Dell's Sarah Evans and Lisa Bradley and Ensuring Secure Open Source Software at the Enterprise Level

What's in the SOSS? An OpenSSF Podcast

#Tech #Omkhar Arasaratnam, Open SSF #Omkhar Arasaratnam #Open SSF

26:18

How do you know when it’s time to make your next big career move? With International Women’s Day around the corner, we are excited to feature Avni Patel Thompson, Founder and CEO of Milo. Avni is building technology that directly supports the often overlooked emotional and logistical labor that falls on parents—especially women. Milo is an AI assistant designed to help families manage that invisible load more efficiently. In this episode, Avni shares her journey from studying chemistry to holding leadership roles at global brands like Adidas and Starbucks, to launching her own ventures. She discusses how she approaches career transitions, the importance of unpleasant experiences, and why she’s focused on making everyday life easier for parents. [01:26] Avni's University Days and Early Career [04:36] Non-Linear Career Paths [05:16] Pursuing Steep Learning Curves [11:51] Entrepreneurship and Safety Nets [15:22] Lived Experiences and Milo [19:55] Avni’s In Her Ellement Moment [20:03] Reflections Links: Avni Patel Thompson on LinkedIn Suchi Srinivasan on LinkedIn Kamila Rakhimova on LinkedIn Ipsos report on the future of parenting About In Her Ellement: In Her Ellement highlights the women and allies leading the charge in digital, business, and technology innovation. Through engaging conversations, the podcast explores their journeys—celebrating successes and acknowledging the balance between work and family. Most importantly, it asks: when was the moment you realized you hadn’t just arrived—you were truly in your element? About The Hosts: Suchi Srinivasan is an expert in AI and digital transformation. Originally from India, her career includes roles at trailblazing organizations like Bell Labs and Microsoft. In 2011, she co-founded the Cleanweb Hackathon, a global initiative driving IT-powered climate solutions with over 10,000 members across 25+ countries. She also advises Women in Cloud, aiming to create $1B in economic opportunities for women entrepreneurs by 2030. Kamila Rakhimova is a fintech leader whose journey took her from Tajikistan to the U.S., where she built a career on her own terms. Leveraging her English proficiency and international relations expertise, she discovered the power of microfinance and moved to the U.S., eventually leading Amazon's Alexa Fund to support underrepresented founders. Subscribe to In Her Ellement on your podcast app of choice to hear meaningful conversations with women in digital, business, and technology.…

for ca. et år siden 16:24

MP3•Episode hjem

Sarah sits on the OpenSSF Technical Advisory Council and at Dell’s she has been instrumental in cybersecurity innovation, conducting research within the global CTO R&D organization. Her career spans pivotal roles, including being an enterprise security architect and engaging in Identity and Access Management and IT at prestigious organizations like Wells Fargo and the U.S. Air Force.

Dr. Lisa Bradley is a distinguished cybersecurity expert and visionary leader. She has earned her reputation as a trailblazer in the field of security and vulnerability management. In her current role, she oversees Dell's Product Security Incident Response Team (PSIRT), Bug Bounty Program, SBOM initiative, Dependency Management, and Security Champion and Training Programs.

02:38 How Dell is managing its ingestion and productization of open source software
04:54 The complex task of managing open source software for a company the size of Dell
06:34 The importance of executive support when implementing security initiatives
10:40 Lisa and Sarah answer CRob’s rapid-fire questions
12:40 Lisa and Sarah’s advice to aspiring developers and security professionals
14:12 Lisa and Sarah’s call to action

Episode links:

26 episoder

What's in the SOSS? An OpenSSF Podcast

Dell's Sarah Evans and Lisa Bradley and Ensuring Secure Open Source Software at the Enterprise Level

What's in the SOSS? An OpenSSF Podcast

published for ca. et år siden

Del

MP3•Episode hjem

02:38 How Dell is managing its ingestion and productization of open source software
04:54 The complex task of managing open source software for a company the size of Dell
06:34 The importance of executive support when implementing security initiatives
10:40 Lisa and Sarah answer CRob’s rapid-fire questions
12:40 Lisa and Sarah’s advice to aspiring developers and security professionals
14:12 Lisa and Sarah’s call to action

Episode links:

26 episoder

#Tech #Omkhar Arasaratnam, Open SSF #Omkhar Arasaratnam #Open SSF

Todos os episódios

What's in the SOSS? An OpenSSF Podcast

1
Empowering Security: Yesenia Yser on Open Source, AI, and Personal Branding 17:18

for 5 dage siden17:18

17:18

In this inspiring episode of "What's in the SOSS?", we welcome our new Co-Host, cybersecurity expert and open source advocate Yesenia Yser. Join hosts CRob and Yesenia as they delve into her compelling journey from discovering open source at Red Hat to pioneering AI security at Microsoft. Learn how Yesenia blends her passion for cybersecurity, Brazilian jiu-jitsu, and empowering communities—especially women—to shape her personal brand and advocacy efforts. Don't miss this lively conversation full of actionable insights for anyone interested in cybersecurity, open source communities, and personal growth. Episode Highlights: 00:18 – Introduction to Yesenia Yser 00:55 – Yesenia's open source origin story 03:30 – From cybersecurity professional to jiu-jitsu practitioner 05:56 – Building a personal brand in tech and beyond 09:04 – Advocating diversity in tech through the BEAR group 12:40 – Fun rapid-fire round (VI or Emacs, Coke or Pepsi, favorite open source mascot, spicy vs. mild food, and more) 13:52 – Yesenia joins as new co-host of "What's in the SOSS?" 15:39 – Advice for breaking into open source and cybersecurity Connect with Yesenia: Yesenia Yser on LinkedIn The Lioness Instincts Get Involved with the OpenSSF: Subscribe to the OpenSSF newsletter Join the OpenSSF an upcoming Community Day Watch BEAR Community Office Hours on YouTube…

What's in the SOSS? An OpenSSF Podcast

1
OpenSSF 2025 MVVSR Overview 26:56

for 19 dage siden26:56

26:56

CRob is joined by Arun Gupta, Vice President and General Manager of Developer Programs at Intel and OpenSSF Governing Board Chair, and Zach Steindler, Principal Engineer at Github, a member of the OpenSSF TAC and co-chairs the OpenSSF Security Packages Repository Working Group to discuss the key lessons learned from open source security in 2024, the importance of the MVVSR (Mission, Vision, Values, Strategy, and Roadmap) framework, and the exciting initiatives planned for 2025. They highlight the growing reliance on open source, the challenges of dependency vulnerabilities, and the need for better security practices in the industry. Chapters: 03:29 Key Lessons from Open Source Security in 2024 08:29 MVSR: Mission, Vision, Strategy, and Roadmap 13:41 Importance of Strategy and Roadmap in OpenSSF 17:48 Roadmap Items for Community Collaboration 20:02 Key Resources and Courses for Developers 22:09 Exciting Opportunities Ahead for 2025 Episode links: Arun’s Linkedin Zach’s Linedkin 2024 Annual Report Get involved with the OpenSSF Subscribe to the OpenSSF newsletter Follow the OpenSSF on LinkedIn…

What's in the SOSS? An OpenSSF Podcast

1
Kusari’s Michael Lieberman Talks GUAC, SLSA and Securing the Open Source Supply Chain 21:06

for 12 weeks siden21:06

21:06

CRob is joined by Michael Lieberman, CTO and co-founder of Kusari, about the importance of supply chain security in the open source ecosystem. They discuss Michael's journey in open source, his contributions to projects like SLSA and GUAC and the future of supply chain security. 01:56 - Michael explains how he got into open source 04:10 - The challenges of being a startup within the open source ecosystem 05:38 - Michael digs into his participation with SLSA and GUAC 09:13 - How maintainers can address SBOMs with GUAC 10:56 - Michael’s predictions for supply chain security and dependency management 14:26 - Michael answers CRob’s rapid-fire questions 15:32 - Advice for those entering the cybersecurity or open source development spaces 17:50 - Michael’s call to action Links: Michael Liberman on LinkedIn Kusari homepage GUAC homepage on OpenSSF SLSA homepage on OpenSSF Get involved with the OpenSSF Subscribe to the OpenSSF newsletter Follow the OpenSSF on LinkedIn…

