Wearing the Enterprise Security Hat at IBM
    02:10 – Supply Chain Wake-up Calls: From SolarWinds to Log4j
    03:14 – Unlocking Open Ecosystems: IBM’s Early History with Java and Linux
    05:21 – Mainframe Debates and Portability: The Evolution of Open Source Adoption
    06:24 – The Red Hat Acquisition and Monetizing the Developer Ecosystem
    08:20 – The Myth of "Free" Software: Securing Regulated Enterprise Deployment
    10:15 – Why a Seat at the Table Matters: The Value of Neutral Foundations
    11:29 – The Art of Influence: Upstream Contributions as a Career Catalyst
    13:50 – Moving Innovation from Open Source Kernels to Commercial Value
    16:12 – Storming, Norming, and Conversation: Lessons from the Kubernetes Era
    17:38 – Pitching Upstream Time: Helping Developers Sell Open Source to Management
    19:30 – Beyond Code: Bringing Domain Expertise and Soft Skills Upstream
    21:40 – Conquering the Chasm: Automating CI/CD Pipelines and Testing at Scale
    23:00 – Consuming with Intent: Active Stewardship and the OpenSSF Scorecard
    25:21 – Rapid Fire Round: Mainframes, AI-Generated Code, and Star Trek nostalgia
    27:53 – Call to Action: Crafting Your Organization's "Give-Back Strategy"
    Episode links:
    Jamie Thomas’ LinkedIn page
    Learn more about IBM’s Strong History and Commitment to Open Source
    Red Hat
    Eclipse Foundation
    CNCF
    Get involved with the OpenSSF
    Learn more about the OpenSSF Governing Board
    Subscribe to the OpenSSF Newsletter
    Follow the OpenSSF on LinkedIn
  • The Ghost in the Dependency Tree: Navigating Open Source End-of-Life with HeroDevs

    02-06-2026 | 26 Min.
    In this episode of What’s in the SOSS, host CRob sits down with Isaac Wuest, Product Line Leader at HeroDevs, to explore the critical and often overlooked "gray area" of the software supply chain: End-of-Life (EOL) software. While the industry heavily relies on CVEs to track vulnerabilities, Isaac explains how maintainer abandonment creates a vacuum where risks are present but remain undiscovered and unreported. From the origins of HeroDevs supporting AngularJS to the nuances of the EU Cyber Resilience Act (CRA), this conversation provides a practical framework for distinguishing between inherent hazards and actual risk in your dependency tree.
    Chapters:
    00:04 - CRob welcomes Isaac Wuest from HeroDevs
    00:45 - The HeroDevs origin story: How Google sunsetting AngularJS created a need for secure drop-in replacements.
    02:44 - Isaac’s path to open source: Transitioning from product management to supporting maintainers.
    04:06 - Exploring the "Gap" in CVEs: Why dictionary-based vulnerability tracking misses EOL and malicious packages.
    07:03 - The challenge of "Maintainer Attestation": Why most open source projects lack a formal EOL calendar.
    09:52 - Compliance and Risks: How EOL dependencies create blank spots for security professionals and auditors.
    11:27 - The Shark in the Tank: Using a food regulation analogy to differentiate between hazard and risk.
    13:22 - Navigating the EU Cyber Resilience Act: Preparing for increased manufacturer accountability in software.
    14:08 - Maintainer Abandonment: Identifying the moment a project stops receiving patches without formal notice.
    16:14 - Scanning for Gaps: Why standard industry tools currently struggle to provide a complete EOL picture.
    18:49 - Practical Remediation: Recommendations for researching upgrade paths using tools like endoflife.date.
    20:49 - Analyzing SBOMs: How engineers can leverage free datasets to identify and fix deep dependency risks.
    23:00 - Rapid Fire: Coffee, Star Wars, spicy food, and the favorite apocalyptic robot.
    25:01 - Final Thoughts: A call to action for educating yourself on your application's EOL exposure.

    Episode links:
    Isaac Wuest’s LinkedIn page
    HeroDevs
    Free Tool: End of Life Data Set
    Community Resource: endoflife.date
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn
  • Beginner to Builder: Shaping the Conversation in Open Source Security

    19-05-2026 | 25 Min.
    In this episode of What's in the SOSS, Yesenia Yser interviews cybersecurity analyst Ejiro Oghenekome about her journey from UI/UX design to becoming a key contributor to the OpenSSF. Ejiro shares the inspiration behind her public "100 Days of Cybersecurity" challenge, which has helped her maintain discipline and consistency while making the field less intimidating for beginners. She discusses how connecting with the OpenSSF community led her to the BEAR Working Group, where her authorship of the "Beginner to Builder" blog series has allowed her to move from consuming content to actively shaping the open source security conversation. Ejiro also offers advice to the next generation, emphasizing that open source contribution is not just about coding but is a welcoming space for anyone to learn and grow, regardless of their current expertise.
    Episode links:
    Ejiro (Sonia) Oghenekome LinkedIn page
    Ejiro’s GitHub page
    BEAR Working Group
    Ejiro’s OpenSSF Beginner to Builder Blog Series:
    Blog #1: From Beginner to Builder: Understanding OpenSSF Community and Working Groups
    Blog #2: From Beginner to Builder: Your First Code Contribution
    Blog #3: From Beginner to Builder: Free OpenSSF and Linux Foundation Education Courses

