What's in the SOSS? An OpenSSF Podcast

On this episode of "What's in the SoSS," Yesenia Yser sits down with Justin Cappos, NYU professor and self-described "OG software supply chain guy" who's been working in this space since 2002. Justin reveals why most universities fail to teach fundamental security practices—from MFA to code signing—and how his groundbreaking software supply chain security course is creating some of the top 500 most qualified professionals in the world. We discuss the challenges of keeping curriculum current in a rapidly evolving field, the "throw them in the deep end" approach to teaching open source collaboration, and Justin's vision for transforming security education across institutions nationwide through the Linux Foundation's Academic Computing Acceleration Program.Episode links:Justin Cappos NYU Professor PageNYU Tandon School of EngineeringLinux Foundation Academic Computing AccreditationOpenSSF EducationCNCF Tag SecurityGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedInChapters00:24 - Introduction & Guest Welcome01:49 - The SolarWinds Effect02:01 - Aligning with Linux Foundation's Academic Program04:06 - Critical Gaps in Traditional CS Education06:35 - Teaching Open Source Culture10:45 - Career Impact & Student Success13:52 - Adapting to AI & Rapid Industry Change16:30 - Vision for the Next 5-10 Years19:52 - Rapid Fire Round20:52 - Final Advice & Closing

Jay White, a key figure in Microsoft's open source ecosystem, shares his journey from risk assessments to AI and community building. He discusses the importance of model signing and transparency in AI, highlighting his work with the OpenSSF and Coalition for Secure AI. White addresses the challenges of cultural representation in AI systems and encourages community involvement in open source security efforts. He emphasizes continuous learning and the need for standardization in AI supply chains, making a compelling case for collaboration in this evolving field.

In this engaging discussion, Stephanie Domas, Chief Security Officer at Canonical, delves into the pressing challenges of open source, including the complexities of third-party security patching and the implications of the EU Cyber Resilience Act. She highlights the importance of SBOMs and the risks posed by software sovereignty and geographic code restrictions. Domas also emphasizes the need for transparency in building trust and addresses the dangers of relying on single maintainers. Join her call to action for collaborative solutions in the OpenSSF!

Ben Cotton, Open Source Community Lead at Kusari, and Eddie Knight, Security Compliance Specialist at Sonatype, dive into the Open Source Project Security Baseline. They discuss how this baseline provides a framework for enhancing software security and simplifying requirements for maintainers. The GUAC case study showcases its real-world application, while the importance of documentation in securing software deployment is emphasized. Future directions focus on improving tooling and community engagement, allowing for continued refinement and increased confidence in open source projects.

In this engaging discussion, Seth Larson, a Security Developer in Residence at the Python Software Foundation and an esteemed open source maintainer, shares his journey from managing urllib3 to becoming a security leader. He emphasizes the crucial role of public documentation in shaping security practices. Seth explores how to support maintainers technically and emotionally while fostering trust in the community. He discusses the importance of collaborating with academic circles and shares his approach to making security more accessible. Plus, he reveals his fondness for retro Nintendo games!

In this episode of “What’s In The SOSS,” Yesenia interviews David A. Wheeler, the Director of Open Source Supply Chain Security at the Linux Foundation. They discuss the importance of secure software development, particularly in the context of AI and machine learning. David shares insights from his extensive experience in the field, emphasizing the need for both education and tools to ensure security. The conversation also touches on common misconceptions about AI, the relevance of digital badges for developers, and the structure of a new course aimed at teaching secure AI practices. David highlights the evolving nature of software development and the necessity for continuous learning in this rapidly changing landscape.Chapters: 00:00 Introduction to Open Source and Security02:31 The Journey to Secure AI and ML Development08:28 Understanding AI's Impact on Software Development12:14 Myths and Misconceptions about AI in Security18:24 Connecting AI Security to Open Source and Closed Source20:29 The Importance of Digital Badges for Developers24:31 Course Structure and Learning Outcomes28:18 Final Thoughts on AI and Software SecurityEpisode links:David A. Wheeler’s LinkedIn pageSecure AI/ML-Driven Software Development (LFEL1012)OpenSSF EducationGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedIn

John Amaral, the founder of Root.io and an expert in open source container security, discusses the revolution in vulnerability management driven by AI technologies. He explains the shift from traditional scanning to a 'fix first' approach, enhancing developer efficiency and security. Amaral highlights how AI tools democratize coding, making it accessible while managing evolving threats in containerized environments. He advocates for 'shift out' practices, where agents take on maintenance burdens, allowing developers to focus on innovation.

In this engaging discussion, Kate Stewart, a prominent figure at the Linux Foundation and expert in safety-critical open source, shares her unique journey from Motorola manager to open source advocate. She explains the evolution of Software Bill of Materials (SBOMs) and how they enhance security in software development. Kate also highlights the Zephyr project's dedication to security, detailing its achievement as a gold-level OpenSSF exemplar. Listeners will gain insights into regulatory challenges, contributing to open source, and navigating the complexities of licensing.

Join David Hook, VP of Software Engineering at KeyFactor, and Tomas Gustavsson, Chief PKI Officer with 30 years of cryptography experience, as they tackle the urgent migration to post-quantum cryptography. They explain the quantum threat and why the financial sector is spearheading this transition. Practical tips for assessing current systems, enhancing crypto agility, and the vital need for high entropy in secure key generation are discussed. Plus, enjoy a fun rapid-fire Q&A showcasing their chemistry and insights!

In this episode of "What's in the SOSS," we welcome back Sarah Evans, Distinguished Engineer at Dell Technologies and a key figure in the OpenSSF's AI/ML working group. Sarah discusses the critical work being done to extend secure software development practices to the rapidly evolving field of AI. She dives into the AI Model Signing project, the groundbreaking MLOps white paper developed in partnership with Ericsson, and the crucial work of identifying and addressing new personas in AI/ML operations. Tune in to learn how OpenSSF is shaping the future of AI security and what challenges and opportunities lie ahead.Episode Chapters:0:00 Welcome and Introduction to Sarah Evans0:48 Sarah Evans: Role at Dell Technologies and Involvement in OpenSSF1:38 The OpenSSF AI/ML Working Group: Genesis and Goals3:37 Deep Dive: The AI Model Signing Project with Sigstore4:28 AI Model Signing: Benefits for Developers5:20 Transition to the MLSeCOps White Paper5:49 The Mission of the MLSecOps White Paper: Addressing Industry Gaps7:00 Collaboration with Ericsson on the MLEC Ops White Paper8:15 Identifying and Addressing New Personas in AI/ML Ops10:04 The Power of Open Source in Extending Previous Work10:15 Future Directions for OpenSSF's AI/ML Strategy11:21 OpenSSF's Broader AI Security Focus12:08 Sneak Peek: New Companion Video Podcast on AI Security12:31 Sarah's Personal Focus: The Year of the Agents (2025)13:00 Security Concerns: Bringing Together Data Models and Code in AI Applications14:00 Conclusion and ThanksEpisode links:Sarah Evans LinkedIn pageOpenSSF AI/ML Security Working GroupOpenSSF Blog: Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline SecurityOpenSSF Whitepaper: Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline SecurityGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedIn