What's in the SOSS? An OpenSSF Podcast

Teaching the Next Generation: Software Supply Chain Security in Academia with Justin Cappos

Dec 16, 2025
Justin Cappos, a professor at NYU and a pioneer in software supply chain security, discusses his innovative course that prepares students for in-demand roles. He reveals the critical gaps in traditional CS education, including the lack of crucial security practices. Justin emphasizes the importance of immersing students in open source collaboration to build essential skills. He also shares insights on adapting curriculum to keep pace with rapid AI advancements and envisions widespread accreditation through the Linux Foundation to enhance security education across academia.
AI Snips
ANECDOTE

Early Career In Supply Chain Security

  • Justin Cappos describes himself as an "OG software supply chain guy" who started in 2002 and built practical tools like in-toto and sigstore with students.
  • He says the field was lonely before SolarWinds made supply chain security mainstream and more active.
INSIGHT

Balance Fundamentals And Current Tools

  • Justin explains that software supply chain topics evolve so quickly that professors must balance fundamentals with very current practical tools.
  • He stresses teaching fundamental sea changes rather than transient vendor features to keep curricula relevant.
INSIGHT

Critical Gaps In University Curricula

  • Many universities rarely teach basic security practices like MFA, code review policies, code signing, SBOMs, and attestations.
  • The Linux Foundation's academic program aims to standardize these core, industry-relevant topics for wider curriculum adoption.