
What's in the SOSS? An OpenSSF Podcast

OpenSSF
Latest episode

59 episodes

  • Big Thoughts, Open Sources Inaugural Episode: Beyond the Hype: Brian Fox on Securing the Agentic Future of Open Source

    07-04-2026 | 29 Min.
    In this inaugural episode of Big Thoughts and Open Sources, host CRob sits down with Brian Fox, Co-founder and CTO of Sonatype, to dissect the friction between rapid AI adoption and foundational software security. Brian shares insights from the 11th annual State of the Software Supply Chain Report, revealing the emergence of "slop squatting" and the high frequency of AI models recommending non-existent or vulnerable dependencies. The conversation explores how the Model Context Protocol (MCP) could revolutionize developer compliance and why the industry must fund the critical infrastructure supporting our trillion-dollar open source ecosystem.
    Chapters:
    00:23 – Welcome to the inaugural episode of Big Thoughts, Open Sources.
    01:01 – Brian shares his journey from 2002 Apache Maven contributor to co-founding Sonatype and joining the OpenSSF board.
    02:53 – The conversation shifts to the critical role of Maven Central in providing global visibility into the software supply chain.
    03:26 – Brian reflects on a decade of security trends, noting that the "Log4Shell" pattern of using unpatched libraries has existed for years.
    05:34 – The "Tribal Knowledge" problem is explored, highlighting how AI agents lack the undocumented context human developers share at lunch.
    07:06 – Brian reveals findings from the 11th Annual State of the Software Supply Chain Report, including how AI models recommend non-existent code versions 30% of the time.
    08:09 – The "Slop Squatting" phenomenon is explained, where attackers upload malicious packages to match common AI hallucinations.
    10:03 – Brian discusses the Model Context Protocol (MCP) as a game-changer for turning security tools into expert systems for AI agents.
    13:42 – The dialogue warns against ignoring sixty years of software engineering "physics" in the rush to adopt AI-generated code.
    15:11 – Brian describes the "Vulcan Mind Meld" opportunity of injecting high-quality governance data directly into an AI agent’s decision-making process.
    17:19 – The experts debate the risks and rewards of our "new robot overlords" and the need for ML SecOps discipline.
    19:30 – Brian emphasizes that "inefficient code is still inefficient code" and warns against repeating the costly mistakes of early cloud migrations.
    21:01 – Advice is given on building an "AI-native SDLC" that focuses on providing security information upfront during code creation.
    24:18 – Brian addresses the sustainability crisis, noting that the cloud infrastructure required for modern, secure open source builds is no longer free.
    27:17 – The episode concludes by highlighting the eight trillion dollars of economic value produced by open source and the need to fund its core infrastructure.
    Episode links:
    Brian Fox LinkedIn page
    Sonatype website
    Maven Central Repository
    The State of the Software Supply Chain Report
    Sonatype Blog
    OpenSSF AI/ML Security Working Group
    Whitepaper: Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline Security
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn
  • From Noise to Signal: Security Expertise and Kusari Inspector with Mike Lieberman

    24-03-2026 | 25 Min.
    In this episode, CRob talks with Mike Lieberman from Kusari about the current state of open source security. They discuss the growing burden on maintainers from the "deluge" of noisy, low-quality vulnerability reports, often generated by AI tools, and the vital role of "a human in the loop." Mike introduces Kusari's tool, Inspector, explaining how it uses codified security expertise to process data from tools like OpenSSF Scorecard and SLSA, effectively filtering out false positives and giving maintainers only high-quality, actionable reports. They also dive into the design philosophy of "don't piss off the engineers" and share a vision for the future of security tooling that focuses on dramatically better user experience and building security primitives that are "secure by design."

    Chapters:
    00:06 – Introduction: The Biggest Challenge in Security Tooling
    01:12 – Overwhelmed Maintainers: The Deluge of Low-Quality AI Reports
    04:00 – Introducing Kusari's Inspector: How it Filters False Positives
    08:40 – The Secret Sauce: Security Expertise and the Need for Reproducible Tests
    12:03 – Meeting Engineers Where They Are: Design Choices to Reduce Maintainer Burden
    18:16 – The Future of Open Source Security Tooling: Focusing on Better UX
    22:19 – Call to Action: The Responsibility of Large Organizations

    Episode links:
    Michael Lieberman’s LinkedIn page
    Learn more about Kusari Inspector
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn
  • Empowering New Maintainers: Inside the OpenSSF Mentorship Program

    17-03-2026 | 22 Min.
    In this episode of What’s in the SOSS? host Sally Cooper sits down with Yesenia Yser, co-lead of the OpenSSF Mentorship Program and the BEAR Working Group, and Kairo De Araujo, Open Source Software Engineer and mentor for rstuf. They dive into the success of the OpenSSF Mentorship Program, which focuses on bringing underrepresented voices into software security. Kairo shares an incredible outcome from the last cycle – where two out of three mentees became project maintainers – while Yesenia discusses the evolution of the BEAR Working Group (Belonging, Empowerment, Allyship, and Representation) mentorship program. Whether you are a potential mentor or a mentee looking to break into open source, this episode provides a roadmap for the upcoming paid mentorship cycle.

