
The State of OpenSSL for pyca/cryptography with Alex Gaynor and Paul Kehrer

Published 9 Mar 2026

Duration: 33:34

OpenSSL 3.0 is criticized for increased complexity, performance issues, and insufficient progress in testing and memory safety, sparking debate over its adoption and the need for alternative cryptographic libraries.

Episode Description

Josh talks to Paul Kehrer and Alex Gaynor from the Python Cryptographic Authority. Alex and Paul recently published a statement discussing the challenge...

Overview

The podcast highlights concerns from the Python Cryptographic Authority about OpenSSL 3.0, emphasizing challenges such as increased API complexity, internal code obscurity, performance regression, and stagnation in critical areas like testing and memory safety. The transition to OpenSSL 3.0 is criticized for diverging from user expectations and reflecting broader industry frustrations with its design and implementation. The discussion also notes that alternatives like LibreSSL, BoringSSL, and AWS-LC prioritize different goals, such as simplicity or performance, while exploring how Rust's memory-safe code and efficient parsing could improve cryptographic safety and performance.

The podcast underscores the importance of formal verification to ensure cryptographic reliability and the need for cross-platform consistency in cryptographic APIs. It stresses that long-term improvements in cryptographic libraries must balance usability, security, and performance, avoiding over-reliance on OpenSSL for future advancements like post-quantum cryptography. Collaborative efforts are highlighted as essential to address these challenges and drive sustainable progress in cryptographic software development.

Recent Episodes of Open Source Security

30 Mar 2026 Open Source Security at scale with Michael Wisner

The Alpha Omega Project addresses open-source security by targeting leverage points like Node.js and Python ecosystems, advocating for systemic solutions, dedicated security roles, sustainable funding, and registry infrastructure improvements to counter fragmented practices and downstream risks.

23 Mar 2026 2026 State of the Software Supply Chain with Brian Fox

The State of the Software Supply Chain Report underscores explosive open source growth (10T annual downloads) paired with critical challenges like malware proliferation (1.2M malicious packages), unresolved vulnerabilities (65% unaddressed), infrastructure strain, AI's dual role in risk (hallucinations) and potential (MCP systems), and urgent needs for improved tools, policies, and cost management amid regulatory and scalability pressures.

16 Mar 2026 MCP and Agent security with Luke Hinds

The text explores AI agent security risks like prompt injection and open-source vulnerabilities, emphasizing the No-NO project's kernel-based sandboxing with a deny-by-default model, hardware enclaves, and Rust-driven efficiency, alongside layered defenses, restricted commands, and collaborative efforts to tackle evolving threats like social engineering and insecure coding practices.

2 Mar 2026 Rust coreutils with Sylvestre Ledru

A modern rewrite of Unix command-line tools using Rust aims for memory safety, performance, and maintainability while achieving high compatibility.

23 Feb 2026 Goose and the Agentic AI Foundation with Brad Axen

The development and application of AI tools, such as Goose AI, in software development is explored, highlighting challenges and opportunities in using AI-generated code and the evolving role of developers.
