
What's in the SOSS? An OpenSSF Podcast

OpenSSF
Latest episode

49 episodes

  • What's in the SOSS? An OpenSSF Podcast

    2025 Year End Wrap Up: Celebrating 5 Years of Open Source Security Impact!

    30-12-2025 | 27 Min.
    Join co-hosts CRob and Yesenia for a special season finale celebrating OpenSSF's fifth anniversary and recapping an incredible year of innovation in open source security! From launching three free educational courses on the EU Cyber Resilience Act, AI/ML security, and security for software development managers, to the groundbreaking DARPA AI Cyber Challenge where competitors achieved over 90% accuracy in autonomous vulnerability discovery, 2025 has been transformative. We reflect on standout interviews with new OpenSSF leaders Steve Fernandez and Stacey, deep dives into game-changing projects like the Open Source Project Security Baseline and AI model signing, and the vibrant community conversations around SBOM, supply chain security, and developer education. With nearly 12,000 total podcast downloads and exciting Season 3 plans including AI Cyber Challenge competitor interviews, CFP writing workshops, and expanded global community initiatives in Africa, we're just getting started. Tune in for behind-the-scenes insights, friendly competition stats on our most popular episodes, and a sneak peek at what's coming in 2026!

    Chapters:
    00:00 - Celebrating OpenSSF's Fifth Anniversary
    02:52 - Educational Growth and New Initiatives
    05:51 - Community Voices and Leadership Changes
    08:45 - The Role of Community Manager
    11:44 - Open Source Project Security Baseline
    14:47 - AI and Machine Learning in Open Source
    17:47 - Software Bill of Materials (SBOM) Discussions
    20:34 - Podcast Highlights and Listener Engagement
    22:26 - Looking Ahead to Season Three
    Episode links:
    Yesenia Yser on LinkedIn
    Christopher Robinson on LinkedIn
    OpenSSF Free Courses:
    LFD 125 - Security for Software Development Managers
    LFEL 1001 - Understanding the EU Cyber Resilience Act
    LFEL 1012 - Secure AI/ML Driven Development

    OpenSSF What’s In The SOSS Podcast Episodes:
    Podcast #27 – S2E04 Enterprise to Open Source: Steve Fernandez’s Journey to the OpenSSF
    Podcast #29 – S2E06 Showing Up Fully: Meet OpenSSF’s new Community Manager, Stacey Potter
    Podcast #25 – S2E02 Empowering Security: Yesenia Yser on Open Source, AI, and Personal Branding
    Podcast #44 – S2E21 A Deep Dive into the Open Source Project Security (OSPS) Baseline
    Podcast #36 – S2E13 From Compliance to Community: Meeting CRA Requirements Together
  • What's in the SOSS? An OpenSSF Podcast

    Teaching the Next Generation: Software Supply Chain Security in Academia with Justin Cappos

    16-12-2025 | 22 Min.
    On this episode of "What's in the SoSS," Yesenia Yser sits down with Justin Cappos, NYU professor and self-described "OG software supply chain guy" who's been working in this space since 2002. Justin reveals why most universities fail to teach fundamental security practices—from MFA to code signing—and how his groundbreaking software supply chain security course is creating some of the top 500 most qualified professionals in the world. We discuss the challenges of keeping curriculum current in a rapidly evolving field, the "throw them in the deep end" approach to teaching open source collaboration, and Justin's vision for transforming security education across institutions nationwide through the Linux Foundation's Academic Computing Acceleration Program.

    Episode links:
    Justin Cappos NYU Professor Page
    NYU Tandon School of Engineering
    Linux Foundation Academic Computing Accreditation
    OpenSSF Education
    CNCF Tag Security
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn

    Chapters
    00:24 - Introduction & Guest Welcome
    01:49 - The SolarWinds Effect
    02:01 - Aligning with Linux Foundation's Academic Program
    04:06 - Critical Gaps in Traditional CS Education
    06:35 - Teaching Open Source Culture
    10:45 - Career Impact & Student Success
    13:52 - Adapting to AI & Rapid Industry Change
    16:30 - Vision for the Next 5-10 Years
    19:52 - Rapid Fire Round
    20:52 - Final Advice & Closing
  • What's in the SOSS? An OpenSSF Podcast

    Securing the Future: AI, Open Source, and Collaboration with Jay White (Microsoft)

    02-12-2025 | 25 Min.
    Jay White, a leader in the open source ecosystem at Microsoft, discusses his journey into open source, focusing on AI and machine learning. He highlights his role in the Azure office of the CTO, working on open source, security, and AI standards. White emphasizes the importance of model signing and transparency in AI development, mentioning ongoing work in the OpenSSF and Coalition for Secure AI (CoSAI). He encourages community involvement, noting the need for standardization in AI supply chain security and the nuanced challenges of cultural representation in AI models. White also shares his passion for community building and the importance of continuous learning in AI and machine learning.

