What's in the SOSS? An OpenSSF Podcast
What's in the SOSS? features the sharpest minds in security as they dig into the challenges and opportunities that create a recipe for success in making software more secure.
Get a taste of all the ingredients that make up secure open source software (SOSS) and explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessments.
Each episode of What's in the SOSS? is packed with valuable insight designed to foster collaboration and promote stronger security practices for the open source software community.
About Christopher Robinson (aka CRob), host
CRob is a 43rd level Dungeon Master and a 26th level Securityologist. He is a leader within several Open Source Security Foundation (OpenSSF) efforts and is a frequent speaker on cyber, application, and open source security. He enjoys hats, herding cats, and moonlit walks on the beach.
What's in the SOSS? An OpenSSF Podcast
Sonatype’s Brian Fox and the Perplexing Phenomenon of Downloading Known Vulnerabilities
Brian Fox is Co-founder and Chief Technology Officer at Sonatype, bringing over 28 years of hands-on experience driving software development for organizations of all sizes, from startups to large enterprises.
A recognized figure in the Apache Maven ecosystem and a longstanding member of the Apache Software Foundation, Brian has played a crucial role in creating popular plugins like the maven-dependency-plugin and maven-enforcer-plugin. His leadership includes overseeing Maven Central, the world's largest repository of open-source Java components, which recently surpassed a trillion downloads annually.
As a Governing Board member for the Open Source Security Foundation, Brian actively contributes to advancing cybersecurity. Working with other industry leaders, he helped create The Open Source Consumption Manifesto, urging organizations to elevate their awareness of the Open Source Software (OSS) components they use.
- 00:57 Brian shares his background
- 03:56 The confusing trend of people downloading assets on Maven with known vulnerabilities
- 08:16 How this trend continues in other repos
- 11:08 Brian and CRob discuss Log4Shell
- 16:54 Brian answers CRob’s rapid-fire questions
- 18:46 Brian’s advice for up-and-coming security professionals
- 19:50 Brian’s call to action
Episode links: