
Josh Bressers

@josh.bressers.name

Mostly on Mastodon - VP of Security at Anchore - Open Source Security https://opensourcesecurity.io - Hacker History http://hackerhistory.com - He/Him

323 Followers  |  450 Following  |  140 Posts  |  Joined: 20.10.2024  |  1.6506

Latest posts by josh.bressers.name on Bluesky

EU Regulations will change everything with Daniel Thompson In this episode, we dive into the Product Liability Directive and Cyber Resilience Act with Daniel Thompson, CEO of Crab Nebula. The EU’s new legislative framework impacts manufacturers in ways we don...

I talked to Daniel Thompson-Yvetot on the latest episode of #OpenSourceSecurity

The main topic was the coming regulation for software developers. While there are carve outs for open source projects, what counts as an open source project isn't as clear as I thought it was.

28.07.2025 16:22 — 👍 0    🔁 0    💬 0    📌 0
Open source microprocessors with Jan Pleskac In this episode Jan Pleskac, CEO and co-founder of Tropic Square, shares insights on the challenges and innovations in creating open and auditable hardware. While most hardware is very closed, Tropic ...

This #OpenSourceSecurity episode I chatted with Jan Pleskac from Tropic Square about open source microprocessors

I learned an incredible amount about how this all works, what Tropic Square is trying to do, and what we can start to expect in the future

21.07.2025 14:36 — 👍 0    🔁 0    💬 0    📌 0
Package URLs with Philippe Ombredanne I’m joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages. We dive into how PURLs ...

I chatted with Philippe Ombredanne about Package URLs, or PURLs. He created them, so he knows a thing or two.

We do complain about CPE quite a bit :)

But it's a really hard problem. It feels like a package identifier should be easy, but it's way harder than you think it is.

24.06.2025 17:55 — 👍 0    🔁 0    💬 0    📌 0
Hobbyist Maintainers with Thomas DePierre Thomas DePierre joins Open Source Security to discuss the central idea from his blog post, “You are all on the hobbyist maintainers turf now,” exploring the massive disconnect between the corporate wo...

#OpenSourceSecurity chats with @Di4na@hachyderm.io about his blog post explaining hobbyist open source maintainers

Whatever you think you know about open source, you're going to learn something from this one

16.06.2025 13:40 — 👍 1    🔁 0    💬 0    📌 0
STIG automation with Aaron Lippold I chat with Aaron Lippold, creator of MITRE’s Security Automation Framework (SAF), to discuss how to escape the pain of manual STIG compliance. We explore the technical details of open-source tools li...

This episode of #OpenSourceSecurity I chat with Aaron Lippold from MITRE about #STIG automation (it's one big open source project)

STIG has historically been incredibly difficult

Thanks to #FedRAMP it's getting more attention than ever before and the work Aaron has been doing makes it a lot easier

09.06.2025 14:21 — 👍 1    🔁 0    💬 0    📌 0
Ecosyste.ms with Andrew Nesbitt I recently chatted with Andrew Nesbitt about his project, Ecosyste.ms. Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more. With this dataset Andrew is...

This week #OpenSourceSecurity chats with @andrewnez.bsky.social about Ecosyste.ms

Ecosyste.ms is a massive collection of data about open source

It's an amazingly useful collection of data. If you're doing anything that needs information about open source you should check it out

02.06.2025 17:58 — 👍 4    🔁 1    💬 0    📌 0
Curl vs AI with Daniel Stenberg Daniel Stenberg, the maintainer of Curl, discusses the increase in AI security reports that are wasting the time of maintainers. We discuss Curl’s new policy of banning the bad actors while establishi...

I chatted with @daniel.haxx.se about #Curl and the recent #AI happenings

It's always fun talking to Daniel, and I think there's a lot of good ideas in this one, especially on how to approach AI fueled contributions that aren't slop. And even suggestions on how to deal with slop contributions :)

27.05.2025 16:46 — 👍 9    🔁 3    💬 1    📌 0
Repository signing with Kairo De Araujo I recently had a chat with Kairo about a project he maintains called Repository Service for TUF (RSTUF). We explain why TUF is tough (har har har), what RSTUF can do, and some of the challenges around...

