On the front lines of technology and business there is a battle of survival. Behind the scenes, businesses are on a mission to keep a vigilant watch for threats in an ongoing Cyber War. But it’s not just about malware, ransomware, and breaches anymore. The obstacles and barriers companies face today are bigger and badder than ever — and these cyber threats are forcing them to prove they’re secure for the future. So when you need answers to win the battle, tune into Cyber Security America wit ...
Joshua Nicholson Podcasts
Open Source Security is a media project to help showcase and educate on open source security. Our goal is to give the community a platform to educate both developers and users on how open source security works. There’s a lot of good work happening that doesn’t get attention because there’s no marketing department behind it; they don’t have a developer relations team posting on LinkedIn every two hours. Let’s focus on those people and teams, then learn what they do and how they do it. The goal is ...
A podcast about the science of ADHD, interviewing researchers about their work and what it means for ADHD people like us! (feed still contains old extraordinary brains episodes, don’t worry).
Brendon Marotta is a filmmaker, author, and speaker. He is best known for his feature-length documentary American Circumcision, which appeared on Netflix. He is the author of multiple books, the next of which explores the treatment of children as a social justice issue.
INTERSECT is a radio interview program that showcases interviews with musicians who were once, or still are, prominent Christian music artists, discussing how their encounter with Christ not only influenced the direction and intent of their music, but also the direction and intent of their individual lives. The shows will be interesting, entertaining and inspirational as we learn how these musicians started, their experiences along the way and where they are now as artists and people. Aaron “The ...

Eclipse Foundation SBOMs with Mikael Barbero
31:15
In this conversation, Josh speaks with Mikael Barbero, head of security at the Eclipse Foundation. They discuss the foundation's role in enhancing the security posture of open source projects, the importance of Software Bill of Materials (SBOMs), and the various security services provided to projects. Mikael explains the challenges and strategies i…

Surviving Ransomware: Strategies and Stories with Cybersecurity Expert Matthew Waddell
42:23
In episode 44 of Cyber Security America, host Joshua Nicholson sits down with Matthew Waddell, a battle-tested cybersecurity leader with over 25 years of experience in digital forensics, incident response, and ransomware defense. From conducting “just-in-time forensics” under combat conditions in Iraq and Afghanistan to leading global ransomware in…

Actually finding vulnerabilities using AI with Joshua Rogers
31:35
I chat with Joshua Rogers about a blog post he wrote as well as some bugs he submitted to the curl project. Joshua explains how he went searching for some AI tools to help find security bugs, and found out they can work, if you're a competent human. We discuss the challenges of finding effective tools, the importance of human oversight in triaging …

Sustaining Package Repositories with Brian Fox
42:20
Brian Fox discusses the challenges and future of open source package repository infrastructure. We discuss the complexities of managing public registries, the impact of overconsumption, and the importance of sustainable practices in the open source community. Brian tells us how organizations can reduce their footprint and contribute to a more balan…

Arch Linux Security with Foxboron and Anthraxx
38:08
Join us for a conversation with Foxboron (Morten Linderud) and Anthraxx (Levente Polyak), members of the Arch Linux security team. We talk about the difficulties of maintaining a Linux distribution, the challenges of handling CVEs, and the dedication of volunteers who keep the open-source community working (and how overworked those volunteers are).…

Penetration Testing and Social Engineering: Insights from Steve Stasiukonis
56:49
🎙 Inside the World of Cybersecurity with Steve Stasiukonis. Tune in to the latest episode of Cyber Security America as we explore real-world solutions for defending against today's ever-evolving cyber threats. Our guest, Steve Stasiukonis, President of Secure Network Technologies, brings over 29 years of experience in penetration testing, informatio…

OpenSSL with Hana Andersen and Anton Arapov
28:48
I discuss all things OpenSSL with Hana Andersen and Anton Arapov from the OpenSSL Corporation. Discover the intricacies of organizing the first-ever OpenSSL conference in Prague, the importance of post-quantum cryptography, and the evolution of OpenSSL from a small team to a global community. Whether you're a seasoned cryptographer or just curious …
Our last episode for a while... Max talks to Dr Blandine French, who not only found a problem (lack of knowledge in UK doctors about ADHD), she got up and did something about it! She's remarkable, and you can find out all about her at https://ndlab.org.uk/ Bye for now! By ADHDUK

The Python Software Foundation with Deb Nicholson
37:48
In this episode I discuss the Python Software Foundation with Deb Nicholson. We discuss their contributions to the Python programming community. Learn how this dedicated organization supports the growth and innovation of Python, fostering an ecosystem for developers worldwide. Everything from funding open-source projects to organizing community events, …

