What's in the SOSS? An OpenSSF Podcast
What's in the SOSS? features the sharpest minds in security as they dig into the challenges and opportunities that create a recipe for success in making software more secure.
Get a taste of all the ingredients that make up secure open source software (SOSS) and explore the latest trends at the intersection of AI and security, vulnerability management, and threat assessments.
Each episode of What's in the SOSS? is packed with valuable insight designed to foster collaboration and promote stronger security practices for the open source software community.
About Christopher Robinson (aka CRob), host
CRob is a 43rd level Dungeon Master and a 26th level Securityologist. He is a leader within several Open Source Security Foundation (OpenSSF) efforts and is a frequent speaker on cyber, application, and open source security. He enjoys hats, herding cats, and moonlit walks on the beach.
A Deep Dive into the Open Source Project Security (OSPS) Baseline
In this episode of "What's in the SOSS," CRob, Ben Cotton, and Eddie Knight discuss the Open Source Project Security (OSPS) Baseline. The baseline provides a common language and control catalog for software security, enabling maintainers to demonstrate their project's security posture and fostering confidence in open source projects. They explore its integration with other OpenSSF projects, real-world applications such as the GUAC case study, and its value to maintainers and other stakeholders. They also emphasize the role of documentation in security as part of deploying software securely. The effectiveness of the baseline is validated through real-world applications and refined by community feedback, with future improvements focusing on better tooling and compliance mapping.
Episode Chapters
00:00 - Welcome & Introductions
02:40 - Understanding the Open Source Project Security Baseline
05:54 - The Importance of Defining a Security Baseline
08:49 - Integrating Baseline with Other OpenSSF Projects
11:42 - Real-World Applications: The GUAC Case Study
14:21 - Value for Maintainers and Other Stakeholders
17:29 - The Role of Documentation in Security
20:37 - Future Directions for the Baseline and Orbit
23:26 - Community Engagement and Feedback
Episode links:
- Ben Cotton’s LinkedIn page
- Eddie Knight’s LinkedIn page
- OSPS Baseline website
- OSPS Baseline GitHub
- OSPS Baseline Slack
- OSPS ORBIT Working Group
- OpenSSF Tech Talk: How to use the OSPS Baseline to Better Navigate Standards and Regulations
- Gemara project
- GUAC project
- Get involved with the OpenSSF
- Subscribe to the OpenSSF newsletter
- Follow the OpenSSF on LinkedIn