Best Josh Stenberg Podcasts (2025)

1
STIG automation with Aaron Lippold 33:28

12h ago33:28

33:28

I chat with Aaron Lippold, creator of MITRE's Security Automation Framework (SAF), to discuss how to escape the pain of manual STIG compliance. We explore the technical details of open-source tools like InSpec, Heimdall, and Vulcan that automate validation, normalize diverse security data, and streamline the entire security authoring process. The s…

1
Ecosyste.ms with Andrew Nesbitt 35:38

6d ago35:38

35:38

I recently chatted with Andrew Nesbitt about his project, Ecosyste.ms. Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more. With this dataset Andrew is able to incredible insights into the world of open source. We chat all about how Ecosyste.ms works and how he manages to wrangle all this data. The s…

1
Curl vs AI with Daniel Stenberg 34:23

15d ago34:23

34:23

Daniel Stenberg, the maintainer of Curl, discusses the increase in AI security reports that are wasting the time of maintainers. We discuss Curl's new policy of banning the bad actors while establishing some pretty sane AI usage guidelines. We chat about how this low-effort, high-impact abuse pattern is a denial-of-service attack on the curl projec…

1
Repository signing with Kairo De Araujo 33:29

22d ago33:29

33:29

I recently had a chat with Kairo about a project he maintains called Repository Service for TUF (RSTUF). We explain why TUF is tough (har har har), what RSTUF can do, and some of the challenges around securing repositories. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-05-rstuf-with-kairo-de-a…

1
Securing GitHub Actions with William Woodruff 31:50

29d ago31:50

31:50

William Woodruff discussed his project, Zizmor, a security linter designed to help developers identify and fix vulnerabilities within their GitHub Actions workflows. This tool addresses inherent security risks in GitHub Actions, such as injection vulnerabilities, permission issues, and mutable tags, by providing static analysis and remediation guid…

1
Embedded Security with Paul Asadoorian 34:24

1M ago34:24

34:24

Recently, I had the pleasure of chatting with Paul Asadoorian, Principal Security Researcher at Eclypsium and the host of the legendary Paul's Security Weekly podcast. Our conversation dove into the often-murky waters of embedded systems and the Internet of Things (IoT), sparked by a specific vulnerability discussion on Paul's show concerning refer…

1
tj-actions with Endor Lab's Dimitri Stiliadis 32:39

1M ago32:39

32:39

Dimitri Stiliadis, CTO from Endor Labs, discusses the recent tj-actions/changed-files supply chain attack, where a compromised GitHub Action exposed CI/CD secrets. We explore the impressive multi-stage attack vector and the broader often-overlooked vulnerabilities in our CI/CD pipelines, emphasizing the need to treat these build systems with produc…

1
Syft, Grype, and Grant with Alan Pope 31:04

2M ago31:04

31:04

I chat with Alan Pope about the open source security tools Syft, Grype, and Grant. These tools help create Software Bills of Materials (SBOMs) and scan for vulnerabilities. Learn why generating and storing SBOMs is crucial for understanding your software supply chain and quickly responding to new threats like Log4Shell. The show notes and blog post…

1
CVE for EOL with Aaron Frost 30:00

2M ago30:00

30:00

Aaron Frost explores the overly complex world of vulnerability identifiers for end of life software. We discuss how incomplete CVE reporting creates blind spots for users while arming attackers with knowledge. The conversation uncovers the ethical tensions between resource constraints and security transparency, highlighting why the "vulnerable unti…

1
cargo-semver-checks with Predrag Gruevski 33:35

2M ago33:35

33:35

Cargo Semver Checks is a Rust tool by Predrag Gruevski that is tackling the problem of broken dependencies that cost developers time when trying to upgrade dependencies. Predrag's work shows how automated checks can catch breaking changes before they're released, potentially saving projects from unexpected failures and making dependency updates les…

1
Distributed CI and Git with Lars Wirzenius 27:27

2M ago27:27

27:27

Lars Wirzenius discusses his innovative CI/CD system Ambient, which uses isolated virtual machines without network access to enhance security, and his work on Radicle, a peer-to-peer Git collaboration platform. Together, these projects offer a glimpse into a more distributed future for software development, addressing key challenges in current CI/C…

1
FIDO authentication with William Brown 29:26

3M ago29:26

29:26

William Brown tells us all about how confusing and complicated the FIDO authentication universe is. He talks about WebAuthn implementation challenges to flaws in the FIDO metadata service that affect how hardware tokens are authenticated against. The conversation covers the spectrum of hardware security key quality, attestation mechanisms, and the …

1
CRA with Luis Villa 25:46

3M ago25:46

25:46

In this episode, open source legal expert Luis Villa breaks down what the EU's Cyber Resilience Act means for developers and businesses, exploring carve-outs for individual contributors and the complex relationship between security and sustainability. Luis provides practical guidance on navigating this evolving regulatory landscape while explaining…

1
Open Source Malware with Brian Fox 30:18

3M ago30:18

30:18

Brian Fox discusses findings from a recent Sonatype report about the growing challenge of malicious packages in open source repositories. At the time of recording there are now over 820,000 malware packages in public repositories. Brian explains why certain ecosystems are more vulnerable than others and how behavioral detection methods can identify…

1
Open Source Foundations with Kelley Misata of Suricata 31:45

3M ago31:45

31:45

In this episode Open Source Security talks to Dr. Kelly Masada about the Open Information Security Foundation (OISF). The way OISF is managing Suricata through a foundation is super interesting. There are a lot of lessons in this one for both open source projects and existing open source foundations. The blog post for this episode can be found at h…

1
Forking Open Source Projects with Sheogorath 22:14

4M ago22:14

22:14

In this episode Open Source Security chats with Sheogorath about HedgeDoc project's journey from HackMD to CodiMD and finally to HedgeDoc. We learn what forking a project looks like, including license changes (MIT to AGPL), security vulnerability management across different codebases, naming challenges, and infrastructure migrations. The conversati…

1
Patching EOL Open Source with Aaron Frost 22:53

4M ago22:53

22:53

In this episode, Open Source Security chats with Aaron Frost, CEO of Hero Devs about the world of maintaining end-of-life open source software. Aaron explains how EOL versions of open source work and how backporting security fixes can help maintaining compliance. In the discussion we cover the "just upgrade" mentality, how backporting works, why it…

1
Why do we keep ignoring CI security with François Proulx 23:38

4M ago23:38

23:38

François Proulx, a supply chain security researcher at Boost Security, discusses how continuous integration (CI) and build pipeline security represents a critical and overlooked hole in our supply chain security. It seems like most supply chain compromises are actually from CI system breaches rather than direct code compromise, yet we seem to obses…

1
Modern day authentication with Marc Boorshtein 26:17

4M ago26:17

26:17

In this discussion with Tremolo Security CTO Marc Boorshtein, we explore what modern day Single Sign-On (SSO) looks like. Everyone likes to talk about zero trust, but how does that work? We talk about some of the history of authentication that got us here, and some technical details on how you should be implementing authentication into your applica…

1
Government Security Requirements with Dick Brooks 19:44

4M ago19:44

19:44

Dick Brooks from Business Cyber Guardian discusses the landscape of federal software security requirements, we discuss frameworks like CISA's Software Acquisition Guide, Secure Software Development Framework, and the EU's Cyber Resilience Act. These regulations impact open source projects differently from commercial vendors, Dick helps explain what…

1
Open Source Maintenance with Gary Kramlich 27:18

5M ago27:18

27:18

In this episode, Gary Kramlich, the lead developer of Pidgin discusses the challenges and strategies of maintaining a 26-year-old open source messaging client.Gary tell us all about how a small team manages technical debt, handles library dependencies, and makes decisions about rewrites versus incremental improvements while supporting a broader ope…

1
Safety vs Security with Thomas Depierre 21:23

5M ago21:23

21:23

In this episode of Open Source Security, Josh welcomes Thomas Depierre, a Site Reliability Engineer and open source maintainer, to discuss the intersection of safety and security. Thomas explains why safety is broader than security. While security often views people as the problem, Thomas explains that people are paradoxically the solution. Nothing…

1
The Future of Open Source Security 4:28

5M ago4:28

4:28

It’s a new year and time for some changes to the opensourcesecurity.io website. It's time to retire the podcast, but that's to make way for something new and hopefully better. You can read the details in the blog post (the audio version is basically the same thing) https://opensourcesecurity.io/posts/2025-01-the_future_of_open_source_security/…

1
Episode 461 - The new NIST password guidance 36:07

5M ago36:07

36:07

Josh and Kurt talk about new NIST password guidance. There's some really good stuff in this new document. Ideas like usability and equity show up (which is amazing). There's more strict guidance against rotating passwords and complex passwords. This new guidance gives us a lot to look forward to. Show Notes Usagi Electric NIST proposes barring some…

1
Episode 460 - Santa's Supply Chain Security 43:29

6M ago43:29

43:29

Josh and Kurt talk about the supply chain of Santa. Does he purchase all those things? Are they counterfeit goods? Are they acquired some other way? And once he has all the stuff, the logistics of getting it to the sleigh is mind boggling. It's all very complex Show Notes Project Gunman

