I recently had a chat with Kairo about a project he maintains called Repository Service for TUF (RSTUF). We explain why TUF is tough (har har har), what RSTUF can do, and some of the challenges around securing repositories. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-05-rstuf-with-kairo-de-araujo/
--------
33:29
Securing GitHub Actions with William Woodruff
William Woodruff discussed his project, Zizmor, a security linter designed to help developers identify and fix vulnerabilities within their GitHub Actions workflows. This tool addresses inherent security risks in GitHub Actions, such as injection vulnerabilities, permission issues, and mutable tags, by providing static analysis and remediation guidance. Fresh off the heels of the tj-actions/changed-files backdoor, this is a great topic with some things everyone can do right away. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-05-securing-github-actions-william-woodruff/
--------
31:50
Embedded Security with Paul Asadoorian
Recently, I had the pleasure of chatting with Paul Asadoorian, Principal Security Researcher at Eclypsium and the host of the legendary Paul's Security Weekly podcast. Our conversation dove into the often-murky waters of embedded systems and the Internet of Things (IoT), sparked by a specific vulnerability discussion on Paul's show concerning reference code for the popular ESP32 microcontroller. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-05-embedded-security-with-paul-asadoorian/
--------
34:24
tj-actions with Endor Lab's Dimitri Stiliadis
Dimitri Stiliadis, CTO from Endor Labs, discusses the recent tj-actions/changed-files supply chain attack, where a compromised GitHub Action exposed CI/CD secrets. We explore the impressive multi-stage attack vector and the broader often-overlooked vulnerabilities in our CI/CD pipelines, emphasizing the need to treat these build systems with production-level security rigor instead of ignoring them. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-04-tjactions_with_dimitri_stiliadis/
--------
32:39
Syft, Grype, and Grant with Alan Pope
I chat with Alan Pope about the open source security tools Syft, Grype, and Grant. These tools help create Software Bills of Materials (SBOMs) and scan for vulnerabilities. Learn why generating and storing SBOMs is crucial for understanding your software supply chain and quickly responding to new threats like Log4Shell. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-04-syft-grype-grant-alan-pope/
Open Source Security is a media project to help showcase and educate on open source security. Our goal is to give the community a platform educate both developers and users on how open source security works.
There’s a lot of good work happening that doesn’t get attention because there’s no marketing department behind it, they don’t have a developer relations team posting on LinkedIn every two hours. Let’s focus on those people and teams then learn what they do and how they do it. The goal is to hear from the people doing the work, they know what’s up, they have a lot to teach us. We just have to listen.
Brasil