More Open Source Security episodes


2026 State of the Software Supply Chain with Brian Fox

Published 23 Mar 2026

Duration: 35:48

The State of the Software Supply Chain Report underscores explosive open source growth (10T annual downloads) paired with critical challenges like malware proliferation (1.2M malicious packages), unresolved vulnerabilities (65% unaddressed), infrastructure strain, AI's dual role in risk (hallucinations) and potential (MCP systems), and urgent needs for improved tools, policies, and cost management amid regulatory and scalability pressures.

Episode Description

Josh chats with Brian Fox from Sonatype about their 2026 State of the Software Supply Chain report. Most of the numbers continue to grow at alarming ra...

Overview

The podcast discusses Sonatype's long-running State of the Software Supply Chain Report (SSCR), which has tracked trends and challenges in the open source ecosystem over 11 years. Key trends include growing awareness of open source reliance in the 2010s, the rise of SBOMs (Software Bills of Materials) for transparency, and the increasing prevalence of malware in open source packages, now reaching 1.2 million malicious components annually. Stakeholders also highlight concerns about end-of-life (EOL) components, which persist despite awareness, and the unsustainable costs of maintaining public registries like Maven Central, which face $510 million in annual operational expenses without adequate funding.

Open source usage has surged, with 9.8 trillion downloads in 2023 alone, surpassing Google search volume, but this growth strains infrastructure and creates challenges in managing software waste, such as unused code and "intentional garbage" in repositories. Malware volume is doubling yearly, while AI tools introduce new risks, including versioning errors and slop squatting, where attackers exploit AI-generated project names. The NVD (National Vulnerability Database) remains underfunded, with 65% of open source vulnerabilities unaddressed, and data quality issues in public databases exacerbate security risks.

The report underscores the need for improved vulnerability management, SBOM adoption, and funding models for registries to address scalability and sustainability. Case studies like Log4Shell reveal persistent gaps in patch adoption, even after high-profile vulnerabilities. While AI tools offer potential solutions, they also introduce risks like hallucinations and misaligned recommendations, necessitating human oversight or hybrid systems like Model Control Protocols (MCP) to refine AI-driven decisions. The industry faces ongoing challenges in balancing security, innovation, and the growing complexity of managing open source dependencies at scale.

Recent Episodes of Open Source Security

22 Jun 2026 Packagist and Composer security with Jordi Boggiano

Strategies for securing open-source ecosystems include malware detection via third-party feeds, transparency logs, rapid incident response, blocking malicious downloads, private registry controls, immutable package releases, standardized workflows, MFA enforcement, and technical proposals like artifact validation and build attestation, while addressing challenges like maintainer hacking, AI risks, usability trade-offs, and the need for ecosystem-wide alignment and human verification.

15 Jun 2026 Sustaining Open VSX with Mike and Thabang

Eclipse Foundation's OpenVSX, a VS Code extension repository, surged to 600M monthly downloads, evolved to a commercial model with enterprise SLAs and security teams, while addressing scalability, open-source balance, and funding challenges for AI expansion.

8 Jun 2026 Hacking your CI/CD with Francois Proulx

Critical vulnerabilities in open source CI/CD pipelines, including hijacking and supply chain attacks via social engineering or compromised builds, are highlighted through incidents like TJ Actions and Ultralytics, with mitigation strategies emphasizing secure credentials, externalized workflows, threat modeling, and tools like *Smoked Meat* and *Bagel* to enhance incident response and supply chain security.

1 Jun 2026 Open source verification with Sal Kimmich

Cybersecurity challenges include complex application ecosystems, overlooked kernel vulnerabilities, supply chain risks, and systemic risks from under-resourced organizations prioritizing surface-level controls, alongside calls for regulatory reforms, proactive threat modeling, secure development practices, and addressing tribal nations' unique legal and sovereignty concerns.

25 May 2026 Vulnerability disclosure with Casey Ellis

The evolution of vulnerability disclosure highlights challenges in prioritizing critical issues, outdated legal frameworks, and the role of initiatives like Disclosed.io in standardizing policies, alongside AI's impact on detection, open-source risks, triage complexities, and the need for collaboration and transparency to address systemic security barriers.
