What's in the SOSS? An OpenSSF Podcast

OpenSSF

Available episodes

5 results (47)
  • Securing the Future: AI, Open Source, and Collaboration with Jay White (Microsoft)
    Jay White, a leader in the open source ecosystem at Microsoft, discusses his journey into open source, focusing on AI and machine learning. He highlights his role in the Azure office of the CTO, working on open source, security, and AI standards. White emphasizes the importance of model signing and transparency in AI development, mentioning ongoing work in the OpenSSF and Coalition for Secure AI (CoSAI). He encourages community involvement, noting the need for standardization in AI supply chain security and the nuanced challenges of cultural representation in AI models. White also shares his passion for community building and the importance of continuous learning in AI and machine learning.
    Episode links:
      Jautau “Jay” White LinkedIn page
      OpenSSF AI/ML Working Group
      Coalition for Secure AI (CoSAI)
      Get involved with the OpenSSF
      Subscribe to the OpenSSF newsletter
      Follow the OpenSSF on LinkedIn
    Chapters:
      Introduction & Jay’s Background (00:19)
      Jay’s Journey into Open Source (02:29)
      AI & Machine Learning Working Group (06:32)
      Supply Chain Security & Model Signing (09:17)
      Joining & Contributing to Open Source Efforts (13:16)
      Challenges and Opportunities in AI Security (15:39)
      Building Inclusive & Diverse AI Systems (18:30)
      Rapid Fire & Final Thoughts (21:18)
    Duration: 25:32
  • SBOM Chaos and Software Sovereignty: The Hidden Challenges Facing Open Source with Stephanie Domas (Canonical)
    Stephanie Domas, Canonical's Chief Security Officer, returns to What's in the SOSS to discuss critical open source challenges. She addresses the issues of third-party security patch versioning, the rise of software sovereignty, and how custom patches break SBOMs. Domas also explains why geographic code restrictions contradict open source principles and what the EU's Cyber Resilience Act (CRA) means for enterprises. She highlights Canonical's work integrating memory-safe components like sudo-rs into the next Ubuntu LTS. This episode challenges assumptions about supply chain security, software trust, and the future of collaborative development in a regulated world.
    Chapters:
      00:00 - Welcome
      01:49 - Memory safety revolution
      02:00 - Black Hat reflections
      03:48 - The SBOM versioning crisis
      06:23 - Semantic versioning falls apart
      10:06 - Software sovereignty exposed
      12:33 - Trust through transparency
      14:02 - The insider threat parallel
      17:04 - EU CRA impact
      18:50 - The manufacturer gray area
      21:08 - The one-maintainer problem
      22:51 - Will regulations kill open source adoption?
      24:43 - Call to action
    Episode links:
      Stephanie Domas LinkedIn page
      Canonical
      Ubuntu
      OpenSSF Global Cyber Policy Working Group (CRA & policy/standards resources)
      WiTS Podcast #18 - Canonical’s Stephanie Domas and Security Insight from a Self-Described “Tinkerer”
      Get involved with the OpenSSF
      Subscribe to the OpenSSF newsletter
      Follow the OpenSSF on LinkedIn
    Duration: 26:44
  • A Deep Dive into the Open Source Project Security (OSPS) Baseline
    In this episode of "What's in the SOSS," CRob, Ben Cotton, and Eddie Knight discuss the Open Source Project Security Baseline. This baseline provides a common language and control catalog for software security, enabling maintainers to demonstrate their project's security posture and fostering confidence in open source projects. They explore its integration with other OpenSSF projects, real-world applications like the GUAC case study, and its value to maintainers and stakeholders. The role of documentation in security is emphasized, ensuring secure software deployment. The effectiveness of the baseline is validated through real-world applications and refined by community feedback, with future improvements focusing on better tooling and compliance mapping.
    Episode chapters:
      00:00 - Welcome & Introductions
      02:40 - Understanding the Open Source Project Security Baseline
      05:54 - The Importance of Defining a Security Baseline
      08:49 - Integrating Baseline with Other OpenSSF Projects
      11:42 - Real-World Applications: The GUAC Case Study
      14:21 - Value for Maintainers and Other Stakeholders
      17:29 - The Role of Documentation in Security
      20:37 - Future Directions for the Baseline and ORBIT
      23:26 - Community Engagement and Feedback
    Episode links:
      Ben Cotton’s LinkedIn page
      Eddie Knight’s LinkedIn page
      OSPS Baseline website
      OSPS Baseline GitHub
      OSPS Baseline Slack
      OSPS ORBIT Working Group
      OpenSSF Tech Talk: How to use the OSPS Baseline to Better Navigate Standards and Regulations
      Gemara project
      GUAC project
      Get involved with the OpenSSF
      Subscribe to the OpenSSF newsletter
      Follow the OpenSSF on LinkedIn
    Duration: 32:57
  • Building Trust in Open Source: Seth Larson's Journey from Maintainer to Security Leader
    In this episode of What’s in the SOSS, host Yesenia Yser sits down with Seth Larson, Security Developer in Residence at the Python Software Foundation, as he shares his unique perspective on open source security. From his Minneapolis base, Seth discusses his journey from urllib3 maintainer to leading security initiatives across the Python ecosystem. In this episode, we explore how public documentation shapes security work, the importance of supporting maintainers both technically and emotionally, and the art of building trust in open source communities. Seth also shares insights on engaging with academic communities, the evolution of secure-by-default practices, and his approach to making security accessible without disrupting existing workflows. Plus, don't miss our rapid-fire segment where Seth reveals his love for retro Nintendo games and PyCharm over traditional editors!
    Episode chapters:
      00:00 Introduction & Seth's Background
      02:30 The Power of Public Documentation
      07:00 Supporting Open Source Maintainers
      12:00 Engaging Academic Communities
      18:00 Seth's 10-Year Open Source Journey
      22:00 Rapid Fire Round
      25:00 Closing Advice
    Episode links:
      Seth Larson’s LinkedIn page
      Python Software Foundation
      Seth’s Security Blog
      Get involved with the OpenSSF
      Subscribe to the OpenSSF newsletter
      Follow the OpenSSF on LinkedIn
    Duration: 21:43
  • New Education Course: Secure AI/ML-Driven Software Development (LFEL1012) with David A. Wheeler
    In this episode of “What’s In The SOSS,” Yesenia interviews David A. Wheeler, the Director of Open Source Supply Chain Security at the Linux Foundation. They discuss the importance of secure software development, particularly in the context of AI and machine learning. David shares insights from his extensive experience in the field, emphasizing the need for both education and tools to ensure security. The conversation also touches on common misconceptions about AI, the relevance of digital badges for developers, and the structure of a new course aimed at teaching secure AI practices. David highlights the evolving nature of software development and the necessity for continuous learning in this rapidly changing landscape.
    Chapters:
      00:00 Introduction to Open Source and Security
      02:31 The Journey to Secure AI and ML Development
      08:28 Understanding AI's Impact on Software Development
      12:14 Myths and Misconceptions about AI in Security
      18:24 Connecting AI Security to Open Source and Closed Source
      20:29 The Importance of Digital Badges for Developers
      24:31 Course Structure and Learning Outcomes
      28:18 Final Thoughts on AI and Software Security
    Episode links:
      David A. Wheeler’s LinkedIn page
      Secure AI/ML-Driven Software Development (LFEL1012)
      OpenSSF Education
      Get involved with the OpenSSF
      Subscribe to the OpenSSF newsletter
      Follow the OpenSSF on LinkedIn
    Duration: 38:44

About What's in the SOSS? An OpenSSF Podcast

What's in the SOSS? features the sharpest minds in security as they dig into the challenges and opportunities that create a recipe for success in making software more secure. Get a taste of all the ingredients that make up secure open source software (SOSS) and explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessments. Each episode of What's in the SOSS? is packed with valuable insight designed to foster collaboration and promote stronger security practices for the open source software community.

About Christopher Robinson (aka CRob), host

CRob is a 43rd level Dungeon Master and a 26th level Securityologist. He is a leader within several Open Source Security Foundation (OpenSSF) efforts and is a frequent speaker on cyber, application, and open source security. He enjoys hats, herding cats, and moonlit walks on the beach.
© 2007-2025 radio.de GmbH