I spoke with Kairo De Araujo about signing package repositories with RSTUF. It's one of those topics that's incredibly hard and I learn so much anytime I chat with an expert

Just because you're using a package mirror doesn't mean you shouldn't think about signing the artifacts

19.05.2025 15:22 — 👍 1    🔁 0    💬 0    📌 0
Obfuscated JavaScript in Phishing Kits While sorting phishing kits this morning, I discovered a clever use of JavaScript to hide an infostealer.

Obfuscated JavaScript in Phishing Kits technicaloutcast.com...

16.05.2025 17:09 — 👍 6    🔁 1    💬 0    📌 0
Securing GitHub Actions with William Woodruff William Woodruff discussed his project, Zizmor, a security linter designed to help developers identify and fix vulnerabilities within their GitHub Actions workflows. This tool addresses inherent secur...

I chatted with @yossarian.net about securing GitHub Actions with Zizmor

I learned a ton, and given all the recent news about GitHub Actions, everyone should be looking at Zizmor

opensourcesecurity.io/2025/2025-05...

12.05.2025 14:50 — 👍 2    🔁 2    💬 0    📌 0
BTS #49 - The Hidden Risks of Open Source Components - Eclypsium | Supply Chain Security for the Modern Enterprise In this episode, Paul Asadoorian and Josh Bressers delve into the complexities of open source supply chain security, discussing the prevalence of open source components in modern software, the challen...

I had the opportunity to join @paulasadoorian.bsky.social on the @eclypsium.bsky.social podcast to talk about open source and that whole supply chain thing

It was a fun chat and Paul is always a great host

eclypsium.com/podcasts/bts...

07.05.2025 00:44 — 👍 2    🔁 0    💬 0    📌 0

This was fun, make sure you check it out!

06.05.2025 14:32 — 👍 2    🔁 1    💬 0    📌 0
Embedded Security with Paul Asadoorian Recently, I had the pleasure of chatting with Paul Asadoorian, Principal Security Researcher at Eclypsium and the host of the legendary Paul’s Security Weekly podcast. Our conversation dove into the o...

This episode of #OpenSourceSecurity I talk with @paulasadoorian.bsky.social about embedded security, but with an open source twist

It's open source all the way down. And old open source quite often. It's a really fun discussion, I learned a lot!

opensourcesecurity.io/2025/2025-05...

05.05.2025 16:21 — 👍 1    🔁 1    💬 0    📌 1
tj-actions with Endor Lab's Dimitri Stiliadis Dimitri Stiliadis, CTO from Endor Labs, discusses the recent tj-actions/changed-files supply chain attack, where a compromised GitHub Action exposed CI/CD secrets. We explore the impressive multi-stag...

This episode of #OpenSourceSecurity I chat with Dimitri Stiliadis of @endorlabs.bsky.social about the tj-actions/changed-files backdoor

Endor did some great research into how many repos were affected and we cover some of the background on this attack. It's way weirder than you can imagine

28.04.2025 14:58 — 👍 2    🔁 1    💬 0    📌 0
Trust, Transparency, & the Future of the CVE Program When the cybersecurity community learned that the contract for MITRE’s operation of the CVE Program—the system that assigns standardized identifiers for publicly known software vulnerabilities—was at ...

Jen Easterly had some words to say about the CVE Foundation

www.linkedin.com/pulse/trust-...

26.04.2025 00:06 — 👍 2    🔁 0    💬 0    📌 0
What's happening with CVE I’m not a super expert in all this, but I know enough to be dangerous. If I make any mistakes, please let me know (there are many ways to contact me listed in the “Contact” menu). I will clearly mark ...

It's been a week since CVEmageddon

I try to answer some questions about the funding, what happened, and what could happen next

opensourcesecurity.io/2025/04-cve-...

#CVE #cybersecurity

23.04.2025 22:45 — 👍 3    🔁 1    💬 0    📌 0
Syft, Grype, and Grant with Alan Pope I chat with Alan Pope about the open source security tools Syft, Grype, and Grant. These tools help create Software Bills of Materials (SBOMs) and scan for vulnerabilities. Learn why generating and st...

I was a guest on the Open Source Security podcast with @josh.bressers.name, chatting about @syftproject.bsky.social , @grypeproject.bsky.social and other @anchore.com #opensource stuff.

opensourcesecurity.io/2025/2025-04...

21.04.2025 13:19 — 👍 4    🔁 2    💬 1    📌 0

It's always amusing when I tell someone to search for "buffer overflow" on GitHub and it returns a ton of things

20.04.2025 11:54 — 👍 0    🔁 0    💬 0    📌 0
Can we trust CVE? If you are a security nerd, and even if you’re not, you probably heard about the epic CVE mess that happened. It’s a very long story and was covered in many places, but the TL;DR was the funding for C...

I did some digging this evening into a few of the things that have emerged to fill the #CVE gap. It was much less inspiring than I had hoped it would be

opensourcesecurity.io/2025/04-can-...

19.04.2025 01:27 — 👍 2    🔁 1    💬 2    📌 0
Join the Extended Vulnerability Community Discord Server! Check out the Extended Vulnerability Community community on Discord - hang out with 465 other members and enjoy free voice and text chat.

@josh.bressers.name created a Discord server to discuss the situation: discord.gg/gSCrXxMuPx

16.04.2025 14:19 — 👍 1    🔁 1    💬 0    📌 0

I don’t think it’s a scam, but it’s not the best way to build trust

16.04.2025 12:33 — 👍 0    🔁 0    💬 0    📌 0

No names or details. Cool, cool

16.04.2025 10:17 — 👍 0    🔁 0    💬 1    📌 0
CVE for EOL with Aaron Frost Aaron Frost explores the overly complex world of vulnerability identifiers for end of life software. We discuss how incomplete CVE reporting creates blind spots for users while arming attackers with k...

I had a chat with Aaron Frost from @hero.dev about #EOL and #CVE. It's a surprisingly complicated topic

If you're unsure an old version is affected, should you assume it is or isn't affected by a vulnerability?

opensourcesecurity.io/2025/2025-04...

14.04.2025 13:49 — 👍 1    🔁 1    💬 0    📌 0
Why I didn't go to VulnCon VulnCon 2025 is over. I didn’t go. A bunch of people have asked me why, and rather than keep my answer to a small group, I thought it would make sense to write something public about it all. The TL;DR...

I've had a bunch of people ask me why I wasn't at #VulnCon, so I wrote a blog post about it

TL;DR - I don't think VulnCon should exist

Follow me for more security hot takes

opensourcesecurity.io/2025/04-why-...

11.04.2025 15:36 — 👍 1    🔁 2    💬 0    📌 0
Ecosystem Funds is Generally Available

**Today Open Source Collective and ecosyste.ms are launching Funds supporting 291 Open Source Ecosystems. Unsurprisingly, we call them Ecosystem Funds.**

A few, short weeks before the holidays we announced Ecosystem Funds; a collaboration between Open Source Collective and ecosyste.ms that makes it easier to support your critical software dependencies.

### What are Ecosystem Funds?

Using billions of data points from ecosyste.ms we’ve packaged millions of the most critical open source components into a few hundred Funds centred on a language, framework, or package, turning a process that can take months into a five minute conversation with your CTO.

### What have we been up to?

We launched with a $67,500 commitment from Sentry to the Rust, Python, Django and Javascript Ecosystems. We’ve since distributed over 80% of the funds in 375 individual payments to 136 projects. We’ve sent money to projects on GitHub Sponsors, Patreon, BuyMeACoffee, Ko-fi, and of course Open Collective. We contacted hundreds of maintainers, asking them to update their ‘funding.yml’ so anyone could support them; for those who didn’t we paid maintainers directly, again through Open Collective. We’re hoping to distribute the remaining funds this month, which is why we’re launching Ecosystem Funds to the general public today.

### How does it work?

Once again for those in the back: Sponsor the technology you depend upon, we’ll do the rest. Find an ecosystem using our search and donate a single or recurring sponsorship. We handle everything else. We’ll direct your money (minus a 10% management fee) to maintainers, using the tools they have chosen to manage their finances. We allocate 100% of the donations in every fund with a balance of $1,000 or more, on a monthly basis. Every donation and payment is traceable through both Ecosystem Funds and Open Collective.

Donations can be made directly through funds.ecosyste.ms or, if you have an account, on Open Collective. Companies who wish to make a large donation, or start a Fund of their own, can request an Invoice from Open Source Collective — who are already an approved vendor to most large open-source-supporting organisations.

### What’s next?

While we’re launching with nearly three hundred Funds we’re certain that we’ll have missed more than a few ecosystems around your favourite framework, tool, or package, and we’re happy to add them. Just get in touch and we’ll do some data wrangling to add it — note that we’re not going to include a Fund for just the projects you work on, that’s what GitHub Sponsors is for. We’re also hugely aware of the limitations of our approach. We’re missing all the standards bodies, documentation projects, and foundations who support open source outside of the dependency graph. We’re also missing domain-specific Funds; there’s no climate, marine, aviation, or space-exploration based Funds to support. To address this we’ll be building ways for communities (and corporations) to package their own Ecosystem Fund, and support it.

### … Just one more thing

While building a service to support thousands of the most critical software components might be enough for some, it’s not for us. Over the coming months we’ll be building a tool to track all your open source ‘investments’, to better understand the impact your money is having on the projects you depend on most.

Ecosystem Funds is Generally Available https://blog.ecosyste.ms/2025/04/04/ecosystem-funds-ga.html

07.04.2025 17:19 — 👍 10    🔁 10    💬 0    📌 2

cargo-semver-checks has a *security* impact on Rust too.

Make version upgrades less painful, and people upgrade more! No more "we got hacked because we were running 5 year old unpatched software." More on this in the podcast 👇

07.04.2025 14:11 — 👍 8    🔁 2    💬 0    📌 0
cargo-semver-checks with Predrag Gruevski Cargo Semver Checks is a Rust tool by Predrag Gruevski that is tackling the problem of broken dependencies that cost developers time when trying to upgrade dependencies. Predrag’s work shows how autom...

This episode of #OpenSourceSecurity talks to @predr.ag about cargo-semver-checks

it's a #Rust tool that can help you figure out if you broke #semver

We also touch on the difficulty of detecting breaking changes, sustainable open source, and what's to come for semver checking

07.04.2025 13:37 — 👍 3    🔁 0    💬 0    📌 1
Distributed CI and Git with Lars Wirzenius I got to chat with Lars about a new CI/CD system he’s been working on called Ambient. It sounds really cool and does some very clever things today, with even more things planned in the future. We also...

I spoke with Lars Wirzenius on #OpenSourceSecurity about two really cool projects he's working on

Ambient is a distributed CI/CD system written in Rust

Radicle is a distributed Git Forge

It's a really fun chat and I learned a lot

opensourcesecurity.io/2025/2025-03...

31.03.2025 13:31 — 👍 7    🔁 4    💬 0    📌 0
Home - Hacker History Podcast Hacker History: Explore where it all began, interviews with retro hackers, the pioneers and forefathers of yesteryear. The true old school hackers amongst our societies have an unquenchable thirst for...

You should totally tell your story on the @cyphercon.bsky.social hacker history podcast!

hackerhistory.com

I’ll hook you up with some contact info at the show

30.03.2025 22:48 — 👍 2    🔁 0    💬 1    📌 0
