Ga naar de inhoud
PodcastsTechnologieWhat's in the SOSS? An OpenSSF Podcast

What's in the SOSS? An OpenSSF Podcast

OpenSSF
What's in the SOSS? An OpenSSF Podcast
Nieuwste aflevering

66 afleveringen

  • What's in the SOSS? An OpenSSF Podcast

    Signing the Future: Securing AI and ML Artifacts with Mihai Maruseac

    14-07-2026 | 21 Min.
    In this episode of What’s in the SOSS?, host Yesenia Yser sits down with Mihai Maruseac, the lead of the OpenSSF AI/ML Working Group and Security and Privacy expert at OpenAI, to dive deep into the unique security challenges facing artificial intelligence. Unlike traditional software packages, AI models cannot simply be inspected for malware by looking at their weights – malicious code only exposes itself upon execution. Mihai outlines how the community is answering this threat through the evolution of the OpenSSF Model Signing (OMS) specification. Discover how OMS creates an unshakeable chain of custody for models, data sets, and agent workflows, the structural shift toward implementation-agnostic toolchains, and what the future looks like for a fully realized, end-to-end secure AI supply chain.
    Chapters:
    00:22 – Welcome: Yesenia introduces AI/ML Working Group lead Mihai Maruseac.
    00:51 – From TensorFlow to OpenAI: Mihai’s journey navigating open source security and AI.
    01:47 – Core Risks of Model Tampering: A look at hidden risks inside uninspectable model weights.
    03:27 – Establishing Chain of Custody: How cryptographic signatures verify file integrity from training to deployment.
    05:04 – Evolution of the OMS Spec: Why the community standardized on forward-compatible, framework-agnostic formats.
    07:17 – Tracking Iteration (v1.1 & v1.2): An overview of newly introduced security keys and community features.
    08:26 – Choosing Your PKI Tooling: Why the OMS specification remains highly flexible for users.
    10:22 – Real-World Integration: Early success stories with Kaggle, NVIDIA, and the path to PyTorch.
    12:42 – Looking Ahead to Version 2: Overcoming "attestation sprawl" by unifying multiple security claims.
    15:29 – The Ideal AI Supply Chain: Using signed artifacts with GUAC to automatically map vulnerabilities.
    17:09 – How to Get Involved: Immediate opportunities to contribute to signature format convergence.
    18:11 – Rapid Fire Segment: Mihai shares his favorite retro games, hiking, and love for Vim.
    19:37 – Final Words of Advice: Why contributors of all skill levels are welcome to join.
    Episode links:
    Mihai Maruseac’s LinkedIn Page
    OpenSSF Model Signing (OMS)
    OpenSSF Model Signing Spec GitHub Repo
    OpenSSF AI/ML Working Group
    OpenSSF Guide: Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline Security
    Graph for Understanding Artifact Composition (GUAC)
    Sigstore
    In-toto
    Ollama
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn
  • What's in the SOSS? An OpenSSF Podcast

    The Heartbeat of the Kernel: Why Upstream is the Ultimate Security Strategy with Greg Kroah-Hartman

    30-06-2026 | 34 Min.
    What does it feel like to wake up and realize your weekend passion project is now the critical infrastructure powering the planet? In this episode of What’s in the SOSS?, CRob sits down with Linux kernel maintainer and open source icon Greg Kroah-Hartman. Greg takes us on a journey from his early days writing firmware for printer and hospital ATMs to managing the relentless, everyday engineering task of maintaining the Linux kernel over decades. He breaks down the realities of modern kernel security, dismantles the myth that maintainers know every single vulnerability exploit , and details how looming global regulations like the EU's Cyber Resilience Act (CRA) are shifting the compliance burden onto vendors. If your organization uses Linux, Greg has a simple, urgent message for you: stop fearing change, build your testing infrastructure, and update your systems. 
    Chapters:
    00:03 - Welcome: Host CRob introduces Linux kernel legend Greg Kroah-Hartman.
    01:04 - From Printers to Richard Stallman: Greg shares his origin story in embedded engineering and his introduction to free software.  
    02:00 - The Weekend Driver and the Dopamine Hit: How a quick weekend project turned Greg into a lifelong kernel contributor.
    04:20 - Realizing Linux is Critical Infrastructure: The moment the telcos and banks moved in, signaling that Linux was everywhere.
    05:28 - 2005: The Year the Kernel Grew Up: Implementing stable releases, the security team, and the rule to never break user space.
    07:05 - What People Get Wrong About Kernel Security: Linus's mantra that "a bug is a bug," and the reality of handling 35 fixes a day.
    09:32 - The Historic Fear of Updating: Why lagging behind for "stability" is actually incurring massive risk.
    12:17 - Global Regulation and the Cyber Resilience Act (CRA): How upcoming laws are changing vendor responsibility and why the open source community is exempt.
    13:51 - How OpenSSF is Reducing the Burden: Applauding the cross-ecosystem collaboration that protected maintainers from onerous drafts.
    17:05 - Pay Your Employees to Contribute: Greg’s best piece of advice for downstream enterprises relying on open source.
    18:39 - Inside the Kernel Security Alias: How the ad-hoc security team handles triage and assigns CVEs.
    21:11 - The CVE Numbers Game: Why the kernel ranks #2 in CVE creation and the trouble with automated severity scores.
    25:39 - We are Already There: AI Slop and Static Analysis: Greg addresses the recent surge of AI-generated bug reports and patches.
    31:20 - Rapid Fire Round: Spicy food, coffee, Star Wars, and the ultimate call to action. 
    Episode links:
    Greg Kroah-Hartman’s LinkedIn page
    The Linux Foundation CRA Stewards Playbook
    OpenSSF Global Cyber Policy Working Group
    The Linux Kernel Archive (Keep your systems current with the latest stable kernel releases)
    The Value of Open Source Software
    Additional Resources
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn
  • What's in the SOSS? An OpenSSF Podcast

