More Open Source Security episodes


2026 State of the Software Supply Chain with Brian Fox

Published 23 Mar 2026

Duration: 35:48

The State of the Software Supply Chain Report underscores explosive open source growth (10T annual downloads) paired with critical challenges like malware proliferation (1.2M malicious packages), unresolved vulnerabilities (65% unaddressed), infrastructure strain, AI's dual role in risk (hallucinations) and potential (MCP systems), and urgent needs for improved tools, policies, and cost management amid regulatory and scalability pressures.

Episode Description

Josh chats with Brian Fox from Sonatype about their 2026 State of the Software Supply Chain report. Most of the numbers continue to grow at alarming ra...

Overview

The podcast discusses Sonatype's long-running State of the Software Supply Chain Report (SSCR), which has tracked trends and challenges in the open source ecosystem for 11 years. Key trends include growing awareness of open source reliance in the 2010s, the rise of SBOMs (Software Bills of Materials) for transparency, and the increasing prevalence of malware in open source packages, now reaching 1.2 million malicious components annually. Stakeholders also highlight concerns about end-of-life (EOL) components, which persist in use despite awareness, and the unsustainable costs of maintaining public registries like Maven Central, which face $510 million in annual operational expenses without adequate funding.

Open source usage has surged, with 9.8 trillion downloads in 2023 alone, surpassing Google search volume, but this growth strains infrastructure and creates challenges in managing software waste, such as unused code and "intentional garbage" in repositories. Malware volume is doubling yearly, while AI tools introduce new risks, including versioning errors and slop squatting, where attackers register the package names that AI tools hallucinate in generated code. The NVD (National Vulnerability Database) remains underfunded, with 65% of open source vulnerabilities unaddressed, and data quality issues in public databases exacerbate security risks.

The report underscores the need for improved vulnerability management, SBOM adoption, and funding models for registries to address scalability and sustainability. Case studies like Log4Shell reveal persistent gaps in patch adoption, even after high-profile vulnerabilities. While AI tools offer potential solutions, they also introduce risks like hallucinations and misaligned recommendations, necessitating human oversight or hybrid systems like Model Control Protocols (MCP) to refine AI-driven decisions. The industry faces ongoing challenges in balancing security, innovation, and the growing complexity of managing open source dependencies at scale.

Recent Episodes of Open Source Security

11 May 2026 Open source is critical infrastructure with Kat Cosgrove

Maintaining open source infrastructure is critical to prevent security risks from neglected projects, highlighting the need for sustainable funding, corporate collaboration beyond financial support, and systemic reforms to address coordination challenges, dependency fragility, and vulnerabilities.

4 May 2026 How to actually test a disaster plan with David Bernstein

A three-part disaster recovery framework emphasizing simplicity, clear roles, and collaboration, utilizing structured testing via HSEEP, real-world validation, and continuous improvement through exercises, while addressing pitfalls and balancing realism with psychological safety.

27 Apr 2026 Open Source Pledge with Vlad-Stefan Harbuz

Challenges in open source sustainability include undervaluing maintainers, dependency tracking issues, fragmented tooling, burnout, governance flaws, and paradoxical tool sustainability, necessitating financial support, sustainable governance, and collective action for long-term project viability.

20 Apr 2026 Building a plan for disaster with David Bernstein

Adaptive emergency management and disaster recovery demand dynamic strategies, structured frameworks like ISO 22301/NIST, cyclical preparedness, stress testing, stakeholder alignment, and resilience through collaboration and continuous learning to tackle evolving digital and physical risks.

13 Apr 2026 Open Source Malware with Paul McCarty

Open Source Malware (OSM) addresses the gap in detecting intentional malicious open-source components by cataloging threats, de-obfuscating code, extracting indicators of compromise, and providing post-incident data, while tackling challenges like persistent malicious packages, limitations of traditional tools against interpreted languages, fragmented collaboration, AI risks, and the need for improved CI/CD security, audit tools, and balanced AI-human oversight.
