Recent searches

No recent searches

Search options

Only available when logged in.
eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This Mastodon server is a friendly and respectful discussion space for people working in areas related to EU policy. When you request to create an account, please tell us something about you.

Administered by:

Server stats:

216
active users

eupolicy.social: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.4.1

#opensourcesecurity

1 post1 participant0 posts today
Josh Bressers

This #OpenSourceSecurity episode I chatted with Jan Pleskac from Tropic Square about open source microprocessors

I learned an incredible amount about how this all works, what Tropic Square is trying to do, and what we can start to expect in the future

I would like to say it's time for open source to work its magic on the world of hardware, but it's indescribably more complicated than software

opensourcesecurity.io/2025/202

Open Source Security · Open source microprocessors with Jan PleskacIn this episode Jan Pleskac, CEO and co-founder of Tropic Square, shares insights on the challenges and innovations in creating open and auditable hardware. While most hardware is very closed, Tropic Square is working to change this. WE discuss how open source can enhance security, the complexities of integrating third-party technologies, and the future of secure computing devices. Episode Links Jan Pleskac Tropic Square Tropic Square GitHub This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Josh Bressers

#OpenSourceSecurity chats with @Di4na about his blog post explaining hobbyist open source maintainers

Whatever you think you know about open source, you're going to learn something from this one

An enormous amount of the open source that runs the world is written by hobbyists, and how we can support them is not at all obvious or easy

opensourcesecurity.io/2025/202

Open Source Security · Hobbyist Maintainers with Thomas DePierreThomas DePierre joins Open Source Security to discuss the central idea from his blog post, “You are all on the hobbyist maintainers turf now,” exploring the massive disconnect between the corporate world that consumes open source and the hobbyist community that actually produces it. The conversation reveals this isn’t a new problem, but a long-standing reality whose consequences for security, stability, and the future of software we are only now beginning to truly confront.
Josh Bressers

This episode of #OpenSourceSecurity I chat with Aaron Lippold from MITRE about #STIG automation (it's one big open source project)

STIG has historically been incredibly difficult and a bit of a niche space. Thanks to #FedRAMP it's getting more attention than ever before, and the work Aaron has been doing makes it a lot easier

opensourcesecurity.io/2025/202

Open Source Security · STIG automation with Aaron LippoldI chat with Aaron Lippold, creator of MITRE’s Security Automation Framework (SAF), to discuss how to escape the pain of manual STIG compliance. We explore the technical details of open-source tools like InSpec, Heimdall, and Vulcan that automate validation, normalize diverse security data, and streamline the entire security authoring process. Episode Links Aaron MITRE SAF This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Josh Bressers

This week #OpenSourceSecurity chats with @andrewnez about @ecosystems

Ecosyste.ms is a massive collection of data about open source projects

It's an amazingly useful collection of data. If you're doing anything that needs information about open source packages, or git repos, or even the folks who work on this stuff, you should check it out

opensourcesecurity.io/2025/202

Open Source Security · Ecosyste.ms with Andrew NesbittI recently chatted with Andrew Nesbitt about his project, Ecosyste.ms. Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more. With this dataset Andrew is able to incredible insights into the world of open source. We chat all about how Ecosyste.ms works and how he manages to wrangle all this data. Episode Links Andrew Ecosyste.ms Open Collective OpenSSF Issue 101 This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
OpenSSF

🚀 Looking to break into #Cybersecurity or gain hands-on experience in #OpenSourceSecurity? The OpenSSF BEAR WG is teaming up with LFX Mentorship for the Summer 2025 program — and applications are now open!

Projects include #RSTUF and #gittuf, with a stipend for mentees!
🗓️ Deadline: May 18, 2025
📖 Read the blog for details + tips to apply: openssf.org/blog/2025/05/08/an
📝 Apply now: mentorship.lfx.linuxfoundation

Josh Bressers

This episode of #OpenSourceSecurity I talk with @paulasadoorian about embedded security, but with an open source twist

It's open source all the way down. And old open source quite often. It's a really fun discussion, I learned a lot!

opensourcesecurity.io/2025/202

Open Source Security · Embedded Security with Paul AsadoorianRecently, I had the pleasure of chatting with Paul Asadoorian, Principal Security Researcher at Eclypsium and the host of the legendary Paul’s Security Weekly podcast. Our conversation dove into the often-murky waters of embedded systems and the Internet of Things (IoT), sparked by a specific vulnerability discussion on Paul’s show concerning reference code for the popular ESP32 microcontroller. Episode Links Paul Eclypsium Below the surface podcast RVAsec This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
FIRST.org

Thank you Brittany Day, Linux Security for your insightful coverage of #VulnCon25!

This article highlights critical developments in vulnerability management including metadata improvements, supply chain security measures, EU Cyber Resilience Act impacts and emerging security baseline standards.