    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn
    Chapters:
    00:00 - Music, Promo clip, & Welcome
    01:11 - Ejiro details her transition from UI/UX design to cybersecurity and connecting with OpenSSF.
    03:39 - Ejiro explains her motivation for starting the 100-day challenge, including receiving advice to learn publicly and a previous rejection from an internship.
    06:49 - Ejiro shares that she is currently on day 44 and expects to complete the challenge around April.
    07:50 - Ejiro discusses her biggest personal lesson: understanding consistency and discipline, and learning from the community.
    10:45 - Ejiro describes her authorship of the "Beginner to Builder" blog series, which shifted her from consuming content to shaping the open source conversation.
    15:47 - Ejiro shares the impact of her work, noting that it has made cybersecurity feel less intimidating for beginners and helped her grow in confidence.
    18:22 - Rapid Fire Questions: Ejiro shares her preferences on books, cooking, social media, and more.
    21:13 - Ejiro offers advice to the next generation, emphasizing that open source is welcoming, not just about coding, and provides great opportunities for learning and growth.
    24:46 - Yesenia concludes the interview, thanking Ejiro for her time and contributions.
  • Packaging, Transferring, and Deploying Software in Air-Gapped Environments with Zarf

    05-05-2026 | 19 Min.
    Host Sally Cooper is joined by Brandt Keller, a staff software engineer at Defense Unicorns and maintainer of the OpenSSF sandbox project, Zarf. Brandt discusses Zarf's origins as a tool designed to reliably package, transfer, and deploy software components (like container images and Helm charts) specifically for critical, air-gapped environments that lack internet connectivity. The conversation explores Zarf's evolution, highlighting its current role in introducing security gates, improving transparency, and consolidating various management and SBOM tools into a single, declarative workflow. Finally, Brandt explains how Zarf's declarative manifest model is helping to secure open source software by reducing the cognitive burden on maintainers and giving integrators confidence in upstream artifacts.

    Chapters:
    00:01: Welcome and Introduction to Brandt Keller and Defense Unicorns
    02:01: What is Zarf and its history: Solving the air-gapped use case
    04:33: Zarf's critical function today: Security, transparency, and packaging
    09:18: How Zarf has evolved: From niche tool to agnostic distribution and GitOps integration
    12:07: Zarf’s role in OpenSSF and securing open source software
    16:05: Rapid Fire and Call to Action (Zarf.dev)

    Episode links:
    Brandt Keller’s LinkedIn page
    Zarf website
    Zarf GitHub
    CNCF Security Technical Advisory Group (TAG Security)
    OpenSSF Software Supply Chain Integrity Working Group
    OpenSSF Project GUAC
    Defense Unicorns
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn
  • Building a Connected Africa: The Origin Story of OSSAfrica with Prince Asiedu

    21-04-2026 | 26 Min.
    This episode features Prince Oforh Asiedu, discussing his inspiring journey into tech and open source, starting from a childhood fascination with computers in Ghana, self-learning to code despite financial and economic challenges, and making his first contributions through documentation. Prince shares the origin story of Open Source & Security Africa (OSSAfrica), revealing how the frustration of repeatedly being denied access to global conferences due to visa issues sparked the idea to build a local, Africa-rooted community to connect and empower African contributors globally. He outlines the vision for OSSAfrica to become a serious contributor to software supply chain security, aiming for African voices to be recognized as trusted collaborators and leaders in the ecosystem.

    Chapters:
    00:01 - Introduction and Welcome to Prince
    01:33 - From Ghana's Internet Cafes to Learning Python: Prince's Early Journey
    05:36 - The Moment That Changed Everything: Starting with Open Source Documentation
    10:46 - The Frustration that Founded OSSAfrica: Structural Barriers and Visa Issues
    16:42 - OSSAfrica's Growth and Community of Communities
    19:01 - The Vision for 2026: Success for African Contributors
    23:32 - How to Get Involved with OSSAfrica
    28:32 - Advice for the Next Wave: Growth Compounds When You Are Not Alone

    Episode links:
    Prince (Oforh) Asiedu LinkedIn page
    OSSAfrica website
    OSSAfrica GitHub Org
    OSSAfrica Roadmap
    OSSAfrica discord
    OSSAfrica LinkedIn
    OpenSSF Slack channel OSSAfrica (#sig-ossafrica)
    BEAR Working Group
    FIRST VulnCon
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn
About What's in the SOSS? An OpenSSF Podcast

What's in the SOSS? features the sharpest minds in security as they dig into the challenges and opportunities that create a recipe for success in making software more secure. Get a taste of all the ingredients that make up secure open source software (SOSS) and explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessments. Each episode of What's in the SOSS? is packed with valuable insight designed to foster collaboration and promote stronger security practices for the open source software community.

About Christopher Robinson (aka CRob), host

CRob is a 43rd level Dungeon Master and a 26th level Securityologist. He is a leader within several Open Source Security Foundation (OpenSSF) efforts and is a frequent speaker on cyber, application, and open source security. He enjoys hats, herding cats, and moonlit walks on the beach.
Podcast website
