

What's in the SOSS? An OpenSSF Podcast
OpenSSF
What's in the SOSS? features the sharpest minds in security as they dig into the challenges and opportunities that create a recipe for success in making software more secure. Get a taste of all the ingredients that make up secure open source software (SOSS) and explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessments. Each episode of What's in the SOSS? is packed with valuable insight designed to foster collaboration and promote stronger security practices for the open source software community.

About Christopher Robinson (aka CRob), host
CRob is a 43rd level Dungeon Master and a 26th level Securityologist. He is a leader within several Open Source Security Foundation (OpenSSF) efforts and is a frequent speaker on cyber, application, and open source security. He enjoys hats, herding cats, and moonlit walks on the beach.
Episodes

Mar 24, 2026 • 25min
From Noise to Signal: Security Expertise and Kusari Inspector with Mike Lieberman
In this episode, CRob talks with Mike Lieberman from Kusari about the current state of open source security. They discuss the growing burden on maintainers from the "deluge" of noisy, low-quality vulnerability reports, often generated by AI tools, and the vital role of "a human in the loop." Mike introduces Kusari's tool, Inspector, explaining how it uses codified security expertise to process data from sources like OpenSSF Scorecard and SLSA, filtering out false positives so that maintainers receive only high-quality, actionable reports. They also dive into the design philosophy of "don't piss off the engineers" and share a vision for the future of security tooling that focuses on dramatically better user experience and on building security primitives that are "secure by design."

Chapters:
00:06 Introduction: The Biggest Challenge in Security Tooling
01:12 Overwhelmed Maintainers: The Deluge of Low-Quality AI Reports
04:00 Introducing Kusari's Inspector: How it Filters False Positives
08:40 The Secret Sauce: Security Expertise and the Need for Reproducible Tests
12:03 Meeting Engineers Where They Are: Design Choices to Reduce Maintainer Burden
18:16 The Future of Open Source Security Tooling: Focusing on Better UX
22:19 Call to Action: The Responsibility of Large Organizations

Episode links:
Michael Lieberman's LinkedIn page
Learn more about Kusari Inspector
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

Mar 17, 2026 • 23min
Empowering New Maintainers: Inside the OpenSSF Mentorship Program
Yesenia Yser, co-lead of the OpenSSF Mentorship Program and BEAR advocate for accessibility in open source, and Kairo De Araujo, open source engineer and RSTUF maintainer focused on supply chain security, discuss bringing newcomers into software security. They highlight team-based mentorship, surprising maintainer outcomes, onboarding improvements, tips for mentors and mentees, and key dates for the next paid mentorship cycle.

Mar 10, 2026 • 17min
The Gemara Project: GRC Engineering Model for Automated Risk Assessment
Hannah Braswell and Jenn Power, security engineers from Red Hat and contributors to the OpenSSF, join host Sally Cooper to discuss the Gemara project. Gemara, an acronym for GRC Engineering Model for Automated Risk Assessment, is a seven-layer logical model that aims to solve the problem of incompatibility in the GRC (Governance, Risk, and Compliance) stack. By outlining a separation of concerns, the project seeks to enable engineers to build secure and compliant systems without needing to be compliance experts. The speakers explain how Gemara grew organically to seven layers and how it connects with other open source initiatives like the OpenSSF Security Baseline and FINOS Common Cloud Controls. They also touch on the ecosystem of tools being built, including CUE schemas and a Go SDK, and how new people can get involved.

Chapters:
00:00 Welcome music + promo clip
00:22 Introductions
02:17 What is Gemara and what problem does it address?
03:58 Why do we need a model for GRC engineering?
05:50 The seven-layer structure of Gemara
07:40 How Gemara connects to other open source projects
10:14 Tools available to help with Gemara model adoption
11:39 How to get involved in the Gemara projects
13:59 Rapid Fire
16:03 Closing thoughts and call to action

Episode links:
Jenn Power LinkedIn page
Hannah Braswell LinkedIn page
Gemara Website
Blog: Introducing the Gemara Model
Publication: Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment
OpenSSF OSPS Baseline
FINOS Common Cloud Controls
Privateer
Cyber Resilience Act (CRA) Brief Guide for OSS Developers
LFEL1001: Understanding the EU Cyber Resilience Act (CRA) (Education/Training)
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

Feb 10, 2026 • 18min
AIxCC Part 4 – Cyber Reasoning Systems: The Real-World Journey After AIxCC
Jeff Diecks, OpenSSF technical lead on the AI Cyber Challenge with 20+ years in open source, discusses how AI-powered vulnerability detectors moved from competition to real-world use. He covers real bug findings in the Linux kernel and CUPS. He explains OSS-CRS, a standard infrastructure for combining cyber reasoning system components, and shares lessons on responsibly reporting AI-generated security findings to maintainers.

