What's in the SOSS? An OpenSSF Podcast


Hosted by OpenSSF

Technology · Interviews guests

Episodes

62

Latest episode

Jun 2026

Language

EN-US

About the show

What's in the SOSS? features the sharpest minds in security as they dig into the challenges and opportunities that create a recipe for success in making software more secure. Get a taste of all the ingredients that make up secure open source software (SOSS) and explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessments. Each episode of What's in the SOSS? is packed with valuable insight designed to foster collaboration and promote stronger security practices for the open source software community.

About Christopher Robinson (aka CRob), host

CRob is a 43rd level Dungeon Master and a 26th level Securityologist. He is a leader within several Open Source Security Foundation (OpenSSF) efforts and is a frequent speaker on cyber, application, and open source security. He enjoys hats, herding cats, and moonlit walks on the beach.

Listen to episodes

June 16, 2026 · Episode 15 · 29 min

Consuming with Intent: Driving Enterprise Security and Career Growth Through Open Source with Jamie Thomas (IBM)

In this episode of Big Thoughts, Open Sources, host CRob sits down with Jamie Thomas, IBM Enterprise Security Executive and OpenSSF Governing Board Member (former Chair!), to tackle the vital shifting dynamics of enterprise open source engagement. From IBM's historical "billion-dollar bet" on Linux to modern supply chain wake-up calls like SolarWinds and Log4j, Jamie pulls back the curtain on what it truly means to move from accidental consumption to intentional stewardship. Tune in to discover how active participation in neutral foundations like the OpenSSF acts as a fast track for engineering career trajectories, why soft skills like "the art of influence" are critical for upstream collaboration, and how organizations can protect their crown jewels while implementing a powerful "give-back strategy."

Chapters:
00:00 – Intro Music + Promo Clip
00:21 – Introduction & Welcoming Luminary Jamie Thomas
01:32 – Wearing the Enterprise Security Hat at IBM
02:10 – Supply Chain Wake-up Calls: From SolarWinds to Log4j
03:14 – Unlocking Open Ecosystems: IBM’s Early History with Java and Linux
05:21 – Mainframe Debates and Portability: The Evolution of Open Source Adoption
06:24 – The Red Hat Acquisition and Monetizing the Developer Ecosystem
08:20 – The Myth of "Free" Software: Securing Regulated Enterprise Deployment
10:15 – Why a Seat at the Table Matters: The Value of Neutral Foundations
11:29 – The Art of Influence: Upstream Contributions as a Career Catalyst
13:50 – Moving Innovation from Open Source Kernels to Commercial Value
16:12 – Storming, Norming, and Conversation: Lessons from the Kubernetes Era
17:38 – Pitching Upstream Time: Helping Developers Sell Open Source to Management
19:30 – Beyond Code: Bringing Domain Expertise and Soft Skills Upstream
21:40 – Conquering the Chasm: Automating CI/CD Pipelines and Testing at Scale
23:00 – Consuming with Intent: Active Stewardship and the OpenSSF Scorecard
25:21 – Rapid Fire Round: Mainframes, AI-Generated Code, and Star Trek nostalgia
27:53 – Call to Action: Crafting Your Organization's "Give-Back Strategy"

Episode links:
Jamie Thomas’ LinkedIn page
Learn more about IBM’s Strong History and Commitment to Open Source
Red Hat
Eclipse Foundation
CNCF
Get involved with the OpenSSF
Learn more about the OpenSSF Governing Board
Subscribe to the OpenSSF Newsletter
Follow the OpenSSF on LinkedIn

June 2, 2026 · Episode 14 · 26 min

The Ghost in the Dependency Tree: Navigating Open Source End-of-Life with HeroDevs

In this episode of What’s in the SOSS, host CRob sits down with Isaac Wuest, Product Line Leader at HeroDevs, to explore the critical and often overlooked "gray area" of the software supply chain: End-of-Life (EOL) software. While the industry heavily relies on CVEs to track vulnerabilities, Isaac explains how maintainer abandonment creates a vacuum where risks are present but remain undiscovered and unreported. From the origins of HeroDevs supporting AngularJS to the nuances of the EU Cyber Resilience Act (CRA), this conversation provides a practical framework for distinguishing between inherent hazards and actual risk in your dependency tree.

