Open Source Security

Josh talks to Kat Cosgrove about a how companies should be treating open source more like their critical infrastructure than free stuff. Kat has a ton of knowledge about how the interactions between companies and open source communities can work well, or not work at all. Kat's time on the Kubernetes Release Team. We touch on how a project like Kubernetes is super successful, while another, Ingress NGINX, was not. It's a super insightful discussion with a ton of lessons and advice for everyone.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-05-open-source-infrastructure-kat/

Josh and David finish up the disaster recovery and emergency planning trilogy. In this one David tells us how to test the plan he told us how to build in the last episode. There are some great ideas in this one about how to test the process not the people. How to construct the plan, and even some tips to go from a plan to some actual real world testing. It's another episode filled with great and practical advice.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-05-testing-the-plan-david-bernstein/

Josh has a discussion with Vlad-Stefan Harbuz about the Open Source Pledge as well as his recent FOSDEM talk. The Open Source Pledge is all about trying to build a sustainable universe for open source maintainers. This ties into Vlad's FOSDEM talk which was all about the challenge of just knowing what open source you are using. The importance of trying to make open source sustainable is a really important topic, but it's also a really hard topic. Vlad helps explain all of this as well as some ideas for the solving this in the future.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-04-open-source-pledge-vlad/

Josh welcomes back David Bernstein to talk about creating a disaster recover plan. It's a very timely topic given all the current events. There are more supply chain attacks and compromises than ever before. There are some great resources for this planning, but as David tells us, it's really not that hard to put some plans together. It's easy to over-plan, David gives some great tips on getting started with our planning for an eventual incident.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-04-disaster-planning-david-bernstein/

Josh talks to Paul McCarty of Open Source Malware about ... open source malware. Paul explains why there aren't many good open source malware datasets. We discuss why the existing data is lacking for many use cases. We of course touch on AI and the malware in skills problems and challenges. It's a fun discussion with a lot of new and interesting problems we all have to deal with.
The show notes and blog post for this episode can be found at
https://opensourcesecurity.io/2026/2026-04-open-source-malware-paul-mccarty/