Defense Contractors: CMMC Is Here — And the Clock Is Ticking
29:34
In our latest Cybersecurity America episode (42), I had the privilege of speaking with Jim Goepel, a true leader in cybersecurity and compliance — and someone who has helped shape the very ecosystem he now advises. Jim is the CEO of Fathom Cyber, a consulting firm in North Wales, PA specializing in: 🔹 CMMC assessment preparation 🔹 CUI education and…

Using Mercator to map assets with Didier Barzin
25:48
In this episode, we discuss the information system mapping tool Mercator with Didier Barzin, a CISO at a hospital in Luxembourg. Discover how Mercator revolutionizes the way organizations map their complex information systems. From hospitals to universities and even the banking sector, Mercator helps manage and protect vast networks by creating dynamic, co…

Talos Linux security with Andrey Smirnov
38:04
In this episode, I discuss the security features of Talos Linux with Andrey Smirnov. Andrey explains how Talos focuses on its immutability and minimal attack surface. Discover how these enhancements fortify your systems against vulnerabilities, ensuring a secure and resilient infrastructure. Join us as we explore the security advancements that…

Discussing the Open Source, Open Threats? paper with Behzad and Ali
34:59
In this episode I chat with the authors of a recent paper on open source security: Open Source, Open Threats? Investigating Security Challenges in Open-Source Software. I chat with Ali Akhavani and Behzad Ousat about their findings. There are interesting data points in the paper such as a 98% increase in reported vulnerabilities compared to a 25% g…

From Combat Boots to Cybersecurity - Nia Luckey on her journey
53:08
In this episode of the Cybersecurity America Podcast, sponsored by DarkStack7, host Joshua Nicholson sits down with Nia Luckey — Army veteran, published author, and cybersecurity leader — to talk about her powerful journey from military service to the frontlines of cyber defense. Nia shares lessons on resilience, leadership, and transitioning from …

crates.io trusted publishing with Tobias Bieniek
25:39
In this episode we discuss crates.io trusted publishing with Tobias Bieniek. We cover the steps crates.io is taking to enhance supply chain security through trusted publishing, a method that leverages short-lived tokens and GitHub Actions to safeguard against unauthorized access. Tobias shares insights into the challenges of managing a large-scale …

Cybersecurity’s Golden Rule: The Legal Blueprint No One Shares
48:07
In this episode, sponsored by Darkstack7, Joshua sits down with Chris Cronin, partner at Halock Security Labs and founding partner of Reasonable Risk, to explore the intersection of cybersecurity, risk management, and the legal principles behind “reasonable” safeguards. Chris unpacks the DoCRA Standard and CIS RAM, sharing how historical and legal …
In this episode I chat with Patrick Garrity from VulnCheck. We discuss the chaos that has enveloped the CVE and NVD programs over the past two years. We cover some of the transparency and communication challenges with the existing program, some of the new things that have started to emerge, as well as why they seem to be struggling. We end on t…

GCVE with Cédric Bonhomme and Alexandre Dulaunoy
31:38
In this episode I discuss GCVE and Vulnerability-Lookup with Alex and Cedric from CIRCL. GCVE offers a decentralized approach, allowing organizations to assign their own IDs and publish vulnerabilities independently. Vulnerability-Lookup is the tool that makes GCVE a reality. The flexibility addresses many of the limitations we see today with a sin…

EU Regulations will change everything with Daniel Thompson
31:57
In this episode, we dive into the Product Liability Directive and Cyber Resilience Act with Daniel Thompson, CEO of Crab Nebula. The EU's new legislative framework impacts manufacturers in ways we don't totally understand, but are going to bring substantial changes to how companies use and develop open source. Daniel explains the broader implicatio…

Open source microprocessors with Jan Pleskac
30:51
In this episode Jan Pleskac, CEO and co-founder of Tropic Square, shares insights on the challenges and innovations in creating open and auditable hardware. While most hardware is very closed, Tropic Square is working to change this. We discuss how open source can enhance security, the complexities of integrating third-party technologies, and the f…

Episode 31 Late Diagnosis of women with Eve Holden and Helena Kobayashi-Wood
1:16:39
Max is joined by a brilliant double-act, Eve and Helena, who have explored the experience of late-diagnosed women, both from the inside and outside! The paper is here. The additional data is here. The episode that Eve liked was with Callie Ginapp, and is here. On Bluesky... Eve can be found at @chimpanzeve.bsky.social Helena is @hkobayashiwood.bsky.…

Memory-Only Malware: The Threat You’re Probably Missing
51:27
In episode 39, host Josh Nicholson is joined by memory