What's in the SOSS? An OpenSSF Podcast

In this episode of What’s in the SOSS, CRob has an inspiring conversation with Kate Stewart, a Linux Foundation veteran who took an unconventional path into open source as a manager rather than a developer, navigating complex legal challenges to get Motorola's contributions upstream. Now a decade into her tenure at the Linux Foundation, Kate leads critical initiatives in safety-critical open source software, including the Zephyr RTOS project and ELISA, while being instrumental in the evolution of SPDX and Software Bill of Materials (SBOM). She breaks down the different types of SBOMs, explains how the Zephyr project became a security exemplar with gold-level OpenSSF badging, and shares practical insights on navigating the European Union's Cyber Resilience Act (CRA). Whether you're interested in embedded systems, security best practices, or the evolving regulatory landscape for open source, this episode offers valuable perspectives from someone who's been shaping these conversations for years.Episode Chapters:00:00 - Intro Music & Promo Clip00:00- Introduction and Welcome00:42- Kate's Current Work at Linux Foundation02:18- Origin Story: From Motorola Manager to Open Source Advocate06:38- Building Global Open Source Teams and SPDX Beginnings09:45- The Variety of Open Source Contributors10:57- Deep Dive: What is an SBOM and Why It Matters17:05- The Evolution of SBOM Types and Academic Understanding19:21- Cyber Resilience Act and Zephyr as a Security Exemplar26:46- Zephyr's Security Journey: From Badging to CNA Status31:05- Rapid Fire Questions32:19- Advice for Newcomers and Closing ThoughtsEpisode links:Kate Stewart LinkedIn pageZephyr ProjectSPDX (Software Package Data Exchange)ELISA ProjectGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedIn

Join David Hook, VP of Software Engineering at KeyFactor, and Tomas Gustavsson, Chief PKI Officer with 30 years of cryptography experience, as they tackle the urgent migration to post-quantum cryptography. They explain the quantum threat and why the financial sector is spearheading this transition. Practical tips for assessing current systems, enhancing crypto agility, and the vital need for high entropy in secure key generation are discussed. Plus, enjoy a fun rapid-fire Q&A showcasing their chemistry and insights!

In this episode of "What's in the SOSS," we welcome back Sarah Evans, Distinguished Engineer at Dell Technologies and a key figure in the OpenSSF's AI/ML working group. Sarah discusses the critical work being done to extend secure software development practices to the rapidly evolving field of AI. She dives into the AI Model Signing project, the groundbreaking MLOps white paper developed in partnership with Ericsson, and the crucial work of identifying and addressing new personas in AI/ML operations. Tune in to learn how OpenSSF is shaping the future of AI security and what challenges and opportunities lie ahead.Episode Chapters:0:00 Welcome and Introduction to Sarah Evans0:48 Sarah Evans: Role at Dell Technologies and Involvement in OpenSSF1:38 The OpenSSF AI/ML Working Group: Genesis and Goals3:37 Deep Dive: The AI Model Signing Project with Sigstore4:28 AI Model Signing: Benefits for Developers5:20 Transition to the MLSeCOps White Paper5:49 The Mission of the MLSecOps White Paper: Addressing Industry Gaps7:00 Collaboration with Ericsson on the MLEC Ops White Paper8:15 Identifying and Addressing New Personas in AI/ML Ops10:04 The Power of Open Source in Extending Previous Work10:15 Future Directions for OpenSSF's AI/ML Strategy11:21 OpenSSF's Broader AI Security Focus12:08 Sneak Peek: New Companion Video Podcast on AI Security12:31 Sarah's Personal Focus: The Year of the Agents (2025)13:00 Security Concerns: Bringing Together Data Models and Code in AI Applications14:00 Conclusion and ThanksEpisode links:Sarah Evans LinkedIn pageOpenSSF AI/ML Security Working GroupOpenSSF Blog: Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline SecurityOpenSSF Whitepaper: Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline SecurityGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedIn

In this episode of "What's in the SOSS," Derek Zimmer and Amir Montezari from the Open Source Technology Improvement Fund (OSTIF) discuss their decade-long mission of providing security resources to open source projects. They focus on collaborative, maintainer-centric security audits that help projects improve their security posture through expert third-party reviews, without creating fear or overwhelming developers.Episode Chapters:00:00 Introduction00:22 Podcast Welcome01:04 OSTIF Founders Introduction02:31 OSTIF's Mission and Approach05:28 Relationship Management and Expertise08:01 Evolution of Security Engagement Methods12:15 Making Security Audits Less Intimidating18:00 Rapid Fire Questions20:45 Closing, Call to ActionEpisode links:Derek Zimmer LinkedIn pageAmir Montezary LinkedIn pageOSTIF (Open Source Technology Improvement Fund)Get involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedInJoin us at OpenSSF Community Day Europe Aug 28, 2025

Michael Winser from Alpha Omega highlights the importance of community connections in open-source security. Ulf Riehm, Product Owner at Herrmann Ultraschall, discusses the integration of security into automation using a specialized tech stack. Jonatan Männchen, CISO at the Erlang Ecosystem Foundation, emphasizes compliance with the CRA and fostering a collaborative security culture. Together, they explore how proactive community engagement and transparency can enhance security practices across ecosystems.