What's in the SOSS? An OpenSSF Podcast

1
Sovereign Tech Agency’s Tara Tarakiyee and Funding Important Open Source Projects 16:47

for 15 weeks siden16:47

16:47

In this episode, CRob talks to Tara Tarakiyee, FOSS technologist at the Sovereign Tech Agency, which supports the development, improvement and maintenance of open digital infrastructure. The Sovereign Tech Agency’s goal is to sustainably strengthen the open source ecosystem, focusing on security, resilience, technological diversity and the people behind the code. 01:42 - Why the Sovereign Tech Fund became the Sovereign Tech Agency 03:59 - The ways the Sovereign Tech Agency supports open source infrastructure initiatives 04:42 - The four criteria for Sovereign Tech Agency funding: prevalence, relevance, vulnerability and public interest 06:51 - Sovereign Tech Agency success stories 09:09 Plans for the Sovereign Tech Agency in 2025 11:54 – Tara answers CRob’s rapid-fire questions 13:54 - Advice to those entering open source development or security field 14:55 - Tara’s call to action for listeners Episode links: Tara Tarayikee on Linkedin Sovereign Tech Agency homepage Apply for Sovereign Tech Fund investment Get involved with the OpenSSF Subscribe to the OpenSSF newsletter Follow the OpenSSF on LinkedIn…

What's in the SOSS? An OpenSSF Podcast

1
Alpha-Omega’s Michael Winser and Catalyzing Sustainable Improvements in Open Source Security 27:15

for 16 weeks siden27:15

27:15

In this episode, CRob talks to Michael Winser, Technical Strategist for Alpha-Omega, an associated project of the OpenSSF that with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code – and get them fixed – to improve global software supply chain security. 01:00 - Michael shares his origin story into open source 02:09 - How Alpha-Omega came to be 03:48 Alpha-Omega’s mission is catalyzing sustainable security improvements 05:16 - The four types of investments Alpha-Omega makes to catalyze change 11:33 - Michael expands on his “clean the beach” approach to impacting open source security 16:41 - The 3F framework helps manage upstream dependencies effectively 21:13 - Michael answers CRob’s rapid-fire questions 23:06 - Michael’s advice to aspiring development and cybersecurity professionals 24:44 - Michael’s call to action for listeners Links Michael Winser on LinkedIn Alpha-Omega homepage OpenSSF on LinkedIn Subscribe to the OpenSSF newsletter Get involved with the OpenSSF community…

What's in the SOSS? An OpenSSF Podcast

1
Jack Cable of CISA and Zach Steindler of GitHub Dig Into Package Repository Security 23:44

for 18 weeks siden23:44

23:44

CRob discusses package repository security with two people who know a lot about the topic. Zach Steindler is a principal engineer at Github, a member of the OpenSSF TAC and co-chairs the OpenSSF Security Packages Repository Working Group. Jack Cable is a senior technical advisor at CISA. Earlier this year, Zach and Jack published a helpful guide of best practices called “Principles for Package Repository Security.” 00:48 - Jack and Zach share their backgrounds 02:59 - What package repositories are and why they’re important to open source users 04:17 - The positive impact package security has on downstream users 07:06 - Jack and Zach offer insight into the "Prinicples for Package Repository Security" document 11:18 - Future endeavors of the Securing Software Repositories Working Group 17:32 - Jack and Zach answer CRob’s rapid-fire questions 19:31 - Advice for those entering the industry 21:28 - Jack and Zach share their calls to action Episode links: Zach Steindler on LinkedIn Jack Cable on LinkedIn OpenSSF on LinkedIn Securing Package Repositories Working Group Principles for Package Repository Security document Subscribe to the OpenSSF newsletter Get involved with the OpenSSF community…

What's in the SOSS? An OpenSSF Podcast

1
Red Hat's Rodrigo Freire and the Impact of High-Profile Security Incidents 16:58

for 20 weeks siden16:58

16:58

In this episode, CRob talks to Rodrigo Freire, Red Hat's chief architect. They discuss high-profile incidents and vulnerability management in the open source community. Rodrigo has a distinguished track record of success and experience in several industries, especially high-performance and mission-critical environments in financial services. 01:08 - Rodrigo shares his entry into open source 02:42 - Diving into the specifics of a high-profile incident 06:22 - How security researchers coordinate a response to a high-profile incident 10:33 - The benefits of a vulnerability disclosure program 11:57 - Rodgiro answers CRob's rapid-fire questions 13:43 - Advice for anyone getting into the industry 14:26 - Rodrigo's call to action for listeners 15:53 - The importance of the security community working together Episode links: Rodrigo Freire on LinkedIn Rodrigo's blog on Red Hat's response to the XZ incident discovery Get involved with the OpenSSF community…

