The Remediation Revolution: How AI Agents Are Transforming Open Source Security with John Amaral of Root.io
In this episode of What's in the SOSS, CRob sits down with John Amaral from Root.io to explore the evolving landscape of open source security and vulnerability management. They discuss how AI and LLM technologies are revolutionizing the way we approach security challenges, from the shift away from traditional "scan and triage" methodologies to an emerging "fix first" approach powered by agentic systems. John shares insights on the democratization of coding through AI tools, the unique security challenges of containerized environments versus traditional VMs, and how modern developers can leverage AI as a "pair programmer" and security analyst. The conversation covers the transition from "shift left" to "shift out" security practices and offers practical advice for open source maintainers looking to enhance their security posture using AI tools.Chapters:00:25 - Welcome and introductions01:05 - John's open source journey and Root.io's SIM Toolkit project02:24 - How application development has evolved over 20 years05:44 - The shift from engineering rigor to accessible coding with AI08:29 - Balancing AI acceleration with security responsibilities10:08 - Traditional vs. containerized vulnerability management approaches13:18 - Leveraging AI and ML for modern vulnerability management16:58 - The coming "remediation revolution" and fix-first approach18:24 - Why "shift left" security isn't working for developers19:35 - Using AI as a cybernetic programming and analysis partner20:02 - Call to action: Start using AI tools for security today22:00 - Closing thoughts and wrap-upEpisode links:John Amaral’s LinkedIn pageRoot websiteGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedIn
--------
22:53
--------
22:53
From Manager to Open Source Security Pioneer: Kate Stewart's Journey Through SBOM, Safety, and the Zephyr Project
In this episode of What’s in the SOSS, CRob has an inspiring conversation with Kate Stewart, a Linux Foundation veteran who took an unconventional path into open source as a manager rather than a developer, navigating complex legal challenges to get Motorola's contributions upstream. Now a decade into her tenure at the Linux Foundation, Kate leads critical initiatives in safety-critical open source software, including the Zephyr RTOS project and ELISA, while being instrumental in the evolution of SPDX and Software Bill of Materials (SBOM). She breaks down the different types of SBOMs, explains how the Zephyr project became a security exemplar with gold-level OpenSSF badging, and shares practical insights on navigating the European Union's Cyber Resilience Act (CRA). Whether you're interested in embedded systems, security best practices, or the evolving regulatory landscape for open source, this episode offers valuable perspectives from someone who's been shaping these conversations for years.Episode Chapters:00:00 - Intro Music & Promo Clip00:00- Introduction and Welcome00:42- Kate's Current Work at Linux Foundation02:18- Origin Story: From Motorola Manager to Open Source Advocate06:38- Building Global Open Source Teams and SPDX Beginnings09:45- The Variety of Open Source Contributors10:57- Deep Dive: What is an SBOM and Why It Matters17:05- The Evolution of SBOM Types and Academic Understanding19:21- Cyber Resilience Act and Zephyr as a Security Exemplar26:46- Zephyr's Security Journey: From Badging to CNA Status31:05- Rapid Fire Questions32:19- Advice for Newcomers and Closing ThoughtsEpisode links:Kate Stewart LinkedIn pageZephyr ProjectSPDX (Software Package Data Exchange)ELISA ProjectGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedIn
--------
34:47
--------
34:47
Racing Against Quantum: The Urgent Migration to Post-Quantum Cryptography with KeyFactor's Crypto Experts
The quantum threat is real, and the clock is ticking. With government deadlines set for 2030, organizations have just five years to migrate their cryptographic infrastructure before quantum computers can break current RSA and elliptic curve systems. In this episode of "What's in the SOSS," join host Yesenia Yser as she sits down with David Hook (VP Software Engineering) and Tomas Gustavsson (Chief PKI Officer) from Keyfactor to break down post-quantum cryptography, from ELI5 explanations of quantum-safe algorithms to the critical importance of crypto agility and entropy. Learn why the financial sector and supply chain security are leading the charge, discover the hidden costs of migration planning, and find out why your organization needs to start inventory and testing now because once quantum computers arrive, it's too late.Episode Chapters:00:00 Introduction00:22 Podcast Welcome00:01 - 01:22: Introductions and Setting the Stage01:23 - 03:22: Post-Quantum 101 - The Quantum Threat Explained03:23 - 06:38: Government Deadlines and Industry Readiness06:39 - 09:14: Bouncy Castle's Quantum-Safe Journey09:15 - 10:46: The Power of Open Source Collaboration10:47 - 13:32: Industry Sectors Leading the Migration13:33 - 16:33: Planning Challenges and Crypto Agility16:34 - 22:01: The Randomness Problem - Why Entropy Matters22:02 - 26:44: Getting Started - Practical Migration Advice26:45 - 28:05: Supply Chain and SBOMs 28:06 - 30:48: Rapid Fire Round30:49 - 31:40: Final Thoughts and Call to ActionEpisode links:Tomas Gustavsson LinkedIn pageDavid Hook LinkedIn pageKeyfactorBouncycastle.orgEJBCA.orgSignServer.orgGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedIn
--------
30:19
--------
30:19
Securing AI: A Conversation with Sarah Evans on OpenSSF's AI/ML Initiatives
In this episode of "What's in the SOSS," we welcome back Sarah Evans, Distinguished Engineer at Dell Technologies and a key figure in the OpenSSF's AI/ML working group. Sarah discusses the critical work being done to extend secure software development practices to the rapidly evolving field of AI. She dives into the AI Model Signing project, the groundbreaking MLOps white paper developed in partnership with Ericsson, and the crucial work of identifying and addressing new personas in AI/ML operations. Tune in to learn how OpenSSF is shaping the future of AI security and what challenges and opportunities lie ahead.Episode Chapters:0:00 Welcome and Introduction to Sarah Evans0:48 Sarah Evans: Role at Dell Technologies and Involvement in OpenSSF1:38 The OpenSSF AI/ML Working Group: Genesis and Goals3:37 Deep Dive: The AI Model Signing Project with Sigstore4:28 AI Model Signing: Benefits for Developers5:20 Transition to the MLSeCOps White Paper5:49 The Mission of the MLSecOps White Paper: Addressing Industry Gaps7:00 Collaboration with Ericsson on the MLEC Ops White Paper8:15 Identifying and Addressing New Personas in AI/ML Ops10:04 The Power of Open Source in Extending Previous Work10:15 Future Directions for OpenSSF's AI/ML Strategy11:21 OpenSSF's Broader AI Security Focus12:08 Sneak Peek: New Companion Video Podcast on AI Security12:31 Sarah's Personal Focus: The Year of the Agents (2025)13:00 Security Concerns: Bringing Together Data Models and Code in AI Applications14:00 Conclusion and ThanksEpisode links:Sarah Evans LinkedIn pageOpenSSF AI/ML Security Working GroupOpenSSF Blog: Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline SecurityOpenSSF Whitepaper: Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline SecurityGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedIn
--------
14:59
--------
14:59
Open Source Security: OSTIF's 10-Year Journey of Collaborative Audits
In this episode of "What's in the SOSS," Derek Zimmer and Amir Montezari from the Open Source Technology Improvement Fund (OSTIF) discuss their decade-long mission of providing security resources to open source projects. They focus on collaborative, maintainer-centric security audits that help projects improve their security posture through expert third-party reviews, without creating fear or overwhelming developers.Episode Chapters:00:00 Introduction00:22 Podcast Welcome01:04 OSTIF Founders Introduction02:31 OSTIF's Mission and Approach05:28 Relationship Management and Expertise08:01 Evolution of Security Engagement Methods12:15 Making Security Audits Less Intimidating18:00 Rapid Fire Questions20:45 Closing, Call to ActionEpisode links:Derek Zimmer LinkedIn pageAmir Montezary LinkedIn pageOSTIF (Open Source Technology Improvement Fund)Get involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedInJoin us at OpenSSF Community Day Europe Aug 28, 2025
What's in the SOSS? features the sharpest minds in security as they dig into the challenges and opportunities that create a recipe for success in making software more secure. Get a taste of all the ingredients that make up secure open source software (SOSS) and explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessments. Each episode of What's in the SOSS? is packed with valuable insight designed to foster collaboration and promote stronger security practices for the open source software community.About Christopher Robinson (aka CRob), hostCRob is a 43rd level Dungeon Master and a 26th level Securityologist. He is a leader within several Open Source Security Foundation (OpenSSF) efforts and is a frequent speaker on cyber, application, and open source security. He enjoys hats, herding cats, and moonlit walks on the beach.
Lyssna på What's in the SOSS? An OpenSSF Podcast, All-In with Chamath, Jason, Sacks & Friedberg och många andra poddar från världens alla hörn med radio.se-appen
Sverige