Ram Iyengar, OpenSSF's India community representative and former computer science professor, shares his transformative journey into the world of open source security. He discusses the challenges of engaging developers in security practices and the launch of LF India for community building. Ram emphasizes the importance of education and local partnerships in fostering a strong open-source culture. With a mix of technical insights and fun banter, he sheds light on upcoming events and the vibrant, passionate community driving these initiatives.

Tabatha DiDomenico, an open source security engineer and community leader, shares her inspiring journey from a curious techie to a leader at G-Research and BSides Orlando. She discusses the pivotal role of DevRel in fostering vibrant open source ecosystems and the importance of local communities in cybersecurity. Tabatha emphasizes the value of volunteering for networking and shares insights on creating internal open source cultures. This captivating conversation offers practical advice for anyone looking to thrive in the open source world.

In this episode of What's in the SOSS, we sit down with longtime open source leader and DevOps champion Tracy Ragan. From her early days with the Eclipse Foundation to her current work with Ortelius, the Continuous Delivery Foundation, and the OpenSSF, Tracy shares her journey through the ever-evolving world of open source security.We dig into the importance of configuration management, what DevSecOps really means, and how projects like the OpenSSF Scorecard and Ortelius help make our software supply chains more transparent and secure. Plus, we tackle the education gap between security pros and DevOps engineers—and how we can bridge it.If you're curious about building more secure pipelines or just want to geek out about SBOMs and Scorecard, this episode is for you.Chapters:00:25 – Welcome + Tracy's Open Source Origin Story02:00 – Early Days at the Eclipse Foundation03:10 – DevOps + DevSecOps: Why It Matters04:20 – Explaining the DevOps “Factory Floor”06:00 – DevOps Pipelines as Security Data Engines07:50 – What Is the OpenSSF Scorecard?09:30 – Ortelius: Aggregating DevOps + Security Insights11:20 – The DevOps Budget Problem + Exposing Insecure Packages13:00 – Why DevRel Is Critical for DevOps Security Education15:40 – Crossing the Divide Between DevOps and Security Teams16:10 – 🎉 Rapid Fire: Editors, Mascots & Spicy Food17:30 – Final Call to Action + How to Get InvolvedEpisode links:Tracy Ragan’s LinkedIn pageOrtelius ProjectScorecard ProjectEclipse FoundationCD FoundationGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedIn

In this enlightening and entertaining episode of What's in the SOSS, host Yesenia Yser sits down with DEI strategist, social psychologist, and Star Wars superfan Dr. Eden-Reneé Hayes. From her academic roots to her entrepreneurial journey, Dr. Hayes shares how diversity, equity, inclusion, and accessibility (DEIA) drive sustainable growth—and how she found inspiration for her TED Talk in the wisdom of Yoda. The two discuss the myths around DEIA, how the Jedi Council reflects ideal collaboration, and why unlearning old beliefs is key to progress. Plus, stay for the rapid-fire questions and discover if Dr. Hayes is more Marvel or DC.Chapters:00:00 – Introduction01:30 – Career Journey03:10 – Navigating DEIA in Today’s Landscape07:49 – TED Talk Inspiration: Star Wars & DEI11:31 – The TED Experience13:12 – The TED Talk Message14:38 – Favorite Yoda Quote16:34 – Rapid Fire Round18:37 – Final Thoughts19:10 – OutroEpisode links:Dr. Eden-Reneé Hayes LinkedInDr. Eden-Reneé Hayes Ted Talk: Yoda's Jedi Mind Tricks for Rethinking DEI | TEDxWaldenPondJoin the BEAR Working GroupGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedIn

In this episode of What's in the SOSS, host CRob interviews Clyde Seepersad from the LF Education Department. They discuss Clyde's journey into open source, the role of LF Education in supporting the community, and the importance of cybersecurity education. They also delve into the development of the Global IT Cyber Skills Framework, emphasizing the need for continuous learning and community engagement in the tech industry.Chapters:00:00 Introduction to Open Source and LF Education02:59 Clyde's Journey into Open Source05:54 The Role of LF Education in Open Source09:00 Cybersecurity and the Global IT Cyber Skills Framework11:59 Framework Development and Industry Collaboration15:13 Continuous Learning and Community EngagementEpisode links:Clyde’s LinkedinLinux Foundation TrainingGet involved with the OpenSSFSubscribe to the OpenSSF newsletterFollow the OpenSSF on LinkedIn