Chapters:
00:04 - CRob welcomes Isaac Wuest from HeroDevs
00:45 - The HeroDevs origin story: How Google sunsetting AngularJS created a need for secure drop-in replacements.
02:44 - Isaac’s path to open source: Transitioning from product management to supporting maintainers.
04:06 - Exploring the "Gap" in CVEs: Why dictionary-based vulnerability tracking misses EOL and malicious packages.
07:03 - The challenge of "Maintainer Attestation": Why most open source projects lack a formal EOL calendar.
09:52 - Compliance and Risks: How EOL dependencies create blank spots for security professionals and auditors.
11:27 - The Shark in the Tank: Using a food regulation analogy to differentiate between hazard and risk.
13:22 - Navigating the EU Cyber Resilience Act: Preparing for increased manufacturer accountability in software.
14:08 - Maintainer Abandonment: Identifying the moment a project stops receiving patches without formal notice.
16:14 - Scanning for Gaps: Why standard industry tools currently struggle to provide a complete EOL picture.
18:49 - Practical Remediation: Recommendations for researching upgrade paths using tools like endoflife.date.
20:49 - Analyzing SBOMs: How engineers can leverage free datasets to identify and fix deep dependency risks.
23:00 - Rapid Fire: Coffee, Star Wars, spicy food, and the favorite apocalyptic robot.
25:01 - Final Thoughts: A call to action for educating yourself on your application's EOL exposure.

Episode links:
Isaac Wuest’s LinkedIn page
HeroDevs
Free Tool: End of Life Data Set
Community Resource: endoflife.date
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

May 19, 2026 · Episode 13 · 25 min

Beginner to Builder: Shaping the Conversation in Open Source Security

In this episode of What's in the SOSS, Yesenia Yser interviews cybersecurity analyst Ejiro Oghenekome about her journey from UI/UX design to becoming a key contributor to the OpenSSF. Ejiro shares the inspiration behind her public "100 Days of Cybersecurity" challenge, which has helped her maintain discipline and consistency while making the field less intimidating for beginners. She discusses how connecting with the OpenSSF community led her to the BEAR Working Group, where her authorship of the "Beginner to Builder" blog series has allowed her to move from consuming content to actively shaping the open source security conversation. Ejiro also offers advice to the next generation, emphasizing that open source contribution is not just about coding but is a welcoming space for anyone to learn and grow, regardless of their current expertise.

Episode links:
Ejiro (Sonia) Oghenekome LinkedIn page
Ejiro’s GitHub page
BEAR Working Group
Ejiro’s OpenSSF Beginner to Builder Blog Series:
Blog #1: From Beginner to Builder: Understanding OpenSSF Community and Working Groups
Blog #2: From Beginner to Builder: Your First Code Contribution
Blog #3: From Beginner to Builder: Free OpenSSF and Linux Foundation Education Courses
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

Chapters:
00:00 - Music, Promo clip, & Welcome
01:11 - Ejiro details her transition from UI/UX design to cybersecurity and connecting with OpenSSF.
03:39 - Ejiro explains her motivation for starting the 100-day challenge, including receiving advice to learn publicly and a previous rejection from an internship.
06:49 - Ejiro shares that she is currently on day 44 and expects to complete the challenge around April.
07:50 - Ejiro discusses her biggest personal lesson: understanding consistency and discipline, and learning from the community.
10:45 - Ejiro describes her authorship of the "Beginner to Builder" blog series, which shifted her from consuming content to shaping the open source conversation.
15:47 - Ejiro shares the impact of her work, noting that it has made cybersecurity feel less intimidating for beginners and helped her grow in confidence.
18:22 - Rapid Fire Questions: Ejiro shares her preferences on books, cooking, social media, and more.
21:13 - Ejiro offers advice to the next generation, emphasizing that open source is welcoming, not just about coding, and provides great opportunities for learning and growth.
24:46 - Yesenia concludes the interview, thanking Ejiro for her time and contributions.

