In the news, Coinbase deals with bribes and insider threat, the NCSC notes the cross-cutting problem of incentivizing secure design, we cover some research that notes the multitude of definitions for secure design, and discuss the new Cybersecurity Skills Framework from the OpenSSF and Linux Foundation. Then we share two more sponsored interviews from this year's RSAC Conference.

With more types of identities, machines, and agents trying to access increasingly critical data and resources, across larger numbers of devices, organizations will be faced with managing this added complexity and identity sprawl. Now more than ever, organizations need to make sure security is not an afterthought, implementing comprehensive solutions for securing, managing, and governing both non-human and human identities across ecosystems at scale. This segment is sponsored by Okta. Visit https://securityweekly.com/oktarsac to learn more about them!

At Mend.io, we believe that securing AI-powered applications requires more than just scanning for vulnerabilities in AI-generated code—it demands a comprehensive, enterprise-level strategy. While many AppSec vendors offer limited, point-in-time solutions focused solely on AI code, Mend.io takes a broader and more integrated approach. Our platform is designed to secure not just the code, but the full spectrum of AI components embedded within modern applications. By leveraging existing risk management strategies, processes, and tools, we uncover the unique risks that AI introduces—without forcing organizations to reinvent their workflows. Mend.io's solution ensures that AI security is embedded into the software development lifecycle, enabling teams to assess and mitigate risks proactively and at scale. Unlike isolated AI security startups, Mend.io delivers a single, unified platform that secures an organization's entire codebase—including its AI-driven elements. This approach maximizes efficiency, minimizes disruption, and empowers enterprises to embrace AI innovation with confidence and control. This segment is sponsored by Mend.io. Visit https://securityweekly.com/mendrsac to book a live demo!

Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-331
In this episode, Michael Lieberman, Co-founder and CTO of Kusari, walks us through the intersection of open source software and security. We discuss Mike's extensive involvement in OpenSSF projects like SLSA and GUAC, which provide essential frameworks for securing the software development life cycle (SDLC) and managing software supply chains. He explains how these tools help verify software provenance and manage vulnerabilities. Additionally, we explore regulatory concerns such as the Cyber Resilience Act (CRA) and the vital role of the recently released OpenSSF Security Baseline (OSPS Baseline) in helping organizations comply with such regulations. Mike also shares insights into the evolution of open source security practices, the importance of reducing complexity for developers, and the potential benefits of orchestrating security similarly to Kubernetes. We conclude with a look at upcoming projects and current pilots aiming to simplify and enhance open source security.

00:00 Introduction and Guest Welcome
00:19 Mike's Background and Role in Open Source
01:35 Exploring SLSA and GUAC Projects
04:57 Cyber Resiliency Act Overview
06:54 OpenSSF Security Baseline
11:29 Encouraging Community Involvement
18:39 Final Thoughts

Resources:
OpenSSF's OSPS Baseline
GUAC
SLSA
KubeCon Keynote: Cutting Through the Fog: Clarifying CRA Compliance in C... Eddie Knight & Michael Lieberman

Guest: Michael Lieberman is co-founder and CTO of Kusari, where he helps build transparency and security in the software supply chain. Michael is an active member of the open-source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF's Secure Software Factory Reference Architecture whitepaper. He is an elected member of the OpenSSF Governing Board and Technical Advisory Council, along with being CNCF TAG Security Lead and an SLSA steering committee member.
In this episode, we hear from Megan Knight, Director of Software Communities at Arm. Megan shares her experiences with open source projects, particularly focusing on the Yocto project, which helps build custom Linux distributions. She discusses the challenges of community management, maintaining contributor motivation, and the impact of policy changes on open source projects. The discussion also touches on the importance of corporate support in sustaining open source contributions.

00:00 Introduction and Welcome
00:52 The Yocto Project: Building Custom Linux Distributions
01:33 Managing Open Source Communities
04:20 Motivations and Challenges in Open Source Contributions
05:18 Conflict Resolution in Open Source Projects
06:59 Unexpected Use Cases in Open Source
10:03 Sustainability and Training in Open Source
18:07 The Future of Open Source in Automotive
19:18 Conclusion

Guest: Megan Knight is the Director of Software Communities at Arm, where she delightfully works with the upstream. She holds various positions on project boards including Yocto Project, UXL Foundation, Zephyr Project, and OpenSSF. Prior to Arm, she led the IoT and Automotive open source engagement portfolio at Amazon Web Services and served as the Amazon representative on critical dependency open source project boards. She got her start in open source working at The Linux Foundation with the Linux Kernel and Linux Plumbers communities.
In this episode we bring the news and updates from the programming world that caught our attention from 08/03 to 14/03.
Thank you to the folks at Sustain (https://sustainoss.org/) for providing the hosting account for CHAOSSCast!