1
Episode 459 - CWE Top 25 List 36:01

6M ago36:01

36:01

Josh and Kurt talk about a CWE Top 25 list from MITRE. The list itself is fine, but we discuss why the list looks the way it does (it's because of WordPress). We also discuss why Josh hates lists like this (because they never create any actions). We finish up running through the whole list with a few comments about the findings. Show Notes 2024 CWE…

1
Episode 458 - FBI endorses E2E encryption 33:43

6M ago33:43

33:43

Josh and Kurt talk about the FBI telling everyone to use end to end encrypted messengers. This is a pretty drastic deviation from messages in the past. The reason for this is it appears the US telephone networks are pwnt beyond repair at this point, which is concerning. The only real solution now is to treat the phone network as untrusted and encry…

1
Episode 457 - The D-Link D-bacle 41:00

6M ago41:00

41:00

Josh and Kurt talk about a serious D-Link security vulnerability in a bunch of end of life products. The crux of the discussion focuses on D-Link, but the reality is almost all consumer gear you plug into the internet is terrible. And there's little hope it will get better anytime soon. Show Notes China has utterly pwned 'thousands and thousands' o…

1
Episode 456 - What if XZ happened to a company? The openness of open source 33:42

7M ago33:42

33:42

Josh and Kurt embark on a thought experiment to discuss how a commercial entity would handle something like the xz incident. It was very specific and difficult to understand. It's easy to claim just because source code being available doesn't matter. But the reality is when source code is needed, it can make a huge difference for everyone working t…

1
Episode 455 - Wordpress plugin security 35:38

7M ago35:38

35:38

Josh and Kurt talk about the way Wordpress vets their plugins. While Wordpress has been in the news lately, they do some clever things to get plugins approved. There's a static analyzer that runs against new submissions. We discuss using static analysis, securing open source, contributing and more. Show Notes Linus Torvalds Lands A 2.6% Performance…

1
Episode 454 - The state of open source with Brian Fox from Sonatype and Donald Fischer from Tidelift 43:13

7M ago43:13

43:13

Josh and Kurt talk to Brian Fox from Sonatype and Donald Fischer from Tidelift about their recent reports as well as open source. There are really interesting connections between the two reports. The overall theme seems to be open source is huge, everywhere, and needs help. But all is no lost! There's some great ideas on what the future needs to lo…

1
Episode 453 - Software Liability 36:28

7M ago36:28

36:28

Josh and Kurt talk about three government activities happening around security. CISA has a request for comment, and an international strategic plan around cybersecurity. These are both good ideas, and hopefully will help drive change. But we also discuss an EU proposal that brings liability rules to software which sounds like a great way to force c…

1
Episode 452 - All about Meshtastic 39:29

7M ago39:29

39:29

Josh and Kurt talk about the Meshtastic open source project. It's a really slick mesh radio system that runs on very cheap radio equipment. This episode isn't very security related (there are a few things), but it is very open source. Show Notes Meshtastic Heltec LoRa 32(V3) Radio 465 Rutgers University Confirmed: Meshtastic and LoRa are dangerous …

1
Episode 451 - Python security with Seth Larson 36:24

8M ago36:24

36:24

Josh and Kurt talk to Seth Larson from the Python Software Foundation about security the Python ecosystem. Seth is an employee of the PSF and is doing some amazing work. Seth is showing what can be accomplished when we pay open source developers to do some of the tasks a volunteer might consider boring, but is super important work. Show Notes Seth …

1
Episode 450 - What's Wrong With WordPress 39:01

8M ago39:01

39:01

Josh and Kurt talk about the current Wordpress / WP Engine mess. In what is certainly a supply chain attack, the Advanced Custom Fields forking. This whole saga is weird and filled with chaos and stupidity. We have no idea how it will end, but we do know that the blog platform you use shouldn't be this exciting. The bad sort of exciting. Show Notes…

1
Episode 449 - The CUPSpocalypse 38:01

8M ago38:01

38:01

Josh and Kurt talk about the recent CUPS issue. The vulnerability itself wasn't all that exciting, but the whole disclosure process was wild. There's a lot to talk about, many things didn't quite go as planned and it all leaked early. Let's talk about why and what it all means. Show Notes CUPS vulnerability Akamai report Wil Wheaton: being a nerd i…

1
Episode 448 - What's wrong with CISA? 34:48

8M ago34:48

34:48

Josh and Kurt talk about a few things that have recently come out of CISA. They seem to be blaming the vendors for a lot of the problems, but there's also not any actionable advice telling the vendors what they should be doing. This feels like the classic case of "just security harder". We need CISA to be leading the way funding and defining securi…

1
Episode 447 - The Tidelift 2024 open source maintainer report 38:52

9M ago38:52

38:52

Josh and Kurt talk about the 2024 Tidelift maintainer report. The report is pretty big and covers a ton of ground. We focus in a few of the statistics that should worry anyone who uses open source. We've known for a while developers are struggling, and the numbers back that up. This one feels like the old "we've tried nothing and we're all out of i…