May 5, 2026 · Episode 12 · 19 min

Packaging, Transferring, and Deploying Software in Air-Gapped Environments with Zarf

Host Sally Cooper is joined by Brandt Keller, a staff software engineer at Defense Unicorns and maintainer of the OpenSSF sandbox project, Zarf. Brandt discusses Zarf's origins as a tool designed to reliably package, transfer, and deploy software components (like container images and Helm charts) specifically for critical, air-gapped environments that lack internet connectivity. The conversation explores Zarf's evolution, highlighting its current role in introducing security gates, improving transparency, and consolidating various management and SBOM tools into a single, declarative workflow. Finally, Brandt explains how Zarf's declarative manifest model is helping to secure open source software by reducing the cognitive burden on maintainers and giving integrators confidence in upstream artifacts.

Chapters:
00:01: Welcome and Introduction to Brandt Keller and Defense Unicorns
02:01: What is Zarf and its history: Solving the air-gapped use case
04:33: Zarf's critical function today: Security, transparency, and packaging
09:18: How Zarf has evolved: From niche tool to agnostic distribution and GitOps integration
12:07: Zarf’s role in OpenSSF and securing open source software
16:05: Rapid Fire and Call to Action (Zarf.dev)

Episode links:
Brandt Keller’s LinkedIn page
Zarf website
Zarf GitHub
CNCF Security Technical Advisory Group (TAG Security)
OpenSSF Software Supply Chain Integrity Working Group
OpenSSF Project GUAC
Defense Unicorns
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

April 7, 2026 · Episode 10 · 29 min

Big Thoughts, Open Sources Inaugural Episode: Beyond the Hype: Brian Fox on Securing the Agentic Future of Open Source

In this inaugural episode of Big Thoughts and Open Sources, host CRob sits down with Brian Fox, Co-founder and CTO of Sonatype, to dissect the friction between rapid AI adoption and foundational software security. Brian shares insights from the 11th annual State of the Software Supply Chain Report, revealing the emergence of "slop squatting" and the high frequency of AI models recommending non-existent or vulnerable dependencies. The conversation explores how the Model Context Protocol (MCP) could revolutionize developer compliance and why the industry must fund the critical infrastructure supporting our trillion-dollar open source ecosystem.

Chapters:
00:23 – Welcome to the inaugural episode of Big Thoughts, Open Sources.
01:01 – Brian shares his journey from 2002 Apache Maven contributor to co-founding Sonatype and joining the OpenSSF board.
02:53 – The conversation shifts to the critical role of Maven Central in providing global visibility into the software supply chain.
03:26 – Brian reflects on a decade of security trends, noting that the "Log4Shell" pattern of using unpatched libraries has existed for years.
05:34 – The "Tribal Knowledge" problem is explored, highlighting how AI agents lack the undocumented context human developers share at lunch.
07:06 – Brian reveals findings from the 11th Annual State of the Software Supply Chain Report, including how AI models recommend non-existent code versions 30% of the time.
08:09 – The "Slop Squatting" phenomenon is explained, where attackers upload malicious packages to match common AI hallucinations.
10:03 – Brian discusses the Model Context Protocol (MCP) as a game-changer for turning security tools into expert systems for AI agents.
13:42 – The dialogue warns against ignoring sixty years of software engineering "physics" in the rush to adopt AI-generated code.
15:11 – Brian describes the "Vulcan Mind Meld" opportunity of injecting high-quality governance data directly into an AI agent’s decision-making process.
17:19 – The experts debate the risks and rewards of our "new robot overlords" and the need for ML SecOps discipline.
19:30 – Brian emphasizes that "inefficient code is still inefficient code" and warns against repeating the costly mistakes of early cloud migrations.
21:01 – Advice is given on building an "AI-native SDLC" that focuses on providing security information upfront during code creation.
24:18 – Brian addresses the sustainability crisis, noting that the cloud infrastructure required for modern, secure open source builds is no longer free.
27:17 – The episode concludes by highlighting the eight trillion dollars of economic value produced by open source and the need to fund its core infrastructure.

Episode links:
Brian Fox LinkedIn page
Sonatype website
Maven Central Repository
The State of the Software Supply Chain Report
Sonatype Blog
OpenSSF AI/ML Security Working Group
Whitepaper: Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline Security
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

March 24, 2026 · Episode 9 · 25 min

From Noise to Signal: Security Expertise and Kusari Inspector with Mike Lieberman

In this episode, CRob talks with Mike Lieberman from Kusari about the current state of open source security. They discuss the growing burden on maintainers from the "deluge" of noisy, low-quality vulnerability reports, often generated by AI tools, and the vital role of "a human in the loop." Mike introduces Kusari's tool, Inspector, explaining how it uses codified security expertise to process data from tools like OpenSSF Scorecard and SLSA, effectively filtering out false positives and giving maintainers only high-quality, actionable reports. They also dive into the design philosophy of "don't piss off the engineers" and share a vision for the future of security tooling that focuses on dramatically better user experience and building security primitives that are "secure by design."

