
What's in the SOSS? An OpenSSF Podcast

Latest episodes

Jan 7, 2025 • 21min

Kusari’s Michael Lieberman Talks GUAC, SLSA and Securing the Open Source Supply Chain

Michael Lieberman, CTO and co-founder of Kusari, dives into the essential world of supply chain security in open source. He shares his journey from programming to leading security initiatives like SLSA and GUAC. Learn about how maintainers can utilize Software Bill of Materials (SBOM) to tackle dependency management challenges. Michael also offers practical advice for newcomers to cybersecurity, emphasizing community engagement and the importance of diverse participation in enhancing security practices.
Dec 17, 2024 • 17min

Sovereign Tech Agency’s Tara Tarakiyee and Funding Important Open Source Projects

In this episode, CRob talks to Tara Tarakiyee, FOSS technologist at the Sovereign Tech Agency, which supports the development, improvement and maintenance of open digital infrastructure. The Sovereign Tech Agency’s goal is to sustainably strengthen the open source ecosystem, focusing on security, resilience, technological diversity and the people behind the code.

01:42 - Why the Sovereign Tech Fund became the Sovereign Tech Agency
03:59 - The ways the Sovereign Tech Agency supports open source infrastructure initiatives
04:42 - The four criteria for Sovereign Tech Agency funding: prevalence, relevance, vulnerability and public interest
06:51 - Sovereign Tech Agency success stories
09:09 - Plans for the Sovereign Tech Agency in 2025
11:54 - Tara answers CRob’s rapid-fire questions
13:54 - Advice to those entering the open source development or security field
14:55 - Tara’s call to action for listeners

Episode links:
Tara Tarakiyee on LinkedIn
Sovereign Tech Agency homepage
Apply for Sovereign Tech Fund investment
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn
Dec 10, 2024 • 27min

Alpha-Omega’s Michael Winser and Catalyzing Sustainable Improvements in Open Source Security

In this episode, CRob talks to Michael Winser, Technical Strategist for Alpha-Omega, an associated project of the OpenSSF that works with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code – and get them fixed – to improve global software supply chain security.

01:00 - Michael shares his origin story into open source
02:09 - How Alpha-Omega came to be
03:48 - Alpha-Omega’s mission is catalyzing sustainable security improvements
05:16 - The four types of investments Alpha-Omega makes to catalyze change
11:33 - Michael expands on his “clean the beach” approach to impacting open source security
16:41 - The 3F framework helps manage upstream dependencies effectively
21:13 - Michael answers CRob’s rapid-fire questions
23:06 - Michael’s advice to aspiring development and cybersecurity professionals
24:44 - Michael’s call to action for listeners

Links
Michael Winser on LinkedIn
Alpha-Omega homepage
OpenSSF on LinkedIn
Subscribe to the OpenSSF newsletter
Get involved with the OpenSSF community
Nov 26, 2024 • 24min

Jack Cable of CISA and Zach Steindler of GitHub Dig Into Package Repository Security

Jack Cable, a senior technical advisor at CISA specializing in open source software security, and Zach Steindler, a principal engineer at GitHub focused on supply chain security, dive into the critical topic of package repository security. They discuss the significance of secure package management in the open-source ecosystem and highlight their recently published best practices guide. Their conversation includes insights on trusted publishing, community engagement for newcomers, and the lighthearted debate on personal tech preferences, showcasing their expertise and camaraderie.
Nov 12, 2024 • 17min

Red Hat's Rodrigo Freire and the Impact of High-Profile Security Incidents

In this episode, CRob talks to Rodrigo Freire, Red Hat's chief architect. They discuss high-profile incidents and vulnerability management in the open source community. Rodrigo has a distinguished track record of success and experience in several industries, especially high-performance and mission-critical environments in financial services.

01:08 - Rodrigo shares his entry into open source
02:42 - Diving into the specifics of a high-profile incident
06:22 - How security researchers coordinate a response to a high-profile incident
10:33 - The benefits of a vulnerability disclosure program
11:57 - Rodrigo answers CRob's rapid-fire questions
13:43 - Advice for anyone getting into the industry
14:26 - Rodrigo's call to action for listeners
15:53 - The importance of the security community working together

Episode links:
Rodrigo Freire on LinkedIn
Rodrigo's blog on Red Hat's response to the XZ incident discovery
Get involved with the OpenSSF community
Oct 29, 2024 • 17min

Canonical’s Stephanie Domas and Security Insight from a Self-Described “Tinkerer”

In this episode, CRob talks to Stephanie Domas, CISO at Canonical, the creators of the popular operating system Ubuntu. Having started her career with over 10 years of ethical hacking, reverse engineering and advanced vulnerability analysis, Stephanie has a deep knowledge of and passion for the hacker mindset.