What's in the SOSS? An OpenSSF Podcast

1
Canonical’s Stephanie Domas and Security Insight from a Self-Described “Tinkerer” 16:58

for 22 weeks siden16:58

16:58

In this episode, CRob talks to Stephanie Domas, CISO at Canonical, the creators of the popular operating system Ubuntu. Having started her career with over 10 years of ethical hacking, reverse engineering and advanced vulnerability analysis, Stephanie has a deep knowledge and passion for the hacker mindset. 01:14: Stephanie shares how she got her start in security 05:41 Interesting things Stephanie has discovered since becoming more directly involved with open source 08:20 The challenge of instilling trust into those who consume open source 12:42 Stephanie answers CRob’s rapid-fire questions 14:07 Stephanie’s advice to those getting into cybersecurity 15:43 Stephanie’s call to action for listeners Episode links: Stephanie Domas on LinkedIn Canonical homepage White House’s M-22-18 memorandum CISA RSAA Secure Software Development Attestation Form NIST Secure Software Development Framework (SSDF) SP 800-218 Get involved with the OpenSSF community…

What's in the SOSS? An OpenSSF Podcast

1
Intel’s Katherine Druckman and the Impact of Developer Relations 14:23

for 24 weeks siden14:23

14:23

In this episode, CRob discusses the finer points of developer relations (DevRel) with Katherine Druckman, Open Source Evangelist at Intel and co-chair of the OpenSSF Marketing Advisory Council and DevRel Community. Katherine enjoys sharing her passion for a variety of open source topics and is a long-time open source advocate, developer and podcaster. She’s currently the host of Open at Intel and co-host of the FLOSS Weekly and Reality 2.0 podcasts. She spent over a decade at Linux Journal. A passionate Drupalist since she first downloaded a tarball in 2005, she has also been a Drupal contributor and engineer. Additionally, Katherine will be a featured speaker at SOSS Fusion/24 in Atlanta on Oct. 22-23. SOSS Fusion/24 is a collaborative and forward-thinking initiative dedicated to securing open source software. This event will bring together a diverse community of professionals from the public sector, software developers, security engineers to cybersecurity experts, CISOs, CIOs, Founders and tech pioneers. Katherine will be an active participant at SOSS Fusion/24 and will share her insight at the following presentations: Roundtable: Building Developer Confidence in Software Security with the DevRel Community, with Lori Lorusso, Percona; Tabatha DiDomenico, G-Research. Oct 22, 11:30 a.m. Keynote: Fireside Chat with Window Snyder, Founder & CEO, Thistle Technologies, Oct. 23, 9:30 a.m. Keynote: Back to Security Basics: Evaluating, Consuming, and Contributing Open Source Software, Oct. 23, 9:55 a.m. Check out the full schedule for SOSS Fusion/24. 01:42 - Katherine shares her non-traditional journey into open source 03:30 - DevRel’s definition varies, depending on the organization 06:11 - Tips for making connections with developers 08:23 - How DevRel professionals can help integrate security practices and tooling into everyday maintainer activities 09:38 - Katherine answers CRob’s rapid-fire questions 11:05 - Katherine’s belief that all knowledge can be relevant — even if it’s outside of your field 12:23 - Developers and security folks should be working together Episode links: Katherine Druckman on LinkedIn OpenSSF DevRel Community Open at Intel podcast SOSS Fusion/24 Get involved with the OpenSSF community…

What's in the SOSS? An OpenSSF Podcast

1
Dell's Sarah Evans and Lisa Bradley and Ensuring Secure Open Source Software at the Enterprise Level 16:24

for 26 weeks siden16:24

16:24

In this episode, CRob sits down with Sarah Evans, security research technologist at Dell and Lisa Bradley, senior director of product and application security at Dell. They dig into the challenges of implementing secure open software at a complex enterprise. Sarah sits on the OpenSSF Technical Advisory Council and at Dell’s she has been instrumental in cybersecurity innovation, conducting research within the global CTO R&D organization. Her career spans pivotal roles, including being an enterprise security architect and engaging in Identity and Access Management and IT at prestigious organizations like Wells Fargo and the U.S. Air Force. Dr. Lisa Bradley is a distinguished cybersecurity expert and visionary leader. She has earned her reputation as a trailblazer in the field of security and vulnerability management. In her current role, she oversees Dell's Product Security Incident Response Team (PSIRT), Bug Bounty Program, SBOM initiative, Dependency Management, and Security Champion and Training Programs. 02:38 How Dell is managing its ingestion and productization of open source software 04:54 The complex task of managing open source software for a company the size of Dell 06:34 The importance of executive support when implementing security initiatives 10:40 Lisa and Sarah answer CRob’s rapid-fire questions 12:40 Lisa and Sarah’s advice to aspiring developers and security professionals 14:12 Lisa and Sarah’s call to action Episode links: Lisa Bradley on LinkedIn Sarah Evans on LinkedIn Get involved in the OpenSSF community…