CHAOSScast – Episode 97

In this episode of CHAOSScast, Harmony Elendu hosts a discussion with Emily Fox from Red Hat and Dawn Foster, the Director of Data Science at CHAOSS. Today, they explore the new Security Practitioner Guide created to help maintainers, who may lack deep security backgrounds, get started with essential security practices. Emily and Dawn highlight actionable steps, key trends, and simplifications to adopt in maintaining a secure project. They also touch on challenges like vulnerability reporting and the importance of consistent monitoring and updating. Additionally, the guide's flexibility, allowing customization and improvement over time, and the significance of community support are emphasized. Press download now to hear more!

[00:02:02] Dawn starts out with providing an overview of CHAOSS Project's Practitioner Guides, which help newcomers to open source understand key metrics, and mentions the current focus on the Security Guide.
[00:03:24] Dawn gives us an overview of the Security Practitioner Guide, describing it as a starting point for maintainers, particularly those without a security background.
[00:04:10] Emily emphasizes that many maintainers struggle with starting security practices and shares the two primary security focuses in open source: project security design and repository security.
[00:05:38] Harmony notes the importance of project design and patterns, asking about security trends and considerations in open source projects. Dawn mentions Libyears (dependency freshness) and Release Frequency as key security metrics, and Emily adds that OpenSSF best practices contribute to project quality and maturity.
[00:08:32] Harmony asks for insights on how contributors can interpret these metrics. Emily suggests various resources and communities, such as CNCF's tag-security, for maintainers looking to improve security.
[00:11:39] Emily discusses common issues with vulnerability reporting and the importance of having a process in place, with community resources available for support. Dawn emphasizes the importance of having basic security policies in place early on in a project and suggests starting out with a simple security.md file to outline how to handle vulnerability reports.
[00:15:47] Dawn suggests consulting the Practitioner Guide's "Make Improvements" section, which includes adding a security.md file and implementing automation to track outdated dependencies, and Emily cautions that metrics are only as effective as their relevance, recommending incremental steps for improvement.
[00:18:53] Dawn highlights the importance of the OpenSSF Scorecard, which helps both maintainers and OSPOs assess project security.
[00:20:29] Emily and Dawn simplify the Practitioner Guides into basic steps, and Emily reiterates that projects should define their own security goals and commit to them for consistent improvements.
[00:23:56] Harmony emphasizes the importance of documentation for continuity in project security, and Dawn reminds us that the Practitioner Guides are MIT-licensed and customizable for different projects.
[00:25:11] Dawn and Emily explain where you can ask questions or how to implement things in your project using the Practitioner's Guide.

Adds (Picks) of the week:
[00:26:55] Dawn's pick is 3D printing and learning how to design new things.
[00:28:02] Emily's pick is taking a break from the internet and doing something outside.
[00:28:45] Harmony's pick is creating personalized templates to help with document preparation and tasks.

Panelists: Harmony Elendu, Dawn Foster
Guest: Emily Fox

Links:
CHAOSS (https://chaoss.community/)
CHAOSS Project X (https://twitter.com/chaossproj?lang=en)
CHAOSScast Podcast (https://podcast.chaoss.community/)
podcast@chaoss.community (mailto:podcast@chaoss.community)
Harmony Elendu X (https://x.com/ogaharmony)
Dawn Foster X (https://twitter.com/geekygirldawn?lang=en)
Emily Fox LinkedIn (https://www.linkedin.com/in/themoxiefox/)
CHAOSS Practitioner Guides (https://chaoss.community/about-chaoss-practitioner-guides/)
CHAOSS Practitioner Guide: Security (https://chaoss.community/practitioner-guide-security/)
Libyears (https://chaoss.community/kb/metric-libyears/#:~:text=Libyears%20measure%20the%20cumulative%20age,pre%2Drelease%20or%20draft%20versions.)
Release Frequency (https://chaoss.community/kb/metric-release-frequency/#:~:text=A%20higher%20frequency%20of%20releases,release%20frequency%20is%20highly%20variable.)
Cloud Native Contributors Security Guidelines for New Projects (https://contribute.cncf.io/maintainers/security/security-guidelines/?__hstc=14121576.4fb61b7546863875121fa3925ca0436f.1730700856190.1730700856190.1730744858650.2&__hssc=14121576.1.1730744858650&__hsfp=3331628428)
GitHub Docs - Adding a security policy to your repository (https://contribute.cncf.io/maintainers/security/security-guidelines/?__hstc=14121576.4fb61b7546863875121fa3925ca0436f.1730700856190.1730700856190.1730744858650.2&__hssc=14121576.1.1730744858650&__hsfp=3331628428)
OpenSSF Scorecard (https://scorecard.dev/)
OpenSSF - Source Code Management Platform Configuration Best Practices (https://best.openssf.org/SCM-BestPractices/?__hstc=14121576.4fb61b7546863875121fa3925ca0436f.1730700856190.1730700856190.1730744858650.2&__hssc=14121576.1.1730744858650&__hsfp=3331628428)
CNCF tag-security: Self-assessment (https://github.com/cncf/tag-security/blob/main/community/assessments/guide/self-assessment.md)
CHAOSScast Podcast - Episode 85: Introducing CHAOSS Practitioner Guides: #1 Responsiveness (https://podcast.chaoss.community/85)
CHAOSScast Podcast - Episode 88: Practitioner Guides: #2 Contributor Sustainability (https://podcast.chaoss.community/88)
CHAOSScast Podcast - Episode 89: Practitioner Guides: #3 Organizational Participation (https://podcast.chaoss.community/89)
CHAOSScast Podcast - Episode 93: Guest Episode - Sustain meets CHAOSScast to talk about Practitioner Guides (https://podcast.chaoss.community/93)
Dawn Foster - Maker World (https://makerworld.com/en/@user_3491927221)

Special Guest: Emily Fox.
In this episode we bring the news and updates from the programming world that caught our attention from 02/11 to 08/11.
In this episode, we welcomed back Christopher Robinson, aka CRob, to discuss his extensive work in the Open Source Security Foundation (OpenSSF). We chatted about the importance of open source software security, detailing the various initiatives aimed at improving security standards. CRob shares insights into the working groups and projects within OpenSSF, focusing on their efforts to educate developers and security researchers. We also touched on the upcoming SOSS Fusion event and its role in fostering community engagement and collaboration in open source security. We encourage listeners to join these endeavors and contribute to solving significant security challenges.

00:00 Welcome Back, CRob!
00:52 Diving into Open Source Security
01:20 Understanding the OpenSSF
04:18 Key Personas in Open Source Security
09:44 Educational Resources for Developers
12:17 Getting Involved with OpenSSF Projects
15:27 Upcoming Event: SOSS Fusion
17:47 The Value of Open Source Events
21:48 Final Thoughts and Future Plans

Resources:
OpenSSF
SOSS Fusion

Guest: Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. CRob is a 41st level Dungeon Master and a 24th level Securityologist. He has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect. CRob has been a featured speaker at Gartner's Identity and Access Management Summit, RSA, BlackHat, DefCon, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He is heavily involved in the Forum for Incident Response and Security Teams (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework. CRob is also the lead/facilitator of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures and OSS Developer Best Practices working groups, as well as a Technical Advisory Committee (TAC) member. He enjoys hats, herding cats, and moonlit walks on the beach.
In this session SecurityWeek speaks to Bennett Pursell, Ecosystem Strategist at the Open Source Security Foundation (OpenSSF), about OpenSSF Siren, a community data-sharing initiative aimed at bolstering the defenses of open source projects worldwide. In this fireside chat, Pursell discusses the origins and goals of OpenSSF Siren, exploring transparent access to data that can help small- and medium-sized businesses during active incidents. Pursell also shares insights on the value of threat intelligence, the shelf life of IOCs (indicators of compromise), and how businesses with limited resources can mitigate exposure to risk.

(Recorded at SecurityWeek's 2024 Threat Detection & Incident Response Summit)

Follow SecurityWeek on LinkedIn
In this episode, John Kjell, Director of Open Source at TestifySec, discusses his involvement in various open source projects and the intricacies of maintaining such projects. John sheds light on his work with the CNCF and OpenSSF, and the impact of tools like Witness, Archivista, and SLSA. He outlines the challenges maintainers face, especially around security, and offers insights into balancing professional and personal responsibilities. John also explores the significance of community, inclusivity, and a secure developer identity in open source ecosystems.

00:00 Introduction and Guest Background
01:20 Maintainer Burnout and Security Challenges
04:41 Balancing Multiple Projects and Personal Life
07:15 Security Risks in Smaller Projects
10:13 Developer Identity and Reputation
19:37 Open Source Origin Story and Community Involvement
24:11 Optimism for the Future of Open Source Security

Resources:
Enhancing Open Source Security: Introducing Siren by OpenSSF – Open Source Security Foundation
Security at Every Step: Why Software Supply Chains Are Critical

Guest: John Kjell is responsible for open source at TestifySec, a software supply chain security startup. He is a maintainer for the Witness and Archivista sub-projects under in-toto. Additionally, John is an active contributor to CNCF's TAG Security and multiple projects within the OpenSSF. Before TestifySec, John was an engineering leader at VMware, helping to bring supply chain security features to the Tanzu Application Platform.
Sarah Christoff discusses her experiences and challenges as an open source maintainer, with a focus on her work with the Porter and Zarf projects. Sarah shares insights into the frustrations and isolation often felt by maintainers, and emphasizes the importance of community and human connections in navigating these roles. We chatted about Porter and its function in simplifying complex DevOps tool integrations. Additionally, Sarah talks about Zarf, a project recently donated to the OpenSSF aimed at facilitating air-gapped Kubernetes deployments.

