
What's in the SOSS? An OpenSSF Podcast

Latest episodes

May 6, 2025 • 21min

Showing Up Fully: Meet OpenSSF’s new Community Manager, Stacey Potter

In this special episode of What’s in the SoSS?, we welcome Stacey Potter, the new Community Manager at the Open Source Security Foundation (OpenSSF). Stacey shares her winding journey from managing operations at a vitamin company to becoming a powerful advocate and connector in the open source world. We explore her community-first mindset, her work with CNCF and Platform Engineering Day, and her passion for inclusion and authenticity. Whether you're curious about how to get started in open source or want insight into how community shapes security, this episode is for you.

Chapters:
00:00 – Welcome + Introduction
01:06 – Stacey’s Origin Story in Open Source
03:10 – Discovering Community Management at Weaveworks
04:02 – Projects and Evolution Across CNCF and Beyond
05:44 – Co-Chairing Platform Engineering Day
09:06 – Being Openly Queer in Open Source
13:10 – What Stacey Hopes to Bring to OpenSSF
16:20 – Rapid Fire Round
17:36 – Final Thoughts

Episode links:
Stacey Potter’s LinkedIn page
OpenSSF.org/events
OpenSSF Community Day Japan
OpenSSF Community Day North America
OpenSSF Community Day India
OpenSSF Community Day Europe
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn
Apr 22, 2025 • 25min

Secure Software Starts with Awareness: Education & Open Source with the Council of Daves

In this episode of What’s in the SOSS, host CRob is joined by the “Council of Daves”, Dr. David Wheeler of the OpenSSF and Dave Russo from Red Hat, for a deep dive into the intersection of secure software development and education. From their open source origin stories to the challenges of educating developers and managers alike, this conversation covers key initiatives like the LFD121 course, upcoming resources on the EU Cyber Resilience Act, and how AI is shifting the landscape. Whether you're a developer, manager, or just open source curious, this is your crash course in why security training matters more than ever.

📚 Episode Chapters:
Intro & Meet the Council of Daves (0:16)
Open Source Origin Stories (1:22)
The Role of the Education SIG (4:05)
Why Secure Software Education Is Critical (6:30)
Inside the LFD121 Secure Development Course (8:01)
Training Managers on Secure SDLC Practices (12:24)
Why AI Makes Education More Important, Not Less (13:53)
What’s Next in Security Education: CRA 101 and More (16:04)
Rapid Fire Round: VI vs. EMACS, Tabs or Spaces & Mascots (20:20)
Final Thoughts & Call to Action (22:04)

Episode links:
Dave Russo LinkedIn
David Wheeler LinkedIn
OpenSSF Free Training:
LFD121: Developing Secure Software
LFD125: Security for Software Development Managers
LFEL1001: Understanding the EU Cyber Resilience Act (CRA)
Get involved with the OpenSSF
Subscribe to the OpenSSF Newsletter
Follow the OpenSSF on LinkedIn
Apr 15, 2025 • 11min

Enterprise to Open Source: Steve Fernandez’s Journey to the OpenSSF

In this episode of What’s in the SOSS, we sit down with the OpenSSF’s new General Manager, Steve Fernandez, a seasoned enterprise tech leader whose resumé spans giants like L’Oréal, Coca-Cola, AIG, and Ford. Steve shares his “origin story,” what drew him into the world of open source, and how his decades of experience as a consumer of open source software are shaping his vision for the Foundation.

00:21 – Welcome & Introductions
00:57 – Steve’s Tech Journey
03:13 – Why OpenSSF?
05:02 – The Role of Security & Strategic Vision
08:17 – Rapid Fire & Final Thoughts
Apr 8, 2025 • 18min

JavaScript's Big Footprint: Robin Bender Ginn on Leading OpenJS and Open Source at Scale

Robin Bender Ginn, Executive Director of the OpenJS Foundation, joins us to talk about JavaScript’s massive footprint, the challenges of sustaining critical open source projects, and the importance of security in the web ecosystem. She shares her journey, insights on community-led development, and how OpenJS is building a healthier future for the JavaScript ecosystem.