What's in the SOSS? An OpenSSF Podcast

1
Bidding Adieu to Omkhar Arasaratnam 20:32

for 28 weeks siden20:32

20:32

In this episode, CRob chats with Omkhar Arasaratnam, who has served as the general manager of the OpenSSF and was co-host of What’s in the SOSS? As Omkhar moves on to the next chapter of his occupational journey, he reflects on his tenure with the OpenSSF, shares his open source origin story and highlights the achievements of the OpenSSF and the tactics he used to engage different stakeholders. Omkhar shares his open source origin story 02:14 - Things Omkhar is proud of during his tenure at the OpenSSF 04:36 - The challenge of keeping myriad stakeholders engaged 07:12 - Areas of open source supply chains that public policymakers and regulators should better understand 09:44 - Some challenges ahead for the open source ecosystem 14:58 - Omkhar answers CRob’s rapid-fire questions 17:57 - Omkhar’s advice for people entering the open source community Links Omkhar Arasaratnam on LinkedIn Get involved with OpenSSF…

What's in the SOSS? An OpenSSF Podcast

1
CoSAI, OpenSSF and the Interesting Intersection of Secure AI and Open Source 22:47

for 29 weeks siden22:47

22:47

Omkhar is joined by Dave LaBianca, security engineering director at Google, Mihai Maruseac, member of the Google Open Source Security Team, and Jay White, security principal program manager at Microsoft. David and Jay are on the Project Governing Board for the Coalition for Secure AI (CoSAI), an alliance of industry leaders, researchers and developers dedicated to enhancing the security of AI implementations. Additionally, Jay — along with Mihai — are leads on the OpenSSF AI/ML Security Working Group. In this conversation, they dig into CoSAI’s goals and the potential partnership with the OpenSSF. 00:57 - Guest introductions 01:56 - Dave and Jay offer insight into why CoSAI was necessary 05:16 - Jay and Mihai explain the complementary nature of OpenSSF's AI/ML Security Working Group and CoSAI 07:21 - Mihai digs into the importance of proving model provenance 08:50 - Dave shares his thoughts on future CoSAI/OpenSSF collaborations 11:13 - Jay, Dave and Mihai answer Omkhar’s rapid-fire questions 14:12 - The guests offer their advice to those entering the field today and their call to action for listeners Links David LaBianca on LinkedIn Mihai Maruseac on LinkedIn Jay White on LinkedIn CoSAI homepage OpenSSF AI/ML Security Working Group homepage Get involved with OpenSSF…

What's in the SOSS? An OpenSSF Podcast

1
GitHub’s Mike Hanley and Transforming the “Dept. of No” Into the "Dept. of Yes, And…” 22:43

for 30 weeks siden22:43

22:43

In this episode, Omkhar chats with Mike Hanley, Chief Security Officer and SVP of Engineering at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. After Duo’s acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco’s cloud security framework and later served as CISO for the company. Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the US Department of Defense and the Intelligence Community. When he’s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and nine kids. 01:21 Mike shares insight into transporting a family of 11 02:02 Mike’s day-to-day at GitHub 03:53 Advice on communicating supply chain risk 08:19 Transforming the “Department of No” into the “Department of Yes And…” 12:44 AI’s potential impact on secure open source software and, specifically, on software supply chains 18:02 Mike answers Omkhar’s rapid-fire questions 19:26 Advice Mike would give to aspiring security or software professionals 20:38 Mike’s call to action for listeners Links Mike Hanley on LinkedIn DARPA AI Cyber Challenge Get involved with the OpenSSF…

What's in the SOSS? An OpenSSF Podcast

1
CISA's Aeva Black and the Public Sector View of Open Source Security 12:13

for 31 weeks siden12:13

12:13

In this episode, Omkhar Arasaratnam visits with Aeva Black, who currently serves as the Section Chief for Open Source Security at CISA, and is an open source hacker and international public speaker with 25 years of experience building open source software projects at large technology companies. She previously led open source security strategy within the Microsoft Azure Office of the CTO, and served on the OpenSSF Technical Advisory Committee, the OpenStack Technical Committee, and the Kubernetes Code of Conduct Committee. In her spare time, Aeva enjoys riding motorcycles up and down the west coast. 01:37- Aeva describes a day in the life at CISA 02:38 - Details on the use of open source in the public sector 04:27 - Why open source needs corporate investment to maintain security 06:20 - Aeva shares what their second year at CISA looks like 07:58 - Aeva answers Omkhar’s rapid-fire questions 09:28 - Advice for people entering the world of security 10:16 - Certs are nice to have, but they aren’t everything 10:42 - Aeva’s call to action for listeners Episode links: Aeva Black on LinkedIn CISA Open Source Security Roadmap Get involved with the OpenSSF community…

What's in the SOSS? An OpenSSF Podcast

1
Google’s Andrew Pollock and Addressing Open Source Vulnerabilities 12:16

for 33 weeks siden12:16

12:16

Episode description: Andrew Pollock is a Senior Software Engineer at Google, currently working on https://osv.dev. With a background as an Enterprise Security Engineer, he has extensive experience in large-scale Linux Systems Administration and GCP Security. Andrew is passionate about the human factors in security, focusing on scalable solutions, great user experiences and self-service opportunities. He has primarily worked in Linux/Unix environments as a Site Reliability Engineer or Security Engineer, with a strong interest in process improvement and automation. 00:52 - Andrew shares his background as a “mid-90s data nerd” 02:31 - Managing vulnerabilities in the open source ecosystem 03:57 - How to navigate inconsistent metadata 06:26 - The challenge of source attribution 07:54 - The rapid-fire round 09:15 - Andrew’s advice to open source developers 10:22 - Andrew’s call to action to developers Episode links: Andrew Pollock on LinkedIn Getting to know the Open Source Vulnerability format OSV.dev Get involved in the OpenSSF community…

What's in the SOSS? An OpenSSF Podcast

1
Rust Foundation’s Bec Rumbul and Succeeding as a “Non-Techie” in a Tech-Heavy Industry 18:28

for 35 weeks siden18:28

18:28

Bec Rumbul is the Executive Director and CEO of the Rust Foundation, a global non-profit that stewards the Rust language, supports maintainers, and ensures that Rust is safe, secure, and sustainable for the future. She holds a PhD in Politics and Governance and has worked as a consultant and researcher with governments, parliaments and development agencies all over the world, advocating for openness and transparency and developing tools to improve digital participation. 02:57 Bec shares her day-to-day activities with the Rust Foundation 04:53 Bec on her sometimes tricky responsibilities during her time at the U.N. 06:35 How Bec communicates the importance of memory safety and Rust with stakeholders 09:47 Surprises related to organizations that are adopting Rust 11:50 Impediments to Rust adoption 13:44 Bec answers Omkhar’s rapid-fire questions 15:49 Advice Bec would give a non-technical person entering a technical field 17:09 Bec’s call to action for listeners Episode links: Bec Rumbul on LinkedIn Rust Foundation homepage Get involved with OpenSSF…

What's in the SOSS? An OpenSSF Podcast

1
Sonatype’s Brian Fox and the Perplexing Phenomenon of Downloading Known Vulnerabilities 22:24

for 37 weeks siden22:24

22:24

Brian Fox is Co-founder and Chief Technology Officer at Sonatype, bringing over 28 years of hands-on experience driving software development for organizations of all sizes, from startups to large enterprises. A recognized figure in the Apache Maven ecosystem and a longstanding member of the Apache Software Foundation, Brian has played a crucial role in creating popular plugins like the maven-dependency-plugin and maven-enforcer-plugin. His leadership includes overseeing Maven Central, the world's largest repository of open-source Java components, which recently surpassed a trillion downloads annually. As a Governing Board member for the Open Source Security Foundation, Brian actively contributes to advancing cybersecurity. Working with other industry leaders, he helped create The Open Source Consumption Manifesto, urging organizations to elevate their awareness of the Open Source Software (OSS) components they use. 00:57 Brian shares his background 03:56 The confusing trend of people downloading assets on Maven with known vulnerabilities 08:16 How this trend continues in other repos 11:08 Brian and CRob discuss Log4Shell 16:54 Brian answers CRob’s rapid-fire questions 18:46 Brian’s advice for up-and-coming security professionals 19:50 Brian’s call to action Episode links: Brian Fox on LinkedIn Sonatype’s 2023 State of the Software Supply Chain Report Get involved with OpenSSF…