Chapters:
00:06 Introduction: The Biggest Challenge in Security Tooling
01:12 Overwhelmed Maintainers: The Deluge of Low-Quality AI Reports
04:00 Introducing Kusari's Inspector: How it Filters False Positives
08:40 The Secret Sauce: Security Expertise and the Need for Reproducible Tests
12:03 Meeting Engineers Where They Are: Design Choices to Reduce Maintainer Burden
18:16 The Future of Open Source Security Tooling: Focusing on Better UX
22:19 Call to Action: The Responsibility of Large Organizations

Episode links:
Michael Lieberman’s LinkedIn page
Learn more about Kusari Inspector
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

March 17, 2026 · Episode 8 · 22 min

Empowering New Maintainers: Inside the OpenSSF Mentorship Program

In this episode of What’s in the SOSS? host Sally Cooper sits down with Yesenia Yser, co-lead of the OpenSSF Mentorship Program and the BEAR Working Group, and Kairo De Araujo, Open Source Software Engineer and mentor for rstuf. They dive into the success of the OpenSSF Mentorship Program, which focuses on bringing underrepresented voices into software security. Kairo shares an incredible outcome from the last cycle – where two out of three mentees became project maintainers – while Yesenia discusses the evolution of the BEAR Working Group (Belonging, Empowerment, Allyship, and Representation) mentorship program. Whether you are a potential mentor or a mentee looking to break into open source, this episode provides a roadmap for the upcoming paid mentorship cycle.

Important Dates for the 2026 Mentorship Cycle:
Applications Open: March 24, 2026
Applications Close: April 12, 2026
Selection Period: April 13 – April 30, 2026
Notification Date: May 1, 2026
Onboarding: May 5 – May 29, 2026
Mentorship Period: June 1 – August 21, 2026

Chapters:
00:01 – Welcome
01:43 – Kairo on his work with the Repository Service for TUF (RSTUF).
02:30 – Yesenia on the BEAR Working Group and making open source accessible.
04:30 – The "Why" behind mentorship: Solving the barrier to entry for security beginners.
07:28 – Success strategies: Working as a team across time zones with multiple mentees.
09:28 – The ultimate goal: Moving mentees from learners to official project maintainers.
10:58 – Challenges and growing pains: Managing deadlines and interview chaos.
13:48 – Advice for Mentors: The importance of clear communication and flexibility.
15:02 – Advice for Mentees: Don't be afraid to join; focus on "pre-onboarding".
17:13 – Key Dates for the 2026 Mentorship Cycle.
20:15 – Call to Action: Get to know this year’s participating projects (gittuf, rstuf, SBOMit, Minder) and how to get involved.

Episode links:
Yesenia Yser LinkedIn page
Kairo De Araujo LinkedIn page
LFX Mentorships
BEAR Working Group
OpenSSF Participating Projects for 2026 Mentorship Program
Repository Service for TUF (rstuf)
gittuf
SBOMit
Minder
BEAR Working Group Welcome Calls YouTube Playlist
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

March 10, 2026 · Episode 7 · 17 min

The Gemara Project: GRC Engineering Model for Automated Risk Assessment

Hannah Braswell and Jenn Power, security engineers from Red Hat and contributors to the OpenSSF, join host Sally Cooper to discuss the Gemara project. Gemara, an acronym for GRC Engineering Model for Automated Risk Assessment, is a seven-layer logical model that aims to solve the problem of incompatibility in the GRC (Governance, Risk, and Compliance) stack. By outlining a separation of concerns, the project seeks to enable engineers to build secure and compliant systems without needing to be compliance experts. The speakers explain how Gemara grew organically to seven layers and connects with other open source initiatives like the OpenSSF Security Baseline and Finos Common Cloud Controls. They also touch on the ecosystem of tools being built, including Queue schemas and a Go SDK, and how new people can get involved.

Chapters:
00:00 Welcome music + promo clip
00:22 Introductions
02:17 What is Gemara and what problem does it address?
03:58 Why do we need a model for GRC engineering?
05:50 The seven-layer structure of Gemara
07:40 How Gemara connects to other open source projects
10:14 Tools available to help with Gemara model adoption
11:39 How to get involved in the Gemara project
13:59 Rapid Fire
16:03 Closing thoughts and call to action

Episode links:
Jenn Power LinkedIn page
Hannah Braswell LinkedIn page
Gemara Website
Blog: Introducing the Gemara Model
Publication: Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment
OpenSSF OSPS Baseline
Finos Common Cloud Controls
Privateer
Cyber Resilience Act (CRA) Brief Guide for OSS Developers
LFEL1001: Understanding the EU Cyber Resilience Act (CRA) (Education/Training)
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

February 10, 2026 · Episode 6 · 17 min

AIxCC Part 4 – Cyber Reasoning Systems: The Real-World Journey After AIxCC

In this final episode of our AI Cyber Challenge (AIxCC) series, CRob and Jeff Diecks wrap up the journey from DARPA's groundbreaking two-year competition to the exciting collaborative phase happening now. Discover how winning teams are taking their AI-powered vulnerability detection systems into the real world, finding actual bugs in projects like the Linux kernel and CUPS. Learn about the innovative OSS-CRS project that aims to create a standard infrastructure for mixing and matching the best components from different systems, and hear valuable lessons about how to responsibly introduce AI-generated security findings to open source maintainers. The competition may be over, but the real work—and collaboration—is just beginning.

This episode is part 4 of a four-part series on AIxCC:
AIxCC part 1: From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney
AIxCC part 2: From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs
AIxCC part 3: Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC

Chapters:
00:00 - Welcome and Introduction to AIxCC
01:37 - OpenSSF's AI Security Mission: Two Lenses
03:54 - Competition Highlights: What the Teams Discovered
07:43 - Real-World Impact: From Research to Production
10:44 - Lessons Learned: Working with Open Source Maintainers
13:13 - OSS-CRS: Building a Standard Infrastructure
14:29 - Breaking Down Walls: Post-Competition Collaboration
15:39 - How to Get Involved

Episode links:
Jeff Diecks LinkedIn page
Christopher “CRob” Robinson LinkedIn page
AI Cyber Challenge (AIxCC)
OSS-CRS Project
OpenSSF AI/ML Security Working Group
Cyber Reasoning Systems Special Interest Group (Slack)
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

February 10, 2026 · Episode 5 · 23 min

AIxCC Part 3 - Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC

In the final episode of our AI Cyber Challenge (AIxCC) series, CRob sits down with Michael Brown, Principal Security Engineer at Trail of Bits, to discuss their runner-up cybersecurity reasoning system, Buttercup. Michael shares how their team took a hybrid approach - combining large language models with conventional software analysis tools like fuzzers - to create a system that exceeded even their own expectations. Learn how Trail of Bits made Buttercup fully open source and accessible to run on a laptop, their commitment to ongoing maintenance with prize winnings, and why they believe AI works best when applied to small, focused problems rather than trying to solve everything at once.

This episode is part 3 of a four-part series on AIxCC:
AIxCC part 1: From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney
AIxCC part 2: From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs
AIxCC part 4: Cyber Reasoning Systems: The Real-World Journey After AIxCC

Chapters:
00:04 - Introduction & Welcome
00:12 - About Trail of Bits & Open Source Commitment
03:16 - Buttercup: Second Place in AIxCC
04:20 - The Hybrid Approach Strategy
06:45 - From Skeptic to Believer
09:28 - Surprises & Vindication During Competition
11:36 - Multi-Agent Patching Success
14:46 - Post-Competition Plans
15:26 - Making Buttercup Run on a Laptop
18:22 - The Giant Check & DEF CON
18:59 - How to Access Buttercup on GitHub
21:37 - Enterprise Deployment & Community Support
22:23 - Closing Remarks

Episode links:
Michael Brown’s LinkedIn page
AI Cyber Challenge (AIxCC)
Trail of Bits
Buttercup GitHub Repo
OpenSSF AI/ML Security Working Group
Cyber Reasoning Systems Special Interest Group (Slack)
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn
