What's in the SOSS? An OpenSSF Podcast

Latest episodes

Jun 18, 2024 • 18min

Stacklok's Adolfo García Veytia Digs Into SBOMs and VEX

Adolfo García Veytia, a Staff Software Engineer at Stacklok, delves into the importance of SBOMs, VEX projects, and standards in the software supply chain. He shares insights on open source contributions, communication tools, and advice for aspiring professionals.
Jun 11, 2024 • 20min

A Man Called CRob: Introducing the Newest Co-host of What’s in the SOSS?

Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. He also serves as the OpenSSF’s Technical Advisory Committee (TAC) Chair. And soon, CRob will step into another role: co-host of What’s in the SOSS? With 25 years of enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the financial, medical, legal, and manufacturing verticals. He also spent six years helping lead the Red Hat Product Security team as their Program Architect.

00:57 - CRob’s day-to-day activities and his affiliation with the OpenSSF
03:15 - The insight CRob will bring to the podcast as co-host
05:46 - What developers writing “post-bang” code should be considering
08:40 - Lessons open source could learn from corporate and vice versa
12:17 - CRob explores the evolution of open source
14:22 - CRob answers Omkhar’s rapid-fire questions
15:57 - CRob’s advice to people entering the cybersecurity field
18:18 - CRob’s call to action for listeners: give back

Episode links:
CRob’s LinkedIn page
More content with CRob
Jun 4, 2024 • 15min

OpenAI’s Matt Knight and Exploring the Intersection of AI and Open Source Security

Matt Knight is Head of Security at OpenAI, where he builds IT, privacy and security programs. His teams also collaborate on security research with teams across OpenAI and with the broader security research community. Their goal is to explore the frontier of AI, understand its impacts and maximize its benefits, especially in the cybersecurity domain.

00:40 - Matt’s duties at OpenAI
01:52 - Matt’s accidental journey into cybersecurity
05:18 - The intersection of AI and open source
06:45 - Matt’s thoughts on how AI can help security professionals
08:53 - Details on the AI Cyber Challenge (AIxCC)
10:53 - Matt answers Omkhar’s rapid-fire questions
12:29 - Advice Matt would give to aspiring security professionals
13:00 - Matt’s call to action for listeners

Episode links:
Matt Knight’s LinkedIn page
GNU Radio
AIxCC Challenge
OpenAI Cybersecurity Grant Program
May 21, 2024 • 16min

Eric Brewer and the Future of Open Source Security

Professor Eric Brewer discusses improving security in corporate vs. open source environments, advancements in open source, making software repositories more secure, and the next big hurdle in open source security. He also shares rapid-fire answers about food preferences and tech tools, along with advice for aspiring security professionals.
May 7, 2024 • 17min

Mark Russinovich and AI’s Impact on Software Engineering and Open Source Software Security

In this episode, Omkhar talks to Mark Russinovich, CTO of Microsoft Azure. Mark oversees the technical strategy and architecture of Microsoft’s cloud computing platform. Mark is also on the Governing Board of the OpenSSF. He’s a widely recognized expert in distributed systems, operating system internals, and cybersecurity. Mark’s also the author of the Jeff Aiken cyberthriller novels Zero Day, Trojan Horse and Rogue Code, and co-author of the Microsoft Press Windows Internals books.

00:36 - Mark on his role at Azure
01:30 - Where AI is headed and its impact on enterprises
04:06 - The task of teaching a machine learning model to unlearn Harry Potter
06:32 - The good and bad of AI hallucinations
10:35 - The promise of more secure open source software via AI
13:05 - Mark answers Omkhar’s “rapid-fire” questions: mild or spicy food, Vim, Emacs or VS Code and tabs or spaces
15:01 - Why aspiring software engineers should still learn to code

Episode links:
Mark Russinovich’s LinkedIn page
Press Release: OpenSSF to Support Darpa on New AI Cyber Challenge (AIxCC)
Apr 23, 2024 • 21min

Christoph Kern and the Challenge of Keeping Google Secure

In this episode, Omkhar talks to Christoph Kern, Principal Software Engineer in Google’s Information Security Engineering organization. Christoph helps to keep Google’s products secure and users safe. His main focus is on developing scalable, principled approaches to software security.

00:42 - Christoph offers a rundown of his duties at Google
01:38 - Google’s general approach to security
03:02 - What Christoph describes as “stubborn vulnerabilities” and how to stop them
06:42 - An overview of Google’s security ecosystem
10:00 - Why memory safety is so important
12:23 - Solving memory safety problems via languages
16:23 - Omkhar’s rapid-fire questions
18:28 - Why Christoph thinks this may be a great time for young professionals to enter the cybersecurity industry

Episode links:
Blog: Tackling Cybersecurity Vulnerabilities Through Secure by Design
Report: Secure by Design: Google’s Perspective on Memory Safety
White House Press Release: Future Software Should be Memory Safe
Blog: OpenSSF Supports White House’s Efforts to Build More Secure and Measurable Software
Research: Developer Ecosystems for Software Safety: Continuous Assurance at Scale
Apr 11, 2024 • 19min

Vincent Danen and the Art of Vulnerability Management

Omkhar talks to Vincent Danen, Vice President of Product Security at Red Hat, which is responsible for security and compliance activities for all Red Hat products and services. He’s also on the Governing Board of the OpenSSF. Vincent has been involved with open source and software security for over 20 years, leading security teams and participating in open source communities and development.

Links:
Vincent Danen’s LinkedIn page
Red Hat Product Security Vulnerability Management
OpenSSF Security Toolbelt
Mar 26, 2024 • 38sec

What's in the SOSS? Preview

Omkhar Arasaratnam is the General Manager of the Open Source Security Foundation (OpenSSF) and a veteran cybersecurity and technical risk management executive. Before joining the OpenSSF, he led security organizations at financial and technology institutions, such as Google, JPMorgan Chase, Credit Suisse, Deutsche Bank, TD Bank Group, and IBM. As a seasoned technology leader, Omkhar has revolutionized the effectiveness of secure software engineering, compliance, and cybersecurity controls. He is also an accomplished author and has led contributions to many international standards. In this short preview, Omkhar offers a sneak peek into the coming What's in the SOSS? podcast series.