What's in the SOSS? An OpenSSF Podcast

1
Arun Gupta and Giving Back to Security Communities 22:02

for 39 weeks siden22:02

22:02

Arun Gupta is vice president and general manager of Open Ecosystem Initiatives at Intel Corporation and the OpenSSF Governing Board Chair. Arun has been an open source strategist, advocate, and practitioner for nearly two decades. He has taken companies such as Apple, Amazon, and Sun Microsystems through systemic changes to embrace open source principles, contribute, and collaborate effectively. On July 9th and 10th, the OpenSSF will attend the 2024 OSPOs for Good symposium hosted by the UN. What’s in the SOSS? co-host Omkhar Arasaratnam and Arun will lead a session called “Engaging the Open Source Community.” Following the symposium on July 11th, attendees are invited to come to a secondary event, What’s Next for Open Source? It will feature a collection of curated workshops to discover how to build and gather the skills you need to move forward with open source. Omkhar is coordinating the security track and presenting opening remarks. Arun will offer closing remarks. 02:13 - Arun’s general outlook on security and life 03:39 - Arun shares his personal background and illustrious career history 09:04 - Comparing the OpenSSF and the Cloud Native Computing Foundation (CNCF) 13:30 - Arun details his work with the United Nations 16:42 - Areas that a lot of security professionals are getting wrong 18:20 - Arun answers Omkhar’s rapid-fire questions 19:08 - Advice Arun would give to aspiring security professionals 20:40 - Arun’s call to action for listeners Episode links OSPOs for Good 2024 What’s Next for Open Source event Arun Gupta’s LinkedIn profile CNCF homepage United Nations Sustainable Development Goals Get involved with OpenSSF…

What's in the SOSS? An OpenSSF Podcast

1
Stacklok's Adolfo García Veytia Digs Into SBOMs and VEX 18:11

for 41 weeks siden18:11

18:11

The world of software bill of materials (SBOMs) is both complex and fascinating. And few people know the SBOM community better than Adolfo García Veytia — aka Puerco — Staff Software Engineer at Stacklok. Puerco is also a Technical Lead with Kubernetes SIG Release specializing in supply chain improvements to the software that drives the automation behind the release process. Puerco is one of the original authors of OpenVEX, an OpenSSF project working towards a minimal implementation of VEX that can be easily embedded and attested. He's also a contributor to the SPDX project and a maintainer of several SBOM OSS tools. He’s passionate about writing software with friends, helping new contributors and amplifying the Latinx presence in the cloud-native community. 01:04 - Puerco shares his background 02:21 - What SBOMs are and why they’re so important 06:42 - An overview of standards in the SBOM space 09:58 - Puerco details his work on VEX projects 14:05 - Puerco enters the rapid-fire portion of the interview 15:06 - Advice Puerco would offer aspiring open source or security professionals 16:12 - Puerco’s call to action for listeners Links Adolfo García Veytia’s LinkedIn page…

What's in the SOSS? An OpenSSF Podcast

1
A Man Called CRob: Introducing the Newest Co-host of What’s in the SOSS? 20:03

for 42 weeks siden20:03

20:03

Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. He also serves as the Open SSF’s Technical Advisory Committee (TAC) Chair. And soon, CRob will step into another role: co-host of What’s in the SOSS? With 25 years of enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the financial, medical, legal, and manufacturing verticals. He also spent six years helping lead the Red Hat Product Security team as their Program Architect. 00:57 - CRob’s day-to-day activities and his affiliation with the OpenSSF 03:15 - The insight CRob will bring to the podcast as co-host 05:46 - What developers writing “post-bang” code should be considering 08:40 - Lessons open source could learn from corporate and vice versa 12:17 - CRob explores the evolution of open source 14:22 - Crob answers Omkhar’s rapid fire questions 15:57 - CRob’s advice to people entering the cybersecurity field 18:18 - CRob’s call to action for listeners: give back Episode links: CRob’s LinkedIn page More content with CRob…

What's in the SOSS? An OpenSSF Podcast

1
OpenAI’s Matt Knight and Exploring the Intersection of AI and Open Source Security 14:58

for 43 weeks siden14:58

14:58

Matt Knight is Head of Security at OpenAI, where he builds IT, privacy and security programs. His teams also collaborate on security research with teams across OpenAI and with the broader security research community. Their goal is to explore the frontier of AI, understand its impacts and maximize its benefits, especially in the cybersecurity domain. 00:40 - Matt’s duties at OpenAI 01:52 - Matt’s accidental journey into cybersecurity 05:18 - The intersection of AI and open source 06:45 - Matt’s thoughts on how AI can help security professionals 08:53 - Details on the AI Cyber Challenge (AIxCC) 10:53 - Matt answers Omkhar’s rapid-fire questions 12:29 - Advice Matt would give to aspiring security professionals 13:00 - Matt’s call-to-cation for listeners Episode links: Matt Knight’s Linkedin page GNU Radio AIxCC Challenge OpenAI Cybersecurity Grant Program…

What's in the SOSS? An OpenSSF Podcast

1
Eric Brewer and the Future of Open Source Security 16:09

for 45 weeks siden16:09

16:09

In this episode, Omkhar talks to Eric Brewer, professor emeritus of computer science at the University of California, Berkeley and vice president of infrastructure at Google. He’s also on the Governing Board of the OpenSSF. His research interests include operating systems and distributed computing. He is known for formulating the CAP theorem about distributed network applications in the late 1990s. 01:15 - Eric discusses his background 03:14 - Improving security in a corporate vs. open source environment 05:58 - Advancements Eric has noticed in open source in recent years 07:17 - How to make software repositories more secure 08:58 - The next big hurdle in open source security 11:12 - Rapid-fire questions: Mild or spicy food? Vim or Emacs? Spaces or tabs? 12:42 - Eric’s advice for aspiring security professionals 14:45 - The importance of being active in security communities Episode links: Eric Brewer’s LinkedIn profile OS3I report…

What's in the SOSS? An OpenSSF Podcast

1
Mark Russinovich and AI’s Impact on Software Engineering and Open Source Software Security 17:29

for 47 weeks siden17:29

17:29

In this episode, Omkhar talks to Mark Russinovich, CTO of Microsoft Azure. Mark oversees the technical strategy and architecture of Microsoft’s cloud computing platform. Mark is also on the Governing Board of the OpenSSF. He’s a widely recognized expert in distributed systems, operating system internals, and cybersecurity. Mark’s also the author of the Jeff Aiken cyberthriller novels Zero Day, Trojan Horse and Rogue Code, and co-author of the Microsoft Press Windows Internals books. 00:36 - Mark on his role at Azure 01:30 - Where AI is headed and its impact on enterprises 04:06 - The task of teaching a machine learning model to unlearn Harry Potter 06:32 - The good and bad of AI hallucinations 10:35 - The promise of more secure open source software via AI 13:05 - Mark answers Omkhar’s “rapid-fire” questions: mild or spicy food, Vim, Emacs or VS Code and tabs or spaces 15:01 - Why aspiring software engineers should still learn to code Episode links: Mark Russinovich’s LinkedIn page Press Release: OpenSSF to Support Darpa on New AI Cyber Challenge (AIxCC)…

What's in the SOSS? An OpenSSF Podcast

1
Christoph Kern and the Challenge of Keeping Google Secure 20:50

for 49 weeks siden20:50

20:50

In this episode, Omkhar talks to Christoph Kern, Principal Software Engineer in Google’s Information Security Engineering organization. Christoph helps to keep Google’s products secure and users safe. His main focus is on developing scalable, principled approaches to software security. 00:42 - Christoph offers a rundown of his duties at Google 01:38 - Google’s general approach to security 03:02 - What Christoph describes as “stubborn vulnerabilities” and how to stop them 06:42 - An overview of Google’s security ecosystem 10:00 - Why memory safety is so important 12:23 - Solving memory safety problems via languages 16:23 - Omkhar’s rapid-fire questions 18:28 - Why Christoph thinks this may be a great time for young professionals to enter the cybersecurity industry Episode links: Blog: Tackling Cybersecurity Vulnerabilities Through Secure by Design Report: Secure by Design: Google’s Perspective on Memory Safety White House Press Release: Future Software Should be Memory Safe Blog: OpenSSF Supports White House’s Efforts to Build More Secure and Measurable Software Research: Developer Ecosystems for Software Safety: Continuous Assurance at Scale…

What's in the SOSS? An OpenSSF Podcast

1
Vincent Danen and the Art of Vulnerability Management 18:36

for 50 weeks siden18:36

18:36

Omkhar talks to Vincent Danen, Vice President of Product Security at Red Hat, which is responsible for security and compliance activities for all Red Hat products and services. He’s also on the Governing Board of the OpenSSF. Vincent has been involved with open source and software security for over 20 years, leading security teams and participating in open source communities and development. Links: Vincent Danen’s LinkedIn page Red Hat Product Security Vulnerability Management OpenSSF Security Toolbelt…

What's in the SOSS? An OpenSSF Podcast

1
What's in the SOSS? Preview 0:38

for 1 year siden0:38