1
Episode 446 - Researchers took over .MOBI TLD 33:06

9M ago33:06

33:06

Josh and Kurt talk about some security researchers sort of taking over the .MOBI whois server. The story is a bit sensational, but we ask if it really matters? There are a lot of interesting possible attacks, but turning something like this into a good attack is really hard, maybe impossible. The researchers presented the findings in a very reasona…

1
Episode 445 - EPSS with Jay Jacobs 41:12

9M ago41:12

41:12

Josh and Kurt talk to Jay Jacobs about Exploit Prediction Scoring System (EPSS). EPSS is a new way to view vulnerabilities. It's a metric for the likelyhood that a vulnerability will be exploited in the next 30 days. Jay explains how EPSS got to where it is today, how the scoring works, and how we can start to think about including it in our larger…

1
Episode 444 - Open Source and End of Life 37:49

9M ago37:49

37:49

Josh and Kurt talk about Chrome unexpectedly going EOL on Ubuntu 18. Keeping old things alive is really hard to do, and in open source it's becoming more common to just run the latest version rather than trying to keep old versions alive for long periods of time. Show Notes Chrome dumped support for Ubuntu 18.04 – but it'll be back Linus Torvalds t…

1
Episode 443 - The Supply Chain Security Crisis 34:23

10M ago34:23

34:23

Josh and Kurt talk about a story that discusses a story from Black Hat that references supply chains. There's a ton of doom and gloom around our software supply chains and much of the advice isn't realistic. If we want to take this seriously we need to stop obsessing over the little problems and focus on some big problems. Show Notes Black Hat USA …

1
Episode 442 - The foundation of society, TLS certificates are a mess 40:35

10M ago40:35

40:35

Josh and Kurt talk about a few stories around the TLS CA certificate world. It's all pretty dire sounding. There's not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society, everything needs them to function. There's not a lot of positive ideas here, it's mostly a show where Kurt explains to …

1
Episode 441 - Is CWE useful? 33:23

10M ago33:23

33:23

Josh and Kurt talk about CWE. What is it, and why does it matter. We cover some history, some shortcomings, and some ideas on how CWE could be used to make security a lot better. We frame the future discussion around the OWASP top 10 list. We should be putting more effort into removing removing entire classes of vulnerabilities. Show Notes CWE Epis…

1
Episode 440 - "What is open source" talk Josh gave 34:36

10M ago34:36

34:36

Josh and Kurt talk about a presentation Josh recently gave that was supposed to be about how open source works. The talk was the wrong topic for a security crowd, but there's a lot of interesting details in the questions and comments that emerged. It's clear a lot of security people don't really care about the fine details about what open source is…

1
Episode 439 - Where are all the youth in open source? 29:27

11M ago29:27

29:27

Josh and Kurt talk about a story talking about the "graying" of open source. There doesn't seem to be many young people working on open source, but we don't really know why that is. There are many thoughts, but a better question is why should anyone get involved in open source anymore? The world has changed quite a lot since open source was created…

1
Episode 438 - CISA's bad OSS advice vs the Whitehouse good advice 34:52

11M ago34:52

34:52

Josh and Kurt talk about two documents from the US government that discuss open source in very different ways. The CISA document lays out a way to measure open source, but we take issue with the idea of trying to measure which open source projects are "good". The Whitehouse on the other hand takes an approach that is very open source, get involved.…

1
Episode 437 - CocoPods and proper funding for open source 36:50

11M ago36:50

36:50

Josh and Kurt talk about a pretty big bug found in CocoPods ownership. We also touch on a paper that discusses the technical debt that open source should have. We discuss what the long term sustainability of open source. There aren't any good solutions for open source today, but talking about these problems is important, we have to start to underst…

1
Episode 436 - OpenSSH and node-ip - it's all exponential growth 32:10

11M ago32:10

32:10

Josh and Kurt talk about the recent OpenSSH vulnerability and the node-ip project owner taking their project private. They're quasi related in the context of two open source projects handled bugs very differently. The OpenSSH bug isn't really as serious as it seems, but you still want to patch. The node-ip bug is a very different story. The relatio…

1
Episode 435 - polyfill.io - open source is too big to fix 38:50

11M ago38:50

38:50

Josh and Kurt talk about the latest polyfill.io mess. Apparently someone took over a very popular project and started to serve malware. First XZ, now this. What does it mean for open source? We don't have any answers, and it's hard to even talk about this problem because it's so big. The thing is though, even if we can't fix open source, it's here …

Podcasts Worth a Listen

Josh Stenberg Podcasts

Podcasts Worth a Listen

Quick Reference Guide