
What's in the SOSS? An OpenSSF Podcast
What's in the SOSS? features the sharpest minds in security as they dig into the challenges and opportunities that create a recipe for success in making software more secure. Get a taste of all the ingredients that make up secure open source software (SOSS) and explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessments. Each episode of What's in the SOSS? is packed with valuable insight designed to foster collaboration and promote stronger security practices for the open source software community.

About Christopher Robinson (aka CRob), host
CRob is a 43rd level Dungeon Master and a 26th level Securityologist. He is a leader within several Open Source Security Foundation (OpenSSF) efforts and is a frequent speaker on cyber, application, and open source security. He enjoys hats, herding cats, and moonlit walks on the beach.
Latest episodes

Apr 15, 2025 • 11min
Enterprise to Open Source: Steve Fernandez’s Journey to the OpenSSF
In this episode of What’s in the SOSS, we sit down with the OpenSSF’s new General Manager, Steve Fernandez, a seasoned enterprise tech leader whose resumé spans giants like L’Oréal, Coca-Cola, AIG, and Ford. Steve shares his “origin story,” what drew him into the world of open source, and how his decades of experience as a consumer of open source software are shaping his vision for the Foundation.
00:21 Welcome & Introductions
00:57 Steve’s Tech Journey
03:13 Why OpenSSF?
05:02 The Role of Security & Strategic Vision
08:17 Rapid Fire & Final Thoughts

Apr 8, 2025 • 18min
JavaScript's Big Footprint: Robin Bender Ginn on Leading OpenJS and Open Source at Scale
Robin Bender Ginn, Executive Director of the OpenJS Foundation, joins us to talk about JavaScript’s massive footprint, the challenges of sustaining critical open source projects, and the importance of security in the web ecosystem. She shares her journey, insights on community-led development, and how OpenJS is building a healthier future for the JavaScript ecosystem.
Learn more and register for JSConf North America: https://events.linuxfoundation.org/jsconf-north-america/register/

Mar 25, 2025 • 17min
Empowering Security: Yesenia Yser on Open Source, AI, and Personal Branding
Yesenia Yser, a cybersecurity expert and open source advocate from Microsoft, shares her inspiring journey from Red Hat to AI security. She discusses blending her passions for cybersecurity and Brazilian jiu-jitsu, including her nonprofit, Lioness Instincts, which empowers women through self-defense and digital security education. Yesenia emphasizes the power of personal branding in tech, advocating for diversity through the BEAR group, and engaging the open source community to mentor new contributors. Tune in for actionable insights!

Mar 11, 2025 • 27min
OpenSSF 2025 MVVSR Overview
CRob is joined by Arun Gupta, Vice President and General Manager of Developer Programs at Intel and OpenSSF Governing Board Chair, and Zach Steindler, Principal Engineer at GitHub, member of the OpenSSF TAC and co-chair of the OpenSSF Security Packages Repository Working Group, to discuss the key lessons learned from open source security in 2024, the importance of the MVVSR (Mission, Vision, Values, Strategy, and Roadmap) framework, and the exciting initiatives planned for 2025. They highlight the growing reliance on open source, the challenges of dependency vulnerabilities, and the need for better security practices in the industry.
Chapters:
03:29 Key Lessons from Open Source Security in 2024
08:29 MVSR: Mission, Vision, Strategy, and Roadmap
13:41 Importance of Strategy and Roadmap in OpenSSF
17:48 Roadmap Items for Community Collaboration
20:02 Key Resources and Courses for Developers
22:09 Exciting Opportunities Ahead for 2025
Episode links:
Arun’s LinkedIn
Zach’s LinkedIn
2024 Annual Report
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

Jan 7, 2025 • 21min
Kusari’s Michael Lieberman Talks GUAC, SLSA and Securing the Open Source Supply Chain
Michael Lieberman, CTO and co-founder of Kusari, dives into the essential world of supply chain security in open source. He shares his journey from programming to leading security initiatives like SLSA and GUAC. Learn about how maintainers can utilize Software Bill of Materials (SBOM) to tackle dependency management challenges. Michael also offers practical advice for newcomers to cybersecurity, emphasizing community engagement and the importance of diverse participation in enhancing security practices.

Dec 17, 2024 • 17min
Sovereign Tech Agency’s Tara Tarakiyee and Funding Important Open Source Projects
In this episode, CRob talks to Tara Tarakiyee, FOSS technologist at the Sovereign Tech Agency, which supports the development, improvement and maintenance of open digital infrastructure. The Sovereign Tech Agency’s goal is to sustainably strengthen the open source ecosystem, focusing on security, resilience, technological diversity and the people behind the code.
01:42 - Why the Sovereign Tech Fund became the Sovereign Tech Agency
03:59 - The ways the Sovereign Tech Agency supports open source infrastructure initiatives
04:42 - The four criteria for Sovereign Tech Agency funding: prevalence, relevance, vulnerability and public interest
06:51 - Sovereign Tech Agency success stories
09:09 - Plans for the Sovereign Tech Agency in 2025
11:54 - Tara answers CRob’s rapid-fire questions
13:54 - Advice to those entering the open source development or security field
14:55 - Tara’s call to action for listeners
Episode links:
Tara Tarakiyee on LinkedIn
Sovereign Tech Agency homepage
Apply for Sovereign Tech Fund investment
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

Dec 10, 2024 • 27min
Alpha-Omega’s Michael Winser and Catalyzing Sustainable Improvements in Open Source Security
In this episode, CRob talks to Michael Winser, Technical Strategist for Alpha-Omega, an associated project of the OpenSSF that works with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed, to improve global software supply chain security.
01:00 - Michael shares his origin story into open source
02:09 - How Alpha-Omega came to be
03:48 - Alpha-Omega’s mission is catalyzing sustainable security improvements
05:16 - The four types of investments Alpha-Omega makes to catalyze change
11:33 - Michael expands on his “clean the beach” approach to impacting open source security
16:41 - The 3F framework helps manage upstream dependencies effectively
21:13 - Michael answers CRob’s rapid-fire questions
23:06 - Michael’s advice to aspiring development and cybersecurity professionals
24:44 - Michael’s call to action for listeners
Links
Michael Winser on LinkedIn
Alpha-Omega homepage
OpenSSF on LinkedIn
Subscribe to the OpenSSF newsletter
Get involved with the OpenSSF community

Nov 26, 2024 • 24min
Jack Cable of CISA and Zach Steindler of GitHub Dig Into Package Repository Security
Jack Cable, a senior technical advisor at CISA specializing in open source software security, and Zach Steindler, a principal engineer at GitHub focused on supply chain security, dive into the critical topic of package repository security. They discuss the significance of secure package management in the open-source ecosystem and highlight their recently published best practices guide. Their conversation includes insights on trusted publishing, community engagement for newcomers, and the lighthearted debate on personal tech preferences, showcasing their expertise and camaraderie.

Nov 12, 2024 • 17min
Red Hat's Rodrigo Freire and the Impact of High-Profile Security Incidents
In this episode, CRob talks to Rodrigo Freire, Red Hat's chief architect. They discuss high-profile incidents and vulnerability management in the open source community. Rodrigo has a distinguished track record of success and experience in several industries, especially high-performance and mission-critical environments in financial services.
01:08 - Rodrigo shares his entry into open source
02:42 - Diving into the specifics of a high-profile incident
06:22 - How security researchers coordinate a response to a high-profile incident
10:33 - The benefits of a vulnerability disclosure program
11:57 - Rodrigo answers CRob's rapid-fire questions
13:43 - Advice for anyone getting into the industry
14:26 - Rodrigo's call to action for listeners
15:53 - The importance of the security community working together
Episode links:
Rodrigo Freire on LinkedIn
Rodrigo's blog on Red Hat's response to the XZ incident discovery
Get involved with the OpenSSF community

Oct 29, 2024 • 17min
Canonical’s Stephanie Domas and Security Insight from a Self-Described “Tinkerer”
In this episode, CRob talks to Stephanie Domas, CISO at Canonical, the creators of the popular operating system Ubuntu. Having started her career with over 10 years of ethical hacking, reverse engineering and advanced vulnerability analysis, Stephanie has a deep knowledge of and passion for the hacker mindset.
01:14 Stephanie shares how she got her start in security
05:41 Interesting things Stephanie has discovered since becoming more directly involved with open source
08:20 The challenge of instilling trust in those who consume open source
12:42 Stephanie answers CRob’s rapid-fire questions
14:07 Stephanie’s advice to those getting into cybersecurity
15:43 Stephanie’s call to action for listeners
Episode links:
Stephanie Domas on LinkedIn
Canonical homepage
White House’s M-22-18 memorandum
CISA RSAA
Secure Software Development Attestation Form
NIST Secure Software Development Framework (SSDF) SP 800-218
Get involved with the OpenSSF community