    Important Dates for the 2026 Mentorship Cycle:
    Applications Open: March 24, 2026
    Applications Close: April 12, 2026
    Selection Period: April 13 – April 30, 2026
    Notification Date: May 1, 2026
    Onboarding: May 5 – May 29, 2026
    Mentorship Period: June 1 – August 21, 2026
    Chapters:
    00:01 – Welcome
    01:43 – Kairo on his work with the Repository Service for TUF (RSTUF).
    02:30 – Yesenia on the BEAR Working Group and making open source accessible.
    04:30 – The "Why" behind mentorship: Solving the barrier to entry for security beginners.
    07:28 – Success strategies: Working as a team across time zones with multiple mentees.
    09:28 – The ultimate goal: Moving mentees from learners to official project maintainers.
    10:58 – Challenges and growing pains: Managing deadlines and interview chaos.
    13:48 – Advice for Mentors: The importance of clear communication and flexibility.
    15:02 – Advice for Mentees: Don't be afraid to join; focus on "pre-onboarding".
    17:13 – Key Dates for the 2026 Mentorship Cycle.
    20:15 – Call to Action: Get to know this year’s participating projects (gittuf, rstuf, SBOMit, Minder) and how to get involved.

    Episode links:
    Yesenia Yser LinkedIn page
    Kairo De Araujo LinkedIn page
    LFX Mentorships
    BEAR Working Group
    OpenSSF Participating Projects for 2026 Mentorship Program
    Repository Service for TUF (rstuf)
    gittuf
    SBOMit
    Minder

    BEAR Working Group Welcome Calls YouTube Playlist
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn
  • The Gemara Project: GRC Engineering Model for Automated Risk Assessment

    10-03-2026 | 17 Min.
    Hannah Braswell and Jenn Power, security engineers from Red Hat and contributors to the OpenSSF, join host Sally Cooper to discuss the Gemara project. Gemara, an acronym for GRC Engineering Model for Automated Risk Assessment, is a seven-layer logical model that aims to solve the problem of incompatibility in the GRC (Governance, Risk, and Compliance) stack. By outlining a separation of concerns, the project seeks to enable engineers to build secure and compliant systems without needing to be compliance experts. The speakers explain how Gemara grew organically to seven layers and connects with other open source initiatives like the OpenSSF Security Baseline and Finos Common Cloud Controls. They also touch on the ecosystem of tools being built, including Queue schemas and a Go SDK, and how new people can get involved.
    Chapters:
    00:00 Welcome music + promo clip
    00:22 Introductions
    02:17 What is Gemara and what problem does it address?
    03:58 Why do we need a model for GRC engineering?
    05:50 The seven-layer structure of Gemara
    07:40 How Gemara connects to other open source projects
    10:14 Tools available to help with Gemara model adoption
    11:39 How to get involved in the Gemara projects
    13:59 Rapid Fire
    16:03 Closing thoughts and call to action
    Episode links:
    Jenn Power LinkedIn page
    Hannah Braswell LinkedIn page
    Gemara Website
    Blog: Introducing the Gemara Model
    Publication: Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment
    OpenSSF OSPS Baseline
    Finos Common Cloud Controls
    Privateer
    Cyber Resilience Act (CRA) Brief Guide for OSS Developers
    LFEL1001: Understanding the EU Cyber Resilience Act (CRA) (Education/Training) 
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn
  • AIxCC Part 4 – Cyber Reasoning Systems: The Real-World Journey After AIxCC

    10-02-2026 | 17 Min.
    In this final episode of our AI Cyber Challenge (AIxCC) series, CRob and Jeff Diecks wrap up the journey from DARPA's groundbreaking two-year competition to the exciting collaborative phase happening now. Discover how winning teams are taking their AI-powered vulnerability detection systems into the real world, finding actual bugs in projects like the Linux kernel and CUPS. Learn about the innovative OSS-CRS project that aims to create a standard infrastructure for mixing and matching the best components from different systems, and hear valuable lessons about how to responsibly introduce AI-generated security findings to open source maintainers. The competition may be over, but the real work—and collaboration—is just beginning.
    This episode is part 4 of a four-part series on AIxCC:
    AIxCC part 1: From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney
    AIxCC part 2: From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs
    AIxCC part 3: Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC

    Chapters:
    00:00 - Welcome and Introduction to AIxCC
    01:37 - OpenSSF's AI Security Mission: Two Lenses
    03:54 - Competition Highlights: What the Teams Discovered
    07:43 - Real-World Impact: From Research to Production
    10:44 - Lessons Learned: Working with Open Source Maintainers
    13:13 - OSS-CRS: Building a Standard Infrastructure
    14:29 - Breaking Down Walls: Post-Competition Collaboration
    15:39 - How to Get Involved

    Episode links:
    Jeff Diecks LinkedIn page
    Christopher “CRob” Robinson LinkedIn page
    AI Cyber Challenge (AIxCC)
    OSS-CRS Project
    OpenSSF AI/ML Security Working Group
    Cyber Reasoning Systems Special Interest Group (Slack)
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn


About What's in the SOSS? An OpenSSF Podcast

What's in the SOSS? features the sharpest minds in security as they dig into the challenges and opportunities that create a recipe for success in making software more secure. Get a taste of all the ingredients that make up secure open source software (SOSS) and explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessments. Each episode of What's in the SOSS? is packed with valuable insight designed to foster collaboration and promote stronger security practices for the open source software community.

About Christopher Robinson (aka CRob), host

CRob is a 43rd level Dungeon Master and a 26th level Securityologist. He is a leader within several Open Source Security Foundation (OpenSSF) efforts and is a frequent speaker on cyber, application, and open source security. He enjoys hats, herding cats, and moonlit walks on the beach.
Podcast website