00:00 Introduction
01:29 Challenges of Being an Open Source Maintainer
03:12 The Human Element in Software Development
05:45 Advice for Aspiring Maintainers
08:42 The Porter Project
11:10 The Zarf Project
13:09 The Importance of Community in Open Source
15:31 Women in Tech and Role Models
21:45 Animal Rescue and Community Building
26:10 Final Thoughts and Hot Takes on Open Source

Guest: Sarah Christoff is a software engineer at Defense Unicorns who loves making complex code more digestible. She is the self-proclaimed founder of the Leslie Lamport fan club. When she's not bugbusting, she is running her animal rescue and competing in triathlons. She believes code should be like cats: intelligent, fluffy, and easy to take care of.
- For those that don't know you or haven't come across you quite yet, can you tell us a bit about your background in tech/cyber and your role with GitHub?
- What exactly is the GitHub Advisory Database and what is the mission of the team there?
- There's been a big focus on vulnerability databases, especially lately with some of the challenges of the NVD. What role do you see among the other vulnerability databases in the ecosystem, including GHAD, and how does it fit into the ecosystem?
- GitHub has a very unique position, being the most widely used development platform in the world, boasting millions of users. How do you all use that position and the insights from it to help drive vulnerability awareness across the ecosystem?
- There's been a large focus on software supply chain security, including securing OSS. What are your thoughts on these trends and some ways we can combat these risks?
- You're also involved with the CVE program; can you tell us about that?
- We know you collaborate with another group, out of OpenSSF, known as the Vulnerability Disclosure Working Group. What does that group do and what role do you play?
Guests:
Omkhar Arasaratnam, General Manager, OpenSSF [@openssf]
On LinkedIn | https://www.linkedin.com/in/omkhar/
Adrianne Marcum, Technical Project Manager, OpenSSF [@openssf]
On LinkedIn | https://www.linkedin.com/in/adriannefranscinimarcum
Arun Gupta, VP/GM Open Ecosystem at Intel, Governing Board Chair, OpenSSF [@openssf]
On LinkedIn | https://www.linkedin.com/in/arunpgupta/
On Twitter | https://twitter.com/arungupta
Christopher Robinson, Chairperson of the Technical Advisory Council, OpenSSF [@openssf]
On LinkedIn | https://www.linkedin.com/in/darthcrob/

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Episode Notes

In a comprehensive exploration of software supply chain security within the open-source arena, the latest episode of the Redefining CyberSecurity Podcast, hosted by Sean Martin, convenes notable figures from the Open Source Security Foundation (OpenSSF).

This discussion unveils the critical mission of OpenSSF, led by Omkhar Arasaratnam, the General Manager, emphasizing the foundation's endeavor to bolster security across open source software utilized in over 90% of commercial applications. Adrianne Marcum, OpenSSF's Technical Project Manager, and Arun Gupta, Vice President at Intel and the Governing Board Chair for OpenSSF, delve into the pioneering strategies for enhancing open source security, incident response, and the essence of collaborative efforts bridging the gap between the private sector and public initiatives. Christopher Robinson, chairperson of the Technical Advisory Council, provides insight into the ubiquitous integration of open source in technology, from consumer electronics to critical infrastructure, underlining the universal stake in securing this landscape.

The episode also spotlights the pressing need for community involvement in securing open source ecosystems, highlighting OpenSSF's initiatives in education, repository security, and the creation of standards for safer open source software deployment. The episode also touches on the collaborative efforts between private and public sectors to address security challenges in open source projects. Further discussions illuminate the initiative by OpenSSF to improve incident response and education within the open source community. There's even a shout-out to Allan Friedman and Bob Lord from the Cybersecurity and Infrastructure Security Agency (CISA).

The call to action for listeners encapsulates the essence of contributing to a broader community effort, underscoring the pivotal role each individual plays in advancing the security and integrity of open source software worldwide. The group encourages listeners to join the OpenSSF's mission by contributing to their diverse projects and working groups, reinforcing the idea that securing open source software is not just critical but achievable through collective effort.

Key Questions Addressed
What is OpenSSF and its mission?
How does OpenSSF address software supply chain security?
What role does community engagement play in securing open source software?
The Cybercrime Magazine Podcast brings you daily cybercrime news on WCYB Digital Radio, the first and only 7x24x365 internet radio station devoted to cybersecurity. Stay updated on the latest cyberattacks, hacks, data breaches, and more with our host. Don't miss an episode, airing every half-hour on WCYB Digital Radio and daily on our podcast. Listen to today's news at https://soundcloud.com/cybercrimemagazine/sets/cybercrime-daily-news. Brought to you by our Partner, Evolution Equity Partners, an international venture capital investor partnering with exceptional entrepreneurs to develop market leading cyber-security and enterprise software companies. Learn more at https://evolutionequity.com
This week we are joined by Maria Varmazis, host of the N2K daily space show, T-Minus. Maria shares an interesting story from Canada on a gentleman who thought he was calling Best Buy's Geek Squad, but instead ended up getting scammed out of $25,000. Dave and Joe share quite a bit of listener follow-up: the first one is from Raul, who shares how they saw an infamous Facebook scam. The second one is from listener Alec, who shares some thoughts on episode 286's catch of the day. Lastly, Paula shares some thoughts on a recent discussion on why people are on the phone when a flight gets cancelled. Joe brings back answers to an old scam featured on an episode back in January on toll scams, as well as sharing how the OpenSSF and OpenJS Foundations have issued an alert for social engineering takeovers of open source projects. Dave shares updates on the ex-athletic director accused of framing a principal with AI and how he was arrested at the airport with a gun. Our catch of the day comes from listener Kenneth, who shares an email from a "doctor" who has puppies for sale.