Feb 10, 2026 • 23min
AIxCC Part 3 - Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC
In the third episode of our AI Cyber Challenge (AIxCC) series, CRob sits down with Michael Brown, Principal Security Engineer at Trail of Bits, to discuss their runner-up cyber reasoning system, Buttercup. Michael shares how their team took a hybrid approach - combining large language models with conventional software analysis tools like fuzzers - to create a system that exceeded even their own expectations. Learn how Trail of Bits made Buttercup fully open source and able to run on a laptop, their commitment to ongoing maintenance funded by the prize winnings, and why they believe AI works best when applied to small, focused problems rather than trying to solve everything at once.

This episode is part 3 of a four-part series on AIxCC:
AIxCC part 1: From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney
AIxCC part 2: From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs
AIxCC part 4: Cyber Reasoning Systems: The Real-World Journey After AIxCC

Chapters:
00:04 - Introduction & Welcome
00:12 - About Trail of Bits & Open Source Commitment
03:16 - Buttercup: Second Place in AIxCC
04:20 - The Hybrid Approach Strategy
06:45 - From Skeptic to Believer
09:28 - Surprises & Vindication During Competition
11:36 - Multi-Agent Patching Success
14:46 - Post-Competition Plans
15:26 - Making Buttercup Run on a Laptop
18:22 - The Giant Check & DEF CON
18:59 - How to Access Buttercup on GitHub
21:37 - Enterprise Deployment & Community Support
22:23 - Closing Remarks

Episode links:
Michael Brown's LinkedIn page
AI Cyber Challenge (AIxCC)
Trail of Bits
Buttercup GitHub Repo
OpenSSF AI/ML Security Working Group
Cyber Reasoning Systems Special Interest Group (Slack)
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

Feb 10, 2026 • 28min
AIxCC Part 2 - From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs
In this second episode of our series on DARPA's AI Cyber Challenge (AIxCC), CRob sits down with Professor Taesoo Kim from Georgia Tech to discuss Team Atlanta's journey to victory. Kim shares how his team - comprised of academics, world-class hackers, and Samsung engineers, and initially skeptical of AI tools - underwent a complete mindset shift during the competition. He explains how they successfully augmented traditional security techniques like fuzzing and symbolic execution with LLM capabilities to find vulnerabilities in large-scale open source projects. Kim also reveals exciting post-competition developments, including commercialization efforts in smart contract auditing and plans to make their winning CRS accessible to the broader security community through integration with OSS-Fuzz.

This episode is part 2 of a four-part series on AIxCC:
AIxCC part 1: From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney
AIxCC part 3: Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC
AIxCC part 4: Cyber Reasoning Systems: The Real-World Journey After AIxCC

Chapters:
00:00 - Introduction
00:37 - Team Atlanta's Background and Competition Strategy
03:43 - The Key to Victory: Combining Traditional and Modern Techniques
05:22 - Proof of Vulnerability vs. Finding Bugs
06:55 - The Mindset Shift: From AI Skeptics to Believers
09:46 - Overcoming Scalability Challenges with LLMs
10:53 - Post-Competition Plans and Commercialization
12:25 - Smart Contract Auditing Applications
14:20 - Making the CRS Accessible to the Community
16:32 - Student Experience and Research Impact
20:18 - Getting Started: Contributing to the Open Source CRS
22:25 - Real-World Adoption and Industry Impact
24:54 - The Future of AI-Powered Security Competitions

Episode links:
Taesoo Kim's LinkedIn page
AI Cyber Challenge (AIxCC)
OSS-Fuzz Project
OpenSSF AI/ML Security Working Group
Cyber Reasoning Systems Special Interest Group (Slack)
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

Feb 10, 2026 • 23min
AIxCC Part 1 - From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney
This episode of What's in the SOSS features Andrew Carney from DARPA and ARPA-H, discussing the groundbreaking AI Cyber Challenge (AIxCC). The competition was designed to create autonomous systems capable of finding and patching vulnerabilities in open source software, a crucial effort given the pervasive nature of open source in the tech ecosystem. Carney shares insights into the two-year journey, highlighting the initial skepticism from experts that ultimately turned into belief, and reveals the surprising efficiency of the competing teams, who collectively found over 80% of inserted vulnerabilities and patched nearly 70%, with remarkably low compute costs. The discussion concludes with a look at the next steps: integrating these cyber reasoning systems into the open source community to support maintainers and supercharge automated patching in development workflows.

This episode is part 1 of a four-part series on AIxCC:
AIxCC part 2: From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs
AIxCC part 3: Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC
AIxCC part 4: Cyber Reasoning Systems: The Real-World Journey After AIxCC

Chapters:
00:00 - Introduction and Guest Welcome
00:59 - Guest Background: Andrew Carney's Role at DARPA/ARPA-H
02:20 - Overview of the AI Cyber Challenge (AIxCC)
03:48 - Competition History and Structure
04:44 - The Value of Skepticism and Surprising Learnings
07:11 - Surprising Efficiency and Low Compute Costs
08:15 - Major Competition Highlights and Results
13:09 - What's Next: Integrating Cyber Reasoning Systems into Open Source
16:55 - A Favorite Tale of "Robots Gone Bad"
18:37 - Call to Action and Closing Thoughts

Episode links:
Andrew Carney's LinkedIn page
AI Cyber Challenge (AIxCC)
OpenSSF AI/ML Security Working Group
Cyber Reasoning Systems Special Interest Group (Slack)
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

Feb 3, 2026 • 33min
Demystifying the CFP Process with KubeCon North America Keynote Speakers
Ever wondered what it takes to get your talk accepted at a major open source tech conference, or even land a keynote slot? Join What's in the SOSS new co-host Sally Cooper as she sits down with Stacey Potter and Adolfo "Puerco" García Veytia, fresh off their viral KubeCon keynote "Supply Chain Reaction." In this episode, they pull back the curtain on the CFP review process, share what makes a strong proposal stand out, and offer honest advice about overcoming imposter syndrome. Whether you're a first-time speaker or a seasoned presenter, you'll learn practical tips for crafting compelling abstracts, avoiding common pitfalls, and why your unique voice matters more than you think.

Chapters:
00:00 - Introduction and Guest Welcome
01:40 - Meet the Keynote Speakers
05:27 - Why CFPs Matter for Open Source Communities
08:29 - Inside the Review Process: What Reviewers Look For
14:29 - Crafting a Strong Abstract: Dos and Don'ts
21:05 - From Regular Talk to Keynote: What Changed
25:24 - Conquering Imposter Syndrome
29:11 - Rapid Fire CFP Tips
30:45 - Upcoming Speaking Opportunities
33:08 - Closing Thoughts

Episode links:
Adolfo García Veytia LinkedIn page
Stacey Potter LinkedIn page
KubeCon North America Keynote: Supply Chain Reaction: A Cautionary Tale in K8s Security
OpenSSF Slack CFP Announce channel (#cfp-announce)
Open Source Summit North America - CFP Closes February 9
OpenSSF Community Day North America - CFP Closes February 15
Open Source Summit Europe - CFP opens end of April or early May
OpenSSF Community Day Europe - CFP opens early May
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

Jan 27, 2026 • 19min
Why Marketing Matters in Open Source: Introducing Co-Host Sally Cooper
Sally Cooper, OpenSSF marketing lead who moved from technical training and docs into making complex tech accessible. She talks about why marketing can unsettle open source, how personal branding builds community, using personas to reach diverse stakeholders, practical ways newcomers can get involved, and OpenSSF's 2026 quarterly themes like AI/ML security and CVE transparency.

Dec 30, 2025 • 28min
2025 Year End Wrap Up: Celebrating 5 Years of Open Source Security Impact!
Join co-hosts CRob and Yesenia for a special season finale celebrating OpenSSF's fifth anniversary and recapping an incredible year of innovation in open source security! From launching three free educational courses on the EU Cyber Resilience Act, AI/ML security, and security for software development managers, to the groundbreaking DARPA AI Cyber Challenge where competitors achieved over 90% accuracy in autonomous vulnerability discovery, 2025 has been transformative. We reflect on standout interviews with new OpenSSF leaders Steve Fernandez and Stacey Potter, deep dives into game-changing projects like the Open Source Project Security Baseline and AI model signing, and the vibrant community conversations around SBOM, supply chain security, and developer education. With nearly 12,000 total podcast downloads and exciting Season 3 plans including AI Cyber Challenge competitor interviews, CFP writing workshops, and expanded global community initiatives in Africa, we're just getting started. Tune in for behind-the-scenes insights, friendly competition stats on our most popular episodes, and a sneak peek at what's coming in 2026!

Chapters:
00:00 - Celebrating OpenSSF's Fifth Anniversary
02:52 - Educational Growth and New Initiatives
05:51 - Community Voices and Leadership Changes
08:45 - The Role of Community Manager
11:44 - Open Source Project Security Baseline
14:47 - AI and Machine Learning in Open Source
17:47 - Software Bill of Materials (SBOM) Discussions
20:34 - Podcast Highlights and Listener Engagement
22:26 - Looking Ahead to Season Three

Episode links:
Yesenia Yser on LinkedIn
Christopher Robinson on LinkedIn

OpenSSF Free Courses:
LFD 125 - Security for Software Development Managers
LFEL 1001 - Understanding the EU Cyber Resilience Act
LFEL 1012 - Secure AI/ML Driven Development

OpenSSF What's In The SOSS Podcast Episodes:
Podcast #27 - S2E04 Enterprise to Open Source: Steve Fernandez's Journey to the OpenSSF
Podcast #29 - S2E06 Showing Up Fully: Meet OpenSSF's new Community Manager, Stacey Potter
Podcast #25 - S2E02 Empowering Security: Yesenia Yser on Open Source, AI, and Personal Branding
Podcast #44 - S2E21 A Deep Dive into the Open Source Project Security (OSPS) Baseline
Podcast #36 - S2E13 From Compliance to Community: Meeting CRA Requirements Together


