More Open Source Security episodes
Published 30 Mar 2026
Duration: 42:30
The Alpha Omega Project addresses open-source security by targeting leverage points like Node.js and Python ecosystems, advocating for systemic solutions, dedicated security roles, sustainable funding, and registry infrastructure improvements to counter fragmented practices and downstream risks.
Josh talks to Michael Wisner about a talk he gave at FOSDEM as well as his work on Alpha Omega at the Linux Foudnation. Michael is approaching open so...
The podcast discusses the Alpha Omega Project, an initiative founded in 2022 to address open-source security gaps by creating dedicated security roles in key ecosystems like Node.js and Python. Its dual focusAlpha (identifying leverage points for systemic change) and Omega (scaling solutions)includes staffing security engineers, funding compute resources, and fostering community-wide security initiatives. Success stories include Seth Larsens contributions to Pythons security, with ripple effects beyond specific projects. The project aims to normalize security through tooling, staffing, and long-term sustainability strategies, such as maintaining reserve funding and encouraging self-sufficiency in open-source projects.
Challenges in securing package registries (e.g., PyPI, npm) are highlighted as critical infrastructure vulnerabilities, akin to app stores, requiring urgent attention due to their scale and risks like malware distribution. The discussion emphasizes the lack of affordable security audits and the potential for rapid security reviews (costing ~$5) to identify vulnerabilities quickly. Industry-wide issues include systemic underinvestment in open-source security, reliance on ad-hoc funding models, and the prioritization of growth over security in both commercial and open-source contexts. The "left-pad" incident exemplifies how developers often neglect security in favor of niche technical tasks, contrasting with the Y2K problems structured approach.
The conversation also explores cultural and operational barriers, such as the volunteer-driven nature of many registries, which risks instability if key infrastructure fails. Calls for sustained funding models, transparent cost structures, and ethical design practices are made to ensure registry resilience. Collaborative efforts, like the Alpha Omega board meetings and quarterly events for grant recipients, aim to drive cross-organizational innovation. Systemic changesranging from shifting priorities toward upstream security fixes to avoiding monoculture fundingare framed as essential for securing the software supply chain. The dialogue underscores the need for a public-good-focused approach, prioritizing quick action and learning from past failures to foster a more secure and sustainable open-source ecosystem.
11 May 2026 Open source is critical infrastructure with Kat Cosgrove
Maintaining open source infrastructure is critical to prevent security risks from neglected projects, highlighting the need for sustainable funding, corporate collaboration beyond financial support, and systemic reforms to address coordination challenges, dependency fragility, and vulnerabilities.
4 May 2026 How to actually test a disaster plan with David Bernstein
A three-part disaster recovery framework emphasizing simplicity, clear roles, and collaboration, utilizing structured testing via HSEEP, real-world validation, and continuous improvement through exercises, while addressing pitfalls and balancing realism with psychological safety.
27 Apr 2026 Open Source Pledge with Vlad-Stefan Harbuz
Challenges in open source sustainability include undervaluing maintainers, dependency tracking issues, fragmented tooling, burnout, governance flaws, and paradoxical tool sustainability, necessitating financial support, sustainable governance, and collective action for long-term project viability.
20 Apr 2026 Building a plan for disaster with David Bernstein
Adaptive emergency management and disaster recovery demand dynamic strategies, structured frameworks like ISO 22301/NIST, cyclical preparedness, stress testing, stakeholder alignment, and resilience through collaboration and continuous learning to tackle evolving digital and physical risks.
13 Apr 2026 Open Source Malware with Paul McCarty
Open Source Malware (OSM) addresses the gap in detecting intentional malicious open-source components by cataloging threats, de-obfuscating code, extracting indicators of compromise, and providing post-incident data, while tackling challenges like persistent malicious packages, limitations of traditional tools against interpreted languages, fragmented collaboration, AI risks, and the need for improved CI/CD security, audit tools, and balanced AI-human oversight.