Open Source Security

Josh welcomes back David Bernstein to talk about creating a disaster recover plan. It's a very timely topic given all the current events. There are more supply chain attacks and compromises than ever before. There are some great resources for this planning, but as David tells us, it's really not that hard to put some plans together. It's easy to over-plan, David gives some great tips on getting started with our planning for an eventual incident.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-04-disaster-planning-david-bernstein/

Josh talks to Paul McCarty of Open Source Malware about ... open source malware. Paul explains why there aren't many good open source malware datasets. We discuss why the existing data is lacking for many use cases. We of course touch on AI and the malware in skills problems and challenges. It's a fun discussion with a lot of new and interesting problems we all have to deal with.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-04-open-source-malware-paul-mccarty/

Josh welcomes back Andrew Nesbitt to discuss some recent blog posts he wrote about the challenges of new ecosystems as well as challenges of no ecosystems like C. There aren't very many people who look at multiple ecosystems in the way Andrew does. He has thoughts on why it's so hard to create a new ecosystem as well as some of the reasons we don't see a C language ecosystem. Andrew has a ton of interesting ideas and insight for us about both existing, new, and nonexistent ecosystems.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-04-ecosystems-andrew/

Josh talks to Michael Winser about a talk he gave at FOSDEM as well as his work on Alpha Omega at the Linux Foundation. Michael is approaching open source security in a way that nobody has ever tried before. What if we could fund some really big, really hard projects? It's not cheap or easy, but he's getting it done. We spend a lot of the time discussing package registries, which are a huge topic. Michael is doing some amazing work helping package registries which is the first step in a very long journey.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-03-michael-winser/

Josh chats with Brian Fox from Sonatype about their 2026 State of the Software Supply Chain report. Most of the number continue to grow at alarming rates, but there's some new interesting findings in this one. We discuss end of life and open source which is tough to define. We touch on what using AI with open source dependencies looks like (and why it's broken), and we discuss the challenge of upgrading your open source dependencies in a way that doesn't break everything. It's a great report and great discussion.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-03-SOTSSC-Brian-Fox/