    Consuming with Intent: Driving Enterprise Security and Career Growth Through Open Source with Jamie Thomas (IBM)

    16-06-2026 | 29 Min.
    In this episode of Big Thoughts, Open Sources, host CRob sits down with Jamie Thomas, IBM Enterprise Security Executive and OpenSSF Governing Board Member (former Chair!), to tackle the vital shifting dynamics of enterprise open source engagement. From IBM's historical "billion-dollar bet" on Linux to modern supply chain wake-up calls like SolarWinds and Log4j, Jamie pulls back the curtain on what it truly means to move from accidental consumption to intentional stewardship. Tune in to discover how active participation in neutral foundations like the OpenSSF acts as a fast track for engineering career trajectories, why soft skills like "the art of influence" are critical for upstream collaboration, and how organizations can protect their crown jewels while implementing a powerful "give-back strategy."
    Chapters:
    00:00 – Intro Music + Promo Clip
    00:21 – Introduction & Welcoming Luminary Jamie Thomas
    01:32 – Wearing the Enterprise Security Hat at IBM
    02:10 – Supply Chain Wake-up Calls: From SolarWinds to Log4j
    03:14 – Unlocking Open Ecosystems: IBM’s Early History with Java and Linux
    05:21 – Mainframe Debates and Portability: The Evolution of Open Source Adoption
    06:24 – The Red Hat Acquisition and Monetizing the Developer Ecosystem
    08:20 – The Myth of "Free" Software: Securing Regulated Enterprise Deployment
    10:15 – Why a Seat at the Table Matters: The Value of Neutral Foundations
    11:29 – The Art of Influence: Upstream Contributions as a Career Catalyst
    13:50 – Moving Innovation from Open Source Kernels to Commercial Value
    16:12 – Storming, Norming, and Conversation: Lessons from the Kubernetes Era
    17:38 – Pitching Upstream Time: Helping Developers Sell Open Source to Management
    19:30 – Beyond Code: Bringing Domain Expertise and Soft Skills Upstream
    21:40 – Conquering the Chasm: Automating CI/CD Pipelines and Testing at Scale
    23:00 – Consuming with Intent: Active Stewardship and the OpenSSF Scorecard
    25:21 – Rapid Fire Round: Mainframes, AI-Generated Code, and Star Trek nostalgia
    27:53 – Call to Action: Crafting Your Organization's "Give-Back Strategy"
    Episode links:
    Jamie Thomas’ LinkedIn page
    Learn more about IBM’s Strong History and Commitment to Open Source
    Red Hat
    Eclipse Foundation
    CNCF
    Get involved with the OpenSSF
    Learn more about the OpenSSF Governing Board
    Subscribe to the OpenSSF Newsletter
    Follow the OpenSSF on LinkedIn
  • What's in the SOSS? An OpenSSF Podcast

    The Ghost in the Dependency Tree: Navigating Open Source End-of-Life with HeroDevs

    02-06-2026 | 26 Min.
    In this episode of What’s in the SOSS, host CRob sits down with Isaac Wuest, Product Line Leader at HeroDevs, to explore the critical and often overlooked "gray area" of the software supply chain: End-of-Life (EOL) software. While the industry heavily relies on CVEs to track vulnerabilities, Isaac explains how maintainer abandonment creates a vacuum where risks are present but remain undiscovered and unreported. From the origins of HeroDevs supporting AngularJS to the nuances of the EU Cyber Resilience Act (CRA), this conversation provides a practical framework for distinguishing between inherent hazards and actual risk in your dependency tree.
    Chapters:
    00:04 - CRob welcomes Isaac Wuest from HeroDevs
    00:45 - The HeroDevs origin story: How Google sunsetting AngularJS created a need for secure drop-in replacements.
    02:44 - Isaac’s path to open source: Transitioning from product management to supporting maintainers.
    04:06 - Exploring the "Gap" in CVEs: Why dictionary-based vulnerability tracking misses EOL and malicious packages.
    07:03 - The challenge of "Maintainer Attestation": Why most open source projects lack a formal EOL calendar.
    09:52 - Compliance and Risks: How EOL dependencies create blank spots for security professionals and auditors.
    11:27 - The Shark in the Tank: Using a food regulation analogy to differentiate between hazard and risk.
    13:22 - Navigating the EU Cyber Resilience Act: Preparing for increased manufacturer accountability in software.
    14:08 - Maintainer Abandonment: Identifying the moment a project stops receiving patches without formal notice.
    16:14 - Scanning for Gaps: Why standard industry tools currently struggle to provide a complete EOL picture.
    18:49 - Practical Remediation: Recommendations for researching upgrade paths using tools like endoflife.date.
    20:49 - Analyzing SBOMs: How engineers can leverage free datasets to identify and fix deep dependency risks.
    23:00 - Rapid Fire: Coffee, Star Wars, spicy food, and the favorite apocalyptic robot.
    25:01 - Final Thoughts: A call to action for educating yourself on your application's EOL exposure.

    Episode links:
    Isaac Wuest’s LinkedIn page
    HeroDevs
    Free Tool: End of Life Data Set
    Community Resource: endoflife.date
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn
  • What's in the SOSS? An OpenSSF Podcast

    Beginner to Builder: Shaping the Conversation in Open Source Security

    19-05-2026 | 25 Min.
    In this episode of What's in the SOSS, Yesenia Yser interviews cybersecurity analyst Ejiro Oghenekome about her journey from UI/UX design to becoming a key contributor to the OpenSSF. Ejiro shares the inspiration behind her public "100 Days of Cybersecurity" challenge, which has helped her maintain discipline and consistency while making the field less intimidating for beginners. She discusses how connecting with the OpenSSF community led her to the BEAR Working Group, where her authorship of the "Beginner to Builder" blog series has allowed her to move from consuming content to actively shaping the open source security conversation. Ejiro also offers advice to the next generation, emphasizing that open source contribution is not just about coding but is a welcoming space for anyone to learn and grow, regardless of their current expertise.
    Episode links:
    Ejiro (Sonia) Oghenekome LinkedIn page
    Ejiro’s GitHub page
    BEAR Working Group
    Ejiro’s OpenSSF Beginner to Builder Blog Series:Blog #1: From Beginner to Builder: Understanding OpenSSF Community and Working Groups
    Blog #2: From Beginner to Builder: Your First Code Contribution
    Blog #3: From Beginner to Builder: Free OpenSSF and Linux Foundation Education Courses

    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn
    Chapters:
    00:00 - Music, Promo clip, & Welcome
    01:11 - Ejiro details her transition from UI/UX design to cybersecurity and connecting with OpenSSF.
    03:39 - Ejiro explains her motivation for starting the 100-day challenge, including receiving advice to learn publicly and a previous rejection from an internship.
    06:49 - Ejiro shares that she is currently on day 44 and expects to complete the challenge around April.
    07:50 - Ejiro discusses her biggest personal lesson: understanding consistency and discipline, and learning from the community.
    10:45 - Ejiro describes her authorship of the "Beginner to Builder" blog series, which shifted her from consuming content to shaping the open source conversation.
    15:47 - Ejiro shares the impact of her work, noting that it has made cybersecurity feel less intimidating for beginners and helped her grow in confidence.
    18:22 - Rapid Fire Questions: Ejiro shares her preferences on books, cooking, social media, and more.
    21:13 - Ejiro offers advice to the next generation, emphasizing that open source is welcoming, not just about coding, and provides great opportunities for learning and growth.
    24:46 - Yesenia concludes the interview, thanking Ejiro for her time and contributions
Meer Technologie podcasts
Over What's in the SOSS? An OpenSSF Podcast
What's in the SOSS? features the sharpest minds in security as they dig into the challenges and opportunities that create a recipe for success in making software more secure. Get a taste of all the ingredients that make up secure open source software (SOSS) and explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessments. Each episode of What's in the SOSS? is packed with valuable insight designed to foster collaboration and promote stronger security practices for the open source software community.About Christopher Robinson (aka CRob), hostCRob is a 43rd level Dungeon Master and a 26th level Securityologist. He is a leader within several Open Source Security Foundation (OpenSSF) efforts and is a frequent speaker on cyber, application, and open source security. He enjoys hats, herding cats, and moonlit walks on the beach.
Podcast website

Luister naar What's in the SOSS? An OpenSSF Podcast, Cryptocast | BNR en vele andere podcasts van over de hele wereld met de radio.net-app

Ontvang de gratis radio.net app

  • Zenders en podcasts om te bookmarken
  • Streamen via Wi-Fi of Bluetooth
  • Ondersteunt Carplay & Android Auto
  • Veel andere app-functies