
The State of OpenSSL for pyca/cryptography with Alex Gaynor and Paul Kehrer

Published 9 Mar 2026

Duration: 33:34

OpenSSL 3.0 is criticized for increased complexity, performance issues, and insufficient progress in testing and memory safety, sparking debate over its adoption and the need for alternative cryptographic libraries.

Episode Description

Josh talks to Paul Kehrer and Alex Gaynor, from the Python Cryptographic Authority. Alex and Paul recently published a statement discussing the challenge...

Overview

The podcast highlights concerns from the Python Cryptographic Authority about OpenSSL 3.0, emphasizing challenges such as increased API complexity, internal code obscurity, performance regression, and stagnation in critical areas like testing and memory safety. The transition to OpenSSL 3.0 is criticized for diverging from user expectations and reflecting broader industry frustrations with its design and implementation. The discussion also notes that alternatives like LibreSSL, BoringSSL, and AWS-LC prioritize different goals, such as simplicity or performance, while exploring how Rust's memory-safe code and efficient parsing could enhance cryptographic safety and performance.

The podcast underscores the importance of formal verification to ensure cryptographic reliability and the need for cross-platform consistency in cryptographic APIs. It stresses that long-term improvements in cryptographic libraries must balance usability, security, and performance, avoiding over-reliance on OpenSSL for future advancements like post-quantum cryptography. Collaborative efforts are highlighted as essential to address these challenges and drive sustainable progress in cryptographic software development.

Recent Episodes of Open Source Security

11 May 2026 Open source is critical infrastructure with Kat Cosgrove

Maintaining open source infrastructure is critical to prevent security risks from neglected projects, highlighting the need for sustainable funding, corporate collaboration beyond financial support, and systemic reforms to address coordination challenges, dependency fragility, and vulnerabilities.

4 May 2026 How to actually test a disaster plan with David Bernstein

A three-part disaster recovery framework emphasizing simplicity, clear roles, and collaboration, utilizing structured testing via HSEEP, real-world validation, and continuous improvement through exercises, while addressing pitfalls and balancing realism with psychological safety.

27 Apr 2026 Open Source Pledge with Vlad-Stefan Harbuz

Challenges in open source sustainability include undervaluing maintainers, dependency tracking issues, fragmented tooling, burnout, governance flaws, and paradoxical tool sustainability, necessitating financial support, sustainable governance, and collective action for long-term project viability.

20 Apr 2026 Building a plan for disaster with David Bernstein

Adaptive emergency management and disaster recovery demand dynamic strategies, structured frameworks like ISO 22301/NIST, cyclical preparedness, stress testing, stakeholder alignment, and resilience through collaboration and continuous learning to tackle evolving digital and physical risks.

13 Apr 2026 Open Source Malware with Paul McCarty

Open Source Malware (OSM) addresses the gap in detecting intentional malicious open-source components by cataloging threats, de-obfuscating code, extracting indicators of compromise, and providing post-incident data, while tackling challenges like persistent malicious packages, limitations of traditional tools against interpreted languages, fragmented collaboration, AI risks, and the need for improved CI/CD security, audit tools, and balanced AI-human oversight.
