Open Source Security

Josh and David finish up the disaster recovery and emergency planning trilogy. In this one David tells us how to test the plan he told us how to build in the last episode. There are some great ideas in this one about how to test the process not the people. How to construct the plan, and even some tips to go from a plan to some actual real world testing. It's another episode filled with great and practical advice.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-05-testing-the-plan-david-bernstein/

Josh has a discussion with Vlad-Stefan Harbuz about the Open Source Pledge as well as his recent FOSDEM talk. The Open Source Pledge is all about trying to build a sustainable universe for open source maintainers. This ties into Vlad's FOSDEM talk which was all about the challenge of just knowing what open source you are using. The importance of trying to make open source sustainable is a really important topic, but it's also a really hard topic. Vlad helps explain all of this as well as some ideas for the solving this in the future.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-04-open-source-pledge-vlad/

Josh welcomes back David Bernstein to talk about creating a disaster recover plan. It's a very timely topic given all the current events. There are more supply chain attacks and compromises than ever before. There are some great resources for this planning, but as David tells us, it's really not that hard to put some plans together. It's easy to over-plan, David gives some great tips on getting started with our planning for an eventual incident.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-04-disaster-planning-david-bernstein/

Josh talks to Paul McCarty of Open Source Malware about ... open source malware. Paul explains why there aren't many good open source malware datasets. We discuss why the existing data is lacking for many use cases. We of course touch on AI and the malware in skills problems and challenges. It's a fun discussion with a lot of new and interesting problems we all have to deal with.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-04-open-source-malware-paul-mccarty/

Josh welcomes back Andrew Nesbitt to discuss some recent blog posts he wrote about the challenges of new ecosystems as well as challenges of no ecosystems like C. There aren't very many people who look at multiple ecosystems in the way Andrew does. He has thoughts on why it's so hard to create a new ecosystem as well as some of the reasons we don't see a C language ecosystem. Andrew has a ton of interesting ideas and insight for us about both existing, new, and nonexistent ecosystems.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-04-ecosystems-andrew/