Please take a moment to fill out an audience survey! Let us know how we are doing!

Links to the stories:
An Ontario senior thought he called Geek Squad for help with his printer. Instead, he got scammed out of $25,000
Smishing Scam Regarding Debt for Road Toll Services
Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects
Ex-athletic director accused of framing principal with AI arrested at airport with gun

You can hear more from the T-Minus space daily show here.
Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com.
How can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphy adds how his experience with OWASP and the appsec community motivated him to create Crash Override and help projects like ZAP gain the support they deserve. Segment resources: https://crashoverride.com/blog/welcome-zap-to-the-open-source-fellowship https://www.zaproxy.org https://crashoverride.com/blog/are-there-too-many-bubbles-of-similar-security-efforts CISA chimes in on the XZ Utils backdoor, PuTTY's private keys and maintaining a secure design, LeakyCLI and maintaining secure secrets in CSPs, LLMs and exploit generation, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-282
How can open source projects find a funding model that works for them? What are the implications with different sources of funding? Simon Bennetts talks about his stewardship of Zed Attack Proxy and its journey from OWASP to OpenSSF to an Open Source Fellowship with Crash Override. Mark Curphy adds how his experience with OWASP and the appsec community motivated him to create Crash Override and help projects like ZAP gain the support they deserve. Segment resources: https://crashoverride.com/blog/welcome-zap-to-the-open-source-fellowship https://www.zaproxy.org https://crashoverride.com/blog/are-there-too-many-bubbles-of-similar-security-efforts Show Notes: https://securityweekly.com/asw-282
This week, we learn about the HashPack $PACK whitepaper, Swirlds Labs' new CEO, Hedera's new membership in the OpenSSF, Dany Eid's return, and thoughts on TPS. Plus, Uniswap vs. the SEC, HashPort funding, Bonzo Finance, SaucerSwap milestones, billions in RWAs on Hedera, and a community meetup? Stay tuned for big updates to the show.
Josh and Kurt talk about the recent events around XZ. It's only been a few days, and it's amazing what we already know. We explain a lot of the basics we currently know, with the expectation that many of these details will change quickly over the coming week. We can't fix this problem as it stands; we don't know where to start yet. But that's not a reason to lose hope. We can fix this if we want to, but it won't be flashy, it'll be hard work. Show Notes: GossiTheDog's Blog Post; fr0gger diagram; OpenSSF Blog (archive); stb library
The GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more! Show Notes: https://securityweekly.com/asw-278
One of the biggest failures in appsec is an attitude that blames users for security problems. A lot of processes and workflows break down because of an insecure design or insecure defaults. Benedek Gagyi chats with us about the impact of the user experience (UX) on security and why it's not only important to understand how to make a user's life easier, but in defining who that user is in the first place. Segment resources: https://www.usenix.org/conference/8th-usenix-security-symposium/why-johnny-cant-encrypt-usability-evaluation-pgp-50 The GoFetch side channel in Apple CPUs, OpenSSF's plan for secure software developer education, fuzzing vs. formal verification as a security strategy, hard problems in InfoSec (and AppSec), and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-278
Thank you to the folks at Sustain (https://sustainoss.org/) for providing the hosting account for CHAOSSCast! CHAOSScast – Episode 77 In this episode of CHAOSScast, host Dawn Foster has a compelling discussion with three guests from Microsoft's Open Source Programs Office: Emma Irwin, James Siri, and Justin Gosses. The conversation includes how Microsoft measures the health of open source communities, their experiences with the CHAOSS Community, and the critical role of open source within the organization. Topics such as use of metrics, tackling security issues within scaling, and the future of metrics within the company were discussed. Also, they talk about the value of open source contributions within the business, the role of internal communities, and how they track and improve processes at Microsoft, emphasizing the importance of open source impact both externally and internally. Download this episode now to hear more! [00:00:24] Emma, James, and Justin share their backgrounds with us. [00:01:53] Emma discusses Microsoft's multi-tier approach to metrics, focusing on maintainers' value to products and communities, component intelligence, and engineering standards on GitHub. [00:04:06] James elaborates on his focus on GitHub metrics, the development of policy and tooling for security, and simplifying developers' workflow. [00:04:51] Justin categorizes metrics into those for maintainers, for management, and for developers making decisions on dependencies. He talks about challenges in managing the scale of data from 13,000 repositories and the importance of security metrics. [00:05:37] Emma discusses an experiment with the OpenSSF scorecard for repository security and the effort to motivate improvements in this area. She highlights the challenges of instilling these practices as part of the culture. 