Learn more and register for JSConf North America: https://events.linuxfoundation.org/jsconf-north-america/register/
Mar 25, 2025 • 17min

Empowering Security: Yesenia Yser on Open Source, AI, and Personal Branding

Yesenia Yser, a cybersecurity expert and open source advocate from Microsoft, shares her inspiring journey from Red Hat to AI security. She discusses blending her passions for cybersecurity and Brazilian jiu-jitsu, including her nonprofit, Lioness Instincts, which empowers women through self-defense and digital security education. Yesenia emphasizes the power of personal branding in tech, advocating for diversity through the BEAR group, and engaging the open source community to mentor new contributors. Tune in for actionable insights!
Mar 11, 2025 • 27min

OpenSSF 2025 MVVSR Overview

CRob is joined by Arun Gupta, Vice President and General Manager of Developer Programs at Intel and OpenSSF Governing Board Chair, and Zach Steindler, Principal Engineer at GitHub, member of the OpenSSF TAC and co-chair of the OpenSSF Security Packages Repository Working Group, to discuss the key lessons learned from open source security in 2024, the importance of the MVVSR (Mission, Vision, Values, Strategy, and Roadmap) framework, and the exciting initiatives planned for 2025. They highlight the growing reliance on open source, the challenges of dependency vulnerabilities, and the need for better security practices in the industry.

Chapters:
03:29 – Key Lessons from Open Source Security in 2024
08:29 – MVSR: Mission, Vision, Strategy, and Roadmap
13:41 – Importance of Strategy and Roadmap in OpenSSF
17:48 – Roadmap Items for Community Collaboration
20:02 – Key Resources and Courses for Developers
22:09 – Exciting Opportunities Ahead for 2025

Episode links:
Arun’s LinkedIn
Zach’s LinkedIn
2024 Annual Report
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn
Jan 7, 2025 • 21min

Kusari’s Michael Lieberman Talks GUAC, SLSA and Securing the Open Source Supply Chain

Michael Lieberman, CTO and co-founder of Kusari, dives into the essential world of supply chain security in open source. He shares his journey from programming to leading security initiatives like SLSA and GUAC. Learn about how maintainers can utilize Software Bill of Materials (SBOM) to tackle dependency management challenges. Michael also offers practical advice for newcomers to cybersecurity, emphasizing community engagement and the importance of diverse participation in enhancing security practices.
Dec 17, 2024 • 17min

Sovereign Tech Agency’s Tara Tarakiyee and Funding Important Open Source Projects

In this episode, CRob talks to Tara Tarakiyee, FOSS technologist at the Sovereign Tech Agency, which supports the development, improvement and maintenance of open digital infrastructure. The Sovereign Tech Agency’s goal is to sustainably strengthen the open source ecosystem, focusing on security, resilience, technological diversity and the people behind the code.

01:42 – Why the Sovereign Tech Fund became the Sovereign Tech Agency
03:59 – The ways the Sovereign Tech Agency supports open source infrastructure initiatives
04:42 – The four criteria for Sovereign Tech Agency funding: prevalence, relevance, vulnerability and public interest
06:51 – Sovereign Tech Agency success stories
09:09 – Plans for the Sovereign Tech Agency in 2025
11:54 – Tara answers CRob’s rapid-fire questions
13:54 – Advice to those entering the open source development or security field
14:55 – Tara’s call to action for listeners

Episode links:
Tara Tarakiyee on LinkedIn
Sovereign Tech Agency homepage
Apply for Sovereign Tech Fund investment
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn
Dec 10, 2024 • 27min

Alpha-Omega’s Michael Winser and Catalyzing Sustainable Improvements in Open Source Security

In this episode, CRob talks to Michael Winser, Technical Strategist for Alpha-Omega, an associated project of the OpenSSF that works with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed, to improve global software supply chain security.

01:00 – Michael shares his origin story into open source
02:09 – How Alpha-Omega came to be
03:48 – Alpha-Omega’s mission is catalyzing sustainable security improvements
05:16 – The four types of investments Alpha-Omega makes to catalyze change
11:33 – Michael expands on his “clean the beach” approach to impacting open source security
16:41 – The 3F framework helps manage upstream dependencies effectively
21:13 – Michael answers CRob’s rapid-fire questions
23:06 – Michael’s advice to aspiring development and cybersecurity professionals
24:44 – Michael’s call to action for listeners

Links
Michael Winser on LinkedIn
Alpha-Omega homepage
OpenSSF on LinkedIn
Subscribe to the OpenSSF newsletter
Get involved with the OpenSSF community
Nov 26, 2024 • 24min

Jack Cable of CISA and Zach Steindler of GitHub Dig Into Package Repository Security

Jack Cable, a senior technical advisor at CISA specializing in open source software security, and Zach Steindler, a principal engineer at GitHub focused on supply chain security, dive into the critical topic of package repository security. They discuss the significance of secure package management in the open-source ecosystem and highlight their recently published best practices guide. Their conversation includes insights on trusted publishing, community engagement for newcomers, and the lighthearted debate on personal tech preferences, showcasing their expertise and camaraderie.