01:14 - Stephanie shares how she got her start in security
05:41 - Interesting things Stephanie has discovered since becoming more directly involved with open source
08:20 - The challenge of instilling trust into those who consume open source
12:42 - Stephanie answers CRob’s rapid-fire questions
14:07 - Stephanie’s advice to those getting into cybersecurity
15:43 - Stephanie’s call to action for listeners

Episode links:
Stephanie Domas on LinkedIn
Canonical homepage
White House’s M-22-18 memorandum
CISA RSAA
Secure Software Development Attestation Form
NIST Secure Software Development Framework (SSDF) SP 800-218
Get involved with the OpenSSF community
Oct 15, 2024 • 14min

Intel’s Katherine Druckman and the Impact of Developer Relations

In this episode, CRob discusses the finer points of developer relations (DevRel) with Katherine Druckman, Open Source Evangelist at Intel and co-chair of the OpenSSF Marketing Advisory Council and DevRel Community. Katherine enjoys sharing her passion for a variety of open source topics and is a long-time open source advocate, developer and podcaster. She’s currently the host of Open at Intel and co-host of the FLOSS Weekly and Reality 2.0 podcasts. She spent over a decade at Linux Journal. A passionate Drupalist since she first downloaded a tarball in 2005, she has also been a Drupal contributor and engineer.

Additionally, Katherine will be a featured speaker at SOSS Fusion/24 in Atlanta on Oct. 22-23. SOSS Fusion/24 is a collaborative and forward-thinking initiative dedicated to securing open source software. This event will bring together a diverse community of professionals, from public sector staff, software developers and security engineers to cybersecurity experts, CISOs, CIOs, founders and tech pioneers. Katherine will be an active participant at SOSS Fusion/24 and will share her insight at the following presentations:

Roundtable: Building Developer Confidence in Software Security with the DevRel Community, with Lori Lorusso, Percona; Tabatha DiDomenico, G-Research. Oct. 22, 11:30 a.m.
Keynote: Fireside Chat with Window Snyder, Founder & CEO, Thistle Technologies. Oct. 23, 9:30 a.m.
Keynote: Back to Security Basics: Evaluating, Consuming, and Contributing Open Source Software. Oct. 23, 9:55 a.m.

Check out the full schedule for SOSS Fusion/24.

01:42 - Katherine shares her non-traditional journey into open source
03:30 - DevRel’s definition varies, depending on the organization
06:11 - Tips for making connections with developers
08:23 - How DevRel professionals can help integrate security practices and tooling into everyday maintainer activities
09:38 - Katherine answers CRob’s rapid-fire questions
11:05 - Katherine’s belief that all knowledge can be relevant — even if it’s outside of your field
12:23 - Developers and security folks should be working together

Episode links:
Katherine Druckman on LinkedIn
OpenSSF DevRel Community
Open at Intel podcast
SOSS Fusion/24
Get involved with the OpenSSF community
Oct 1, 2024 • 16min

Dell's Sarah Evans and Lisa Bradley and Ensuring Secure Open Source Software at the Enterprise Level

In this episode, CRob sits down with Sarah Evans, security research technologist at Dell, and Lisa Bradley, senior director of product and application security at Dell. They dig into the challenges of implementing secure open source software at a complex enterprise.

Sarah sits on the OpenSSF Technical Advisory Council, and at Dell she has been instrumental in cybersecurity innovation, conducting research within the global CTO R&D organization. Her career spans pivotal roles, including being an enterprise security architect and engaging in Identity and Access Management and IT at prestigious organizations like Wells Fargo and the U.S. Air Force.

Dr. Lisa Bradley is a distinguished cybersecurity expert and visionary leader. She has earned her reputation as a trailblazer in the field of security and vulnerability management. In her current role, she oversees Dell's Product Security Incident Response Team (PSIRT), Bug Bounty Program, SBOM initiative, Dependency Management, and Security Champion and Training Programs.

02:38 - How Dell is managing its ingestion and productization of open source software
04:54 - The complex task of managing open source software for a company the size of Dell
06:34 - The importance of executive support when implementing security initiatives
10:40 - Lisa and Sarah answer CRob’s rapid-fire questions
12:40 - Lisa and Sarah’s advice to aspiring developers and security professionals
14:12 - Lisa and Sarah’s call to action

Episode links:
Lisa Bradley on LinkedIn
Sarah Evans on LinkedIn
Get involved in the OpenSSF community
Sep 17, 2024 • 21min

Bidding Adieu to Omkhar Arasaratnam

In this episode, CRob chats with Omkhar Arasaratnam, who has served as the general manager of the OpenSSF and was co-host of What’s in the SOSS? As Omkhar moves on to the next chapter of his occupational journey, he reflects on his tenure with the OpenSSF, shares his open source origin story and highlights the achievements of the OpenSSF and the tactics he used to engage different stakeholders.

Omkhar shares his open source origin story
02:14 - Things Omkhar is proud of during his tenure at the OpenSSF
04:36 - The challenge of keeping myriad stakeholders engaged
07:12 - Areas of open source supply chains that public policymakers and regulators should better understand
09:44 - Some challenges ahead for the open source ecosystem
14:58 - Omkhar answers CRob’s rapid-fire questions
17:57 - Omkhar’s advice for people entering the open source community

Links
Omkhar Arasaratnam on LinkedIn
Get involved with OpenSSF
Sep 10, 2024 • 23min

CoSAI, OpenSSF and the Interesting Intersection of Secure AI and Open Source

Join Dave LaBianca, security engineering director at Google; Mihai Maruseac from the Google Open Source Security Team; and Jay White from Microsoft for a deep dive into AI security. They discuss the Coalition for Secure AI (CoSAI) and its essential role in enhancing AI security and governance. The trio shares insights on collaboration between CoSAI and the OpenSSF AI/ML Security Working Group, covering vital topics like model provenance and best practices for AI software supply chains. Plus, they serve up rapid-fire fun and invaluable advice for aspiring tech professionals!
