Open Source Security podcast

Episode 455 - Wordpress plugin security

18.11.2024

Open Source Security

0:00

35:38

Josh and Kurt talk about the way Wordpress vets their plugins. While Wordpress has been in the news lately, they do some clever things to get plugins approved. There's a static analyzer that runs against new submissions. We discuss using static analysis, securing open source, contributing and more.

Show Notes

Flere episoder fra "Open Source Security"

Daniel Thompson answers: Does the CRA apply to Santa?
vor 8 Stunden
47:29
Josh welcomes back Daniel Thompson explore the rather silly question of whether Santa Claus needs to be compliant with the Cyber Resilience Act (CRA). This episode was intended to be silly, but it ended up being an incredibly interesting conversation. Daniel explained a great deal about how the CRA works and how it could apply to Santa Claus. The TL;DR is even if he's giving out free stuff, the CRA almost certainly applies. Daniel also fills us in on his book (you can email Josh to enter into a drawing for a copy), and his work on web browsers for the CRA. It's an incredibly informative discussion. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-12-daniel-thompson-santa-cra/
Linux Foundation Europe with Gabriele Columbro
15.12.2025
32:56
Josh has a chat with Gabriele Columbro, Executive Director of the Fintech Open Source Foundation and General Manager of Linux Foundation Europe. We of course discuss the Cyber Resilience Act (CRA), the evolving landscape of open source regulation, and the collaborative efforts of major foundations. Open source is everywhere, but there's also a ton of work to do now. Gabriele has really good insight into where things are today and where they are heading in the future for open source and regulation. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-12-lfeu-gab/
Gå ikke glip af nogen episoder af “Open Source Security” - abonnér på podcasten med gratisapp GetPodcast.
Updating open source dependencies with Jamie Tanna
8.12.2025
29:31
Josh discusses updating open source dependencies with Jamie Tanna. Jamie works on Renovate which gives them a lot of insight into the challenges of keeping your open source updated. We discuss the challenges of semantic versioning, supply chain security, and AI-generated code. If you're new or old to the world of open source dependencies, there's something to learn from this chat. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-12-renovate-jamie
TARmageddon with Alex Zenla
1.12.2025
42:39
Josh discusses the TARmageddon vulnerability with Alex Zenla, CTO of Edera. In this episode, we explore the discovery of the TARmageddon vulnerability. It's especially interesting because it's Rust, but also involves multiple end of life crates. Alex shares the story of how Edera managed to figure all this out (it was not simple). Hard problems are still hard, but there's a lot of lessons in this one. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-12-tarmageddon-alex/
Python Security with Seth Larson
24.11.2025
31:44
In this episode Seth Larson gives us a cornucopia of topics relating to Python security. Seth discusses the Python Software Foundation's decision to reject a significant grant NSF. Diversity is a big deal to python, so this was a no brainier. We discuss the upcoming PyCon US conference, featuring a new security track that fosters collaboration between developers and security experts. Josh is a huge fan of having a security track at developer conferences. And we close on a paper about zip and tar archives Seth wrote. It seems like we should have zip and tar security figured out by now, but we don't. Thankfully Seth is working on it. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-11-python-security-seth-larson/
Linux Vendor Firmware Service with Richard Hughes
17.11.2025
35:46
Josh talks to Richard Hughes about the world of firmware. We cover how Richard's journey from developing the ColorHug led to the creation of the Linux Vendor Firmware Service (LVFS), changing how firmware updates are managed for nearly every Linux user. Updating firmware has always been dicey, and on Linux it used to be impossible. Richard helps us understand how this all works and how we can all help out. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-11-lvfs-richard-hughes/
NPM supply chain attacks with Charlie Eriksen
9.11.2025
34:31
Josh chats with Charlie Eriksen, a security researcher at Aikido Security. We discuss the recent NPM supply chain attacks that affect hundreds of packages. Charlie shares his experiences dealing with recent security breaches, the challenges of maintaining trust in open source software, and the importance of proactive measures to safeguard open source. The rapid pace of change is impacting our security practices and what steps can be taken to foster resilience in the face of evolving threats. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-11-npm-charlie/
Detecting XZ in Debian with Otto Kekäläinen
2.11.2025
31:48
In this episode, Josh and Otto dive into the world of Debian packaging, exploring the challenges of supply chain security and the importance of transparency in open source projects. They discuss Otto's blog post about the XZ backdoor and how it's a nearly impossible attack to detect. Otto does a great job breaking down an incredibly complex problem into understandable pieces. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-11-xz-debian-otto/
Eclipse Foundation SBOMs with Mikael Barbero
20.10.2025
31:15
In this conversation, Josh speaks with Mikael Barbero, head of security at the Eclipse Foundation. They discuss the foundation's role in enhancing the security posture of open source projects, the importance of Software Bill of Materials (SBOMs), and the various security services provided to projects. Mikael explains the challenges and strategies involved in implementing security best practices across a diverse range of projects, as well as the foundation's proactive approach to navigating security regulations and compliance. This is some great security work happening for open source projects. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-10-eclipse-sbom-mikael-barbero/
Actually finding vulnerabilities using AI with Joshua Rogers
13.10.2025
31:35
I chat with Joshua Rogers about a blog post he wrote as well as some bugs he submitted to the curl project. Joshua explains how he went searching for some AI tools to help find security bugs, and found out they can work, if you're a competent human. We discuss the challenges of finding effective tools, the importance of human oversight in triaging vulnerabilities, and how to submit those bugs to open source projects responsibly. It's a very sane and realistic conversation about what AI tools can and can't do, and how humans should be interacting with these things. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-10-ai-joshua-rogers/

Få adgang til hele det store podcastunivers med gratisappen GetPodcast.

Abonnér på dine favoritpodcasts, lyt til episoder offline, og få spændende anbefalinger.

© radio.de GmbH 2025