loader from loading.io

FIDO authentication with William Brown

Open Source Security

Release Date: 03/24/2025

CVE update with Patrick Garrity show art CVE update with Patrick Garrity

Open Source Security

In this episode I chat with Patrick Garrity from VulnCheck. We discuss the chaos that has enveloped the CVE and NVD programs over the past two years. We cover some of the transparency and communication challenges with the existing program. What some of the new things that have started to emerge as well as why they seem to be struggling. We end on the note that the last 3 months haven't been confidence inspiring. It's likely in 6 months everyone will be scrambling to deal with a difficult situation. The show notes and blog post for this episode can be found at

info_outline
GCVE with Cédric Bonhomme and Alexandre Dulaunoy show art GCVE with Cédric Bonhomme and Alexandre Dulaunoy

Open Source Security

In this episode I discuss GCVE and Vulnerability-Lookup with Alex and Cedric from CIRCL. GCVE offers a decentralized approach, allowing organizations to assign their own IDs and publish vulnerabilities independently. Vulnerability-Lookup is the tool that makes GCVE a reality. The flexibility addresses many of the limitations we see today with a single centralized ID system. The work happening by CIRCL on GCVE is very impressive, with all the current CVE turmoil, this is a project we should all be paying attention to. The show notes and blog post for this episode can be found at

info_outline
EU Regulations will change everything with Daniel Thompson show art EU Regulations will change everything with Daniel Thompson

Open Source Security

In this episode, we dive into the Product Liability Directive and Cyber Resilience Act with Daniel Thompson, CEO of Crab Nebula. The EU's new legislative framework impacts manufacturers in ways we don't totally understand, but are going to bring substantial changes to how companies use and develop open source. Daniel explains the broader implications for software security and the future of digital products in the European market. The show notes and blog post for this episode can be found at

info_outline
Open source microprocessors with Jan Pleskac show art Open source microprocessors with Jan Pleskac

Open Source Security

In this episode Jan Pleskac, CEO and co-founder of Tropic Square, shares insights on the challenges and innovations in creating open and auditable hardware. While most hardware is very closed, Tropic Square is working to change this. WE discuss how open source can enhance security, the complexities of integrating third-party technologies, and the future of secure computing devices. The show notes and blog post for this episode can be found at

info_outline
Package URLs with Philippe Ombredanne show art Package URLs with Philippe Ombredanne

Open Source Security

I'm joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages. We dive into how PURLs provide a universal, common-sense standard that is becoming essential for the future of SBOMs and securing the software supply chain. The show notes and blog post for this episode can be found at

info_outline
Hobbyist Maintainers with Thomas DePierre show art Hobbyist Maintainers with Thomas DePierre

Open Source Security

Thomas DePierre joins Open Source Security to discuss the central idea from his blog post, "You are all on the hobbyist maintainers turf now," exploring the massive disconnect between the corporate world that consumes open source and the hobbyist community that actually produces it. The conversation reveals this isn't a new problem, but a long-standing reality whose consequences for security, stability, and the future of software we are only now beginning to truly confront. The show notes and blog post for this episode can be found at

info_outline
STIG automation with Aaron Lippold show art STIG automation with Aaron Lippold

Open Source Security

I chat with Aaron Lippold, creator of MITRE's Security Automation Framework (SAF), to discuss how to escape the pain of manual STIG compliance. We explore the technical details of open-source tools like InSpec, Heimdall, and Vulcan that automate validation, normalize diverse security data, and streamline the entire security authoring process. The show notes and blog post for this episode can be found at

info_outline
Ecosyste.ms with Andrew Nesbitt show art Ecosyste.ms with Andrew Nesbitt

Open Source Security

I recently chatted with Andrew Nesbitt about his project, Ecosyste.ms. Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more. With this dataset Andrew is able to incredible insights into the world of open source. We chat all about how Ecosyste.ms works and how he manages to wrangle all this data. The show notes and blog post for this episode can be found at

info_outline
Curl vs AI with Daniel Stenberg show art Curl vs AI with Daniel Stenberg

Open Source Security

Daniel Stenberg, the maintainer of Curl, discusses the increase in AI security reports that are wasting the time of maintainers. We discuss Curl's new policy of banning the bad actors while establishing some pretty sane AI usage guidelines. We chat about how this low-effort, high-impact abuse pattern is a denial-of-service attack on the curl project (and other open source projects too). The show notes and blog post for this episode can be found at

info_outline
Repository signing with Kairo De Araujo show art Repository signing with Kairo De Araujo

Open Source Security

I recently had a chat with Kairo about a project he maintains called Repository Service for TUF (RSTUF). We explain why TUF is tough (har har har), what RSTUF can do, and some of the challenges around securing repositories. The show notes and blog post for this episode can be found at

info_outline
 
More Episodes

William Brown tells us all about how confusing and complicated the FIDO authentication universe is. He talks about WebAuthn implementation challenges to flaws in the FIDO metadata service that affect how hardware tokens are authenticated against. The conversation covers the spectrum of hardware security key quality, attestation mechanisms, and the barriers preventing open source developers from improving industry standards despite their expertise.

The blog post for this episode can be found at
https://opensourcesecurity.io/2025/2025-03-fido_auth_william_brown/