[00:07:30] Justin sees opportunities to combine CHAOSS metrics with secure supply chain efforts, aiming to aid developers in making informed decisions about dependencies and warning them of potential risks. [00:09:11] Dawn asks about the challenges of scaling metrics and managing the vast number of dependencies. Justin responds by describing an experience focused on aiding developers at the start of a project, helping them make data-informed choices about a few key dependencies. [00:12:51] Emma adds that from the Open Source Programs Office (OSPO) perspective, having a dashboard to direct inquiries is very helpful. James mentions that the dashboard also provides an easy way to surface security guidance. [00:13:27] The conversation shifts to Dawn asking about the business aspect of open source within Microsoft and how they measure this impact. James responds that open source is integral to Microsoft's software development approach, aiming to build an internal community and avoid duplicating solutions. He also discusses the importance of Software Bills of Materials (SBOMs) for security and supply chain transparency. [00:16:00] Emma elaborates on the internal value of external open source contributions, sharing how they help maintainers demonstrate the business impact during reviews. [00:17:14] Dawn inquires about the future direction for Microsoft regarding metrics and measurement. Justin touches on exploring the area of funding, aiming to improve conversations about financial contributions to open source projects and achieving better return on investment. [00:19:10] James mentions that their package selection work for developers has been inspired by CHAOSS metrics, suggesting that these insights be shared in OSPO working group meetings. Value Adds (Picks) of the week: [00:19:34] Dawn's pick is getting her permanent residency approval allowing her to live in the UK without any restrictions.
[00:19:59] Emma's pick is taking a break over the holidays and being outside as much as possible. [00:20:33] Justin's pick is a book he enjoyed reading called Elinor Ostrom: An Intellectual Biography. [00:21:19] James's pick is reconnecting with art and music as an avenue for self-expression. Panelist: Dawn Foster Guests: Emma Irwin Justin Gosses James Siri Links: CHAOSS (https://chaoss.community/) CHAOSS Project X/Twitter (https://twitter.com/chaossproj?lang=en) CHAOSScast Podcast (https://podcast.chaoss.community/) podcast@chaoss.community (mailto:podcast@chaoss.community) Georg Link Website (https://georg.link/) Dawn Foster X/Twitter (https://twitter.com/geekygirldawn?lang=en) Emma Irwin LinkedIn (https://www.linkedin.com/in/emmamirwin/) James Siri LinkedIn (https://www.linkedin.com/in/james-siri/) Justin Gosses LinkedIn (https://www.linkedin.com/in/justingosses/) Justin Gosses Website (https://justingosses.com/) OSS Project Viability: Compliance + Security (https://chaoss.community/kb/metrics-model-oss-project-viability-compliance-security/) Elinor Ostrom: An Intellectual Biography by Vlad Tarko (https://books.google.com/books/about/Elinor_Ostrom.html?id=01TysgEACAAJ) Special Guests: Emma Irwin, James Siri, and Justin Gosses.
Josh and Kurt talk about package identifiers. We break this down in the context of an OpenSSF response to a CISA paper on software identification. The identifiers that get all the air time are purl, CPE, SWID, and OmniBOR. This is a surprisingly complex problem space. It feels easy, but it's not. Show Notes: OpenSSF CISA response; purl; CPE; OmniBOR; SWID
Mark Esler is our special guest on the podcast this week to discuss the OpenSSF's Compiler Options Hardening Guide for C/C++ plus we cover vulnerabilities and updates for GIMP, FreeRDP, GStreamer, HAProxy and more.
In the rapidly evolving landscape of application security, 2023 brought significant changes with the rise of generative AI tools and an increase in automated threats. In this discussion, Karl Triebes takes a deep dive into the major trends of the past year, examining their impact on the industry and shedding light on what security professionals can anticipate moving forward into 2024. This segment is sponsored by Imperva. Visit https://securityweekly.com/imperva to learn more about them! CNCF releases a handbook on fuzzing, OpenSSF and OWASP respond to CISA's Open Source Software Security RFI, 14 years of Go, lessons for today from an internet worm from 35 years ago, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-263
CNCF releases a handbook on fuzzing, OpenSSF and OWASP respond to CISA's Open Source Software Security RFI, 14 years of Go, lessons for today from an internet worm from 35 years ago, and more! Show Notes: https://securityweekly.com/asw-263
In this episode of the Open at Intel podcast, host Katherine Druckman sits down with Nithya Ruff, the head of Amazon's Open Source Program Office. They discuss the importance of upstream contributions, improving collective security posture, and the fast-paced world of AI. Nithya shares insights on how Amazon embraces open source across the company, making it easy for developers to work with open source and ensuring the platform is open source-friendly for customers. They also explore the concept of ownership in open source and the responsibilities that come with it. Nithya emphasizes the need for companies to be good citizens of the open source community and highlights the role of organizations like the OpenSSF in coordinating efforts and creating standards. They discuss the challenges of prioritizing resources for upstream work and share practical advice on how to approach it. The conversation also touches on the importance of security in open source, especially in the context of AI, and the need for collaboration and standardization in this rapidly evolving field. Throughout the episode, Nithya and Katherine express their enthusiasm for open source and their optimism in its ability to solve complex problems and drive innovation. Guest: Nithya A. Ruff is the Head of Amazon's Open Source Program Office. Open source has proven to be one of the world's most prolific enablers of innovation and collaboration, and Amazon's customers increasingly value open source innovation and the cloud's role in helping them adopt and run important open source services. She drives open source culture and coordination inside of Amazon and engagement with external communities. Prior to Amazon, she started and grew Comcast's and Western Digital's Open Source Program Offices. Open Source Program Offices are a critical part of a company's digital transformation and innovation journey.
