
Open Source Security at scale with Michael Wisner

Published 30 Mar 2026

Duration: 42:30

The Alpha Omega Project addresses open-source security by targeting leverage points like Node.js and Python ecosystems, advocating for systemic solutions, dedicated security roles, sustainable funding, and registry infrastructure improvements to counter fragmented practices and downstream risks.

Episode Description

Josh talks to Michael Wisner about a talk he gave at FOSDEM as well as his work on Alpha Omega at the Linux Foundation. Michael is approaching open so...

Overview

The podcast discusses the Alpha Omega Project, an initiative founded in 2022 to address open-source security gaps by creating dedicated security roles in key ecosystems like Node.js and Python. Its dual focus, Alpha (identifying leverage points for systemic change) and Omega (scaling solutions), includes staffing security engineers, funding compute resources, and fostering community-wide security initiatives. Success stories include Seth Larson's contributions to Python's security, with ripple effects beyond specific projects. The project aims to normalize security through tooling, staffing, and long-term sustainability strategies, such as maintaining reserve funding and encouraging self-sufficiency in open-source projects.

Challenges in securing package registries (e.g., PyPI, npm) are highlighted as critical infrastructure vulnerabilities, akin to app stores, requiring urgent attention due to their scale and risks like malware distribution. The discussion emphasizes the lack of affordable security audits and the potential for rapid security reviews (costing ~$5) to identify vulnerabilities quickly. Industry-wide issues include systemic underinvestment in open-source security, reliance on ad-hoc funding models, and the prioritization of growth over security in both commercial and open-source contexts. The "left-pad" incident exemplifies how developers often neglect security in favor of niche technical tasks, contrasting with the Y2K problem's structured approach.

The conversation also explores cultural and operational barriers, such as the volunteer-driven nature of many registries, which risks instability if key infrastructure fails. Calls for sustained funding models, transparent cost structures, and ethical design practices are made to ensure registry resilience. Collaborative efforts, like the Alpha Omega board meetings and quarterly events for grant recipients, aim to drive cross-organizational innovation. Systemic changes, ranging from shifting priorities toward upstream security fixes to avoiding monoculture funding, are framed as essential for securing the software supply chain. The dialogue underscores the need for a public-good-focused approach, prioritizing quick action and learning from past failures to foster a more secure and sustainable open-source ecosystem.

Recent Episodes of Open Source Security

22 Jun 2026 Packagist and Composer security with Jordi Boggiano

Strategies for securing open-source ecosystems include malware detection via third-party feeds, transparency logs, rapid incident response, blocking malicious downloads, private registry controls, immutable package releases, standardized workflows, MFA enforcement, and technical proposals like artifact validation and build attestation, while addressing challenges like maintainer hacking, AI risks, usability trade-offs, and the need for ecosystem-wide alignment and human verification.

15 Jun 2026 Sustaining Open VSX with Mike and Thabang

Eclipse Foundation's OpenVSX, a VS Code extension repository, surged to 600M monthly downloads, evolved to a commercial model with enterprise SLAs and security teams, while addressing scalability, open-source balance, and funding challenges for AI expansion.

8 Jun 2026 Hacking your CI/CD with Francois Proulx

Critical vulnerabilities in open source CI/CD pipelines, including hijacking and supply chain attacks via social engineering or compromised builds, are highlighted through incidents like TJ Actions and Ultralytics, with mitigation strategies emphasizing secure credentials, externalized workflows, threat modeling, and tools like *Smoked Meat* and *Bagel* to enhance incident response and supply chain security.

1 Jun 2026 Open source verification with Sal Kimmich

Cybersecurity challenges include complex application ecosystems, overlooked kernel vulnerabilities, supply chain risks, and systemic risks from under-resourced organizations prioritizing surface-level controls, alongside calls for regulatory reforms, proactive threat modeling, secure development practices, and addressing tribal nations' unique legal and sovereignty concerns.

25 May 2026 Vulnerability disclosure with Casey Ellis

The evolution of vulnerability disclosure highlights challenges in prioritizing critical issues, outdated legal frameworks, and the role of initiatives like Disclosed.io in standardizing policies, alongside AI's impact on detection, open-source risks, triage complexities, and the need for collaboration and transparency to address systemic security barriers.