    Episode links:
    Jautau “Jay” White LinkedIn page
    OpenSSF AI/ML Working Group
    Coalition for Secure AI (CoSAI)
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn

    Chapters:
    Introduction & Jay’s Background (00:19)
    Jay’s Journey into Open Source (02:29)
    AI & Machine Learning Working Group (06:32)
    Supply Chain Security & Model Signing (09:17)
    Joining & Contributing to Open Source Efforts (13:16)
    Challenges and Opportunities in AI Security (15:39)
    Building Inclusive & Diverse AI Systems (18:30)
    Rapid Fire & Final Thoughts (21:18)
  • What's in the SOSS? An OpenSSF Podcast

    SBOM Chaos and Software Sovereignty: The Hidden Challenges Facing Open Source with Stephanie Domas (Canonical)

    19-11-2025 | 26 Min.
    Stephanie Domas, Canonical's Chief Security Officer, returns to What's in the SOSS to discuss critical open source challenges. She addresses the issues of third-party security patch versioning, the rise of software sovereignty, and how custom patches break SBOMs. Domas also explains why geographic code restrictions contradict open source principles and what the EU's Cyber Resilience Act (CRA) means for enterprises. She highlights Canonical's work integrating memory-safe components like sudo-rs into the next Ubuntu LTS. This episode challenges assumptions about supply chain security, software trust, and the future of collaborative development in a regulated world.

    Chapters:
    00:00 - Welcome
    01:49 - Memory safety revolution
    02:00 - Black Hat reflections
    03:48 - The SBOM versioning crisis
    06:23 - Semantic versioning falls apart
    10:06 - Software sovereignty exposed
    12:33 - Trust through transparency
    14:02 - The insider threat parallel
    17:04 - EU CRA impact
    18:50 - The manufacturer gray area
    21:08 - The one-maintainer problem
    22:51 - Will regulations kill open source adoption?
    24:43 - Call to action
    Episode links:
    Stephanie Domas LinkedIn page
    Canonical
    Ubuntu
    OpenSSF Global Cyber Policy Working Group (CRA & policy/standards resources)
    WiTS Podcast #18 - Canonical’s Stephanie Domas and Security Insight from a Self-Described “Tinkerer”
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn
  • What's in the SOSS? An OpenSSF Podcast

    A Deep Dive into the Open Source Project Security (OSPS) Baseline

    04-11-2025 | 32 Min.
    In this episode of "What's in the SOSS," CRob, Ben Cotton, and Eddie Knight discuss the Open Source Project Security Baseline. This baseline provides a common language and control catalog for software security, enabling maintainers to demonstrate their project's security posture and fostering confidence in open source projects. They explore its integration with other OpenSSF projects, real-world applications like the GUAC case study, and its value to maintainers and stakeholders. The role of documentation in security is emphasized, ensuring secure software deployment. The effectiveness of the baseline is validated through real-world applications and refined by community feedback, with future improvements focusing on better tooling and compliance mapping.

    Episode Chapters
    00:00 - Welcome & Introductions
    02:40 - Understanding the Open Source Project Security Baseline
    05:54 - The Importance of Defining a Security Baseline
    08:49 - Integrating Baseline with Other OpenSSF Projects
    11:42 - Real-World Applications: The GUAC Case Study
    14:21 - Value for Maintainers and Other Stakeholders
    17:29 - The Role of Documentation in Security
    20:37 - Future Directions for the Baseline and Orbit
    23:26 - Community Engagement and Feedback

    Episode links:
    Ben Cotton’s LinkedIn page
    Eddie Knight’s LinkedIn page
    OSPS Baseline website
    OSPS Baseline github
    OSPS Baseline slack
    OSPS ORBIT Working Group
    OpenSSF Tech Talk: How to use the OSPS Baseline to Better Navigate Standards and Regulations
    Gemara project
    GUAC project
    Get involved with the OpenSSF
    Subscribe to the OpenSSF newsletter
    Follow the OpenSSF on LinkedIn

About What's in the SOSS? An OpenSSF Podcast

What's in the SOSS? features the sharpest minds in security as they dig into the challenges and opportunities that create a recipe for success in making software more secure. Get a taste of all the ingredients that make up secure open source software (SOSS) and explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessments. Each episode of What's in the SOSS? is packed with valuable insight designed to foster collaboration and promote stronger security practices for the open source software community.

About Christopher Robinson (aka CRob), host
CRob is a 43rd level Dungeon Master and a 26th level Securityologist. He is a leader within several Open Source Security Foundation (OpenSSF) efforts and is a frequent speaker on cyber, application, and open source security. He enjoys hats, herding cats, and moonlit walks on the beach.
Podcast website
