S3E21: Josh Bressers - Securing Open Source Software

Chris: To start us off, why do you think OSS and the software supply chain are now beginning to get so much attention, despite being widely used for years now?

Chris: When it comes to OSS, any thoughts on how we balance security while also not stifling the innovative creative environment that is the OSS ecosystem?

Nikki: On one of your recent podcast episodes, you discussed how open source can be unfair, whether that's to users or to developers. Can you break that down a little bit for our audience?

Nikki: I think there are a lot of valuable lessons from the past that inform future trends. What would you say some of the top emerging trends are around open-source software - what should we be concerned about today versus a year from now?

Chris: What are your thoughts on the current state of Vulnerability Databases, we know you have some strong opinions and have been involved in an effort titled the Global Security Database with CSA - can you tell us a bit about that and why it is needed?

Chris: Do you think the emerging frameworks such as NIST 800 161 R1, SSDF, SLSA etc. are going in the right direction?

Chris: We couldn't let you go without discussing SBOM. What are your thoughts on the current state and direction of both SBOM and VEX. Do you think this increased level of transparency and granularity of vulnerabilities will be something most organizations can manage successfully?

Nikki: You have 341 episodes of your podcast - can you talk a little bit about why you wanted to get into podcasting? And also if you have any tips or advice for anyone who wants to start their own podcast?

Nikki: One of the major areas I don't hear being discussed around open source software is the 'human factor'. I see the integration of open source software as alleviating some of the mental workloads and information processing for developers and teams, but may also introduce other concerns. How do you feel about the human factor around OSS?