Nithya has been director-at-large on the Linux Foundation Board for the last 5 years and in 2019 was elected Chair of the influential Linux Foundation Board. She works actively to advance the mission of the Linux Foundation around building sustainable ecosystems that are built on open collaboration. She is a passionate advocate and speaker for opening doors to new and diverse people in technology and can often be seen speaking and writing on this topic. Nithya graduated with an M.S. in Computer Science from NDSU and an MBA from the University of Rochester, Simon Business School, and is an aspiring corporate board director and governance enthusiast. You can follow her on Twitter @nithyaruff and find her on https://www.linkedin.com/in/nithyaruff/
Ahead of the AI Cyber Challenge (AIxCC) Open Track registration period, which begins later this year, this episode of Voices from DARPA features Perri Adams, DARPA's program manager for the competition. Over the next two years, AIxCC will challenge teams to develop AI-driven systems to automatically find and correctly fix the critical code that underpins daily life. Adams shares the backstory of AIxCC, discusses who she wants to compete (and why), and what's at stake for cybersecurity. Adams is joined by AIxCC collaborators from the Open Source Security Foundation (OpenSSF), a project of the Linux Foundation, and OpenAI. OpenSSF's general manager Omkhar Arasaratnam and OpenAI's head of security Matt Knight discuss their roles in the challenge and impart advice to potential competitors. For information on how to register to compete in the AI Cyber Challenge, visit AICyberChallenge.com.
What happens when a gaming enthusiast transitions into the world of tech, data science, and community management? That's the intriguing journey we explore with Chuck Ting Hall, a Community Manager at OpenSSF and prolific contributor to various tech libraries. From her early love for gaming, Chuck's passion for technology took a unique turn, leading her down a path that merges the worlds of academia and business. Chuck Ting's story begins where most of us find ourselves: at a crossroads. Trying to choose a career path is never easy, and her decision to delve into either Physics or Computer Science was no different. Listen in as she navigates the pressure of academia, shares her struggles of being a scientist in a business-centric place like Hong Kong, and candidly discusses how family expectations factored into her choices. Chuck also takes us through her experiences of working in odd places like an ad company and a theme park, before ultimately finding her niche in the tech world. As Chuck's narrative unfolds, she candidly discusses her first conference talk proposal, her battle with imposter syndrome, and the importance of community in honing professional skills. From submitting conference talk proposals, to transitioning her career from data science to community management, the challenges of visa applications, and becoming an active contributor in the tech community, Chuck's story is a testament to resilience, passion, and the power of community. So, whether you're a tech enthusiast, a student caught between choices, or someone seeking to transition careers, let Chuck Ting Hall's journey inspire and guide you to embrace your passion in technology.
Even as a developer or technologist, adopting a marketing mindset can help you create magic in your communities and projects. Open source marketing and community leader, Lori Lorusso, joins us to give us some tips for improving communication, getting the word out, and capturing that special sauce that leads to success. Guest: Lori Lorusso has a passion and enthusiasm for working with the developer community and has traveled across the globe speaking at and attending conferences and community events advocating on behalf of developers. Lori was elected 2023 Marketing Chair of the CNCF, appointed Chair of the CDF Outreach Committee, is the program chair of cdCon, and is active in the OpenSSF outreach committee. She is a co-organizer of VJUG and frequently volunteers to support other JUGs at virtual and in person events. She co-hosts the CD Pipeline on behalf of the CDF with TechstrongTV. She is committed to helping open source and other tech communities grow and adapt in our ever changing environment.
Communication is a skill that doesn't appear on top 10 lists, rarely appears as a conference topic, and doesn't appear enough on job requirements. Yet communication is one of the critical ways that security teams influence developers, convey risk, and share knowledge with others. Even our own Security Weekly site falls a little short with only a podcast category for "Training" instead of more options around communication and collaboration. Lina shares her experience presenting to executives and boards in high-stress situations, as well as training incident responders on real-world scenarios. Segment resources https://training.xintra.org https://www.scmagazine.com/podcast-episode/2839-pointers-and-perils-for-presentations-josh-goldberg-asw-251 In the news segment, attackers impersonate Dependabot commits, an alg of "none" plagues a JWT, CISA calls for hardware bills of materials, OpenSSF lists its critical projects, Exim (finally! maybe?) has some patches, bug bounties and open source projects, and more! Visit https://securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/secweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/asw-257
Attackers impersonate Dependabot commits, an alg of "none" plagues a JWT, CISA calls for hardware bills of materials, OpenSSF lists its critical projects, Exim (finally! maybe?) has some patches, bug bounties and open source projects, and more! Show Notes: https://securityweekly.com/asw-257
The OpenSSF is doing invaluable work for the cybersecurity community. And their new managing director happens to be Omkhar Arasaratnam, whose appearance on the show a while back created one of our most popular episodes ever! Omkhar is back to talk about the OpenSSF: What is the OpenSSF and how does it relate to the Linux Foundation? What is the organization's mission? What is the organization's vision? What exciting projects are taking place (and a sneak peek at some upcoming announcements at Black Hat!)? What mark do you want to leave on the OpenSSF as Managing Director? Omkhar is an expert in DevOps and CI/CD. He is an expert in security. His passion is supply chain security. You can see where all of this can come together in his new role and make amazing things happen for your industry. Y'all enjoy, and y'all be good now!
Josh and Kurt talk about some of the efforts to measure and understand open source. There are projects like the OpenSSF Scorecard. We want to measure open source for some idea of quality. Is AI-generated code better than a random open source project found on GitHub? Can we track the countries contributors are from? These are all interesting problems that everyone will have to deal with soon. Show Notes: OpenSSF Scorecard
Episode sponsors: Binarly (https://binarly.io) FwHunt (https://fwhunt.run) New General Manager of the Open Source Security Foundation (OpenSSF) Omkhar Arasaratnam joins Ryan for a candid conversation on the challenges surrounding open-source software security, lessons from the Log4j crisis, the value of SBOMs, and the U.S. government efforts at securing America's software supply chains.
Without visibility and continuous monitoring, dangerous threats expose our blind spots and create risk. Invicti, who brought together Acunetix and Netsparker, analyzes common web application vulns across thousands of assets yearly and releases the Invicti AppSec Indicator for a holistic view of vulnerability trends from automated scan results. In this talk, Invicti Director of Product Patrick Vandenberg shares a deep dive into the trends currently impacting AppSec programs and discusses some of the best practices that will help organizations achieve efficiencies in their programs. Segment Resources: - [AppSec Indicator Spring 2023 edition | Invicti](https://www.invicti.com/clp/appsec-indicator/?utm_medium=contentsyn&utm_source=sc_media&utm_campaign=i-syn_CRA-ASW-Jun2023&utm_content=230424-ga_spring-appsec-indicator&utm_term=brand) This segment is sponsored by Invicti. Visit [securityweekly.com/invicti](https://securityweekly.com/invicti) to learn more about them! In the news, two XSS vulns via postMessage methods in Azure, how to choose (and move on from) a web research topic, OpenSSF finances a security developer-in-residence for Python, more infosec myths, free cybersecurity training resources. Visit [securityweekly.com/asw](https://securityweekly.com/asw) for all the latest episodes! Follow us on Twitter: [@SecWeekly](https://www.twitter.com/secweekly) Like us on Facebook: [facebook.com/secweekly](https://www.facebook.com/secweekly) Show Notes: https://securityweekly.com/asw-245
Two XSS vulns via postMessage methods in Azure, how to choose (and move on from) a web research topic, OpenSSF finances a security developer-in-residence for Python, more infosec myths, free cybersecurity training resources. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-245
You are now at the Open Source Security Foundation, but you have a ton of experience (even as a former IBMer) from Google, to JPMorgan, and financial institutions through architecture, management, and engineering. Can you talk a little bit about your leadership journey? Let's dig into OpenSSF a bit more. We're only seeing an increase in software supply chain attacks; what is driving the OpenSSF, and are there any particular threats you're concerned with at the moment? We know the OpenSSF has focused heavily on securing OSS and the ecosystem and even launched the OSS Security Mobilization Plan. Are you able to talk a bit about that plan and what it hopes to accomplish? OpenSSF is obviously one of several organizations, such as OWASP and others, helping to provide valuable resources to the industry to tackle these challenges. Are you able to speak about any active collaborations with other organizations, institutions, academia, etc., or how organizations can look to collaborate with the OpenSSF? You are also a Fellow at the Center for Cybersecurity at the NYU Tandon School. Both Chris and I are also Fellows (at different organizations); can you talk a little bit about what a Fellow does and how you got involved? Where can organizations really start, though? With so many vulnerabilities, libraries, dependencies, and software and infrastructure to manage, it is incredibly cumbersome for organizations to get a handle on what to work on first. Where do software teams start? Coming off of Father's Day, I noticed your LinkedIn tagline leads with Dad and Husband. How have you found success in balancing those critical roles and responsibilities while still pursuing your professional endeavors and aspirations? What does cyber resiliency mean to you?