Read more: go.first.org/zeokh

Linux SecurityKey Trends & Takeaways from VulnCon 2025VulnCon 2025, recently held in Raleigh, NC, created a dynamic stage for security professionals and open-source advocates to connect, share, and...
#cybersecurity#OpenSourceSecurity#VulnerabilityManagement
Josh Bressers

This episode of #OpenSourceSecurity I chat with Dimitri Stiliadis of @endorlabs about the tj-actions/changed-files backdoor

Endor did some great research into how many repos were affected and we cover some of the background on this attack. It's way weirder than you can imagine

opensourcesecurity.io/2025/202

Open Source Security · tj-actions with Endor Lab's Dimitri StiliadisDimitri Stiliadis, CTO from Endor Labs, discusses the recent tj-actions/changed-files supply chain attack, where a compromised GitHub Action exposed CI/CD secrets. We explore the impressive multi-stage attack vector and the broader often-overlooked vulnerabilities in our CI/CD pipelines, emphasizing the need to treat these build systems with production-level security rigor instead of ignoring them. Episode Links Dimitri’s Linkedin Endor Labs Harden-Runner detection: tj-actions/changed-files action is compromised Unit 42 tj-actions analysis This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Josh Bressers

This episode of #OpenSourceSecurity talks to @predrag about cargo-semver-checks

it's a #Rust tool that can help you figure out if you broke #semver, it's pretty awesome

We also touch on the difficulty of detecting breaking changes, sustainable open source, and what's to come for semver checking

It's a fun chat and you'll learn a lot

opensourcesecurity.io/2025/202

Open Source Security · cargo-semver-checks with Predrag GruevskiCargo Semver Checks is a Rust tool by Predrag Gruevski that is tackling the problem of broken dependencies that cost developers time when trying to upgrade dependencies. Predrag’s work shows how automated checks can catch breaking changes before they’re released, potentially saving projects from unexpected failures and making dependency updates less painful across the entire Rust ecosystem. Episode links Predrag’s Mastodon Predrag’s Blog “We never update unless forced to” — cargo-semver-checks 2024 Year in Review cargo-semver-checks issue 5 This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Josh Bressers

I spoke with @liw on #OpenSourceSecurity about two really cool projects he's working on

Ambient is a distributed CI/CD system written in Rust

@radicle is a distributed Git Forge

It's a really fun chat and I learned a lot

opensourcesecurity.io/2025/202

Open Source Security · Distributed CI and Git with Lars WirzeniusI got to chat with Lars about a new CI/CD system he’s been working on called Ambient. It sounds really cool and does some very clever things today, with even more things planned in the future. We also spend some time discussing a project he works on called Radicle, a distributed Git forge. It feels like having decentralized infrastructure might be more important than it’s ever been, for some reason.
Josh Bressers

I chatted with @firstyear about FIDO authentication on #OpenSourceSecurity, especially the FIDO Metadata Service. I learned a ridiculous amount about U2F, WebAuthn, and FIDO in this conversation

opensourcesecurity.io/2025/202

Open Source Security · FIDO authentication with William BrownWhen William Brown posted a rant on Mastodon about the FIDO Metadata Service, it sounded like exactly the sort of thing I wanted to learn more about. So that’s what I did! It’s a fun conversation, William is really good at explaining insanely complicated topics in a way that’s easy to understand. This one is dense, but it’s really interesting, you’re going to learn a ton. Episode links William’s Mastodon Yubico FEITIAN Token2 This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Josh Bressers

This week on #OpenSourceSecurity I chat with Brian Fox from Sonatype about open source malware

The volume of malware is continuing to grow, and we don't have amazing answers today

The first step is to understand the problem

opensourcesecurity.io/2025/202

Open Source Security · Open Source Malware with Brian FoxI recently sat down with Brian Fox, CTO and co-founder of Sonatype, about a report they recently published about malware in open source ecosystems. This is something that’s not a surprise to anyone paying attention, but there are some things Sonatype is doing in this space that’s very clever. I’ve known Brian for a long time so it was a treat to catch up and see what they found, and what it means for the future.
Josh Bressers

This episode of #OpenSourceSecurity talks to Kelley Misata of @suricata

The foundation model behind Suricata is fascinating, the conversation has a ton of lessons on how to run sustainable open source projects

opensourcesecurity.io/2025/202

Open Source Security · Open Source Foundations with Kelley Misata of SuricataIn the world of open source software, we often celebrate the code, the contributors, and the collaboration. But beneath the surface lies a world unknown to most. It’s not a secret, it’s just not something most of us pay attention to, the foundations that drive some of the open source projects. I had the opportunity to discuss this with Dr. Kelly Masada, who has served as president of the Open Information Security Foundation (OISF) for over 12 years. OISF is the organization behind Suricata, the very capable and well known open source network analysis and threat detection software.
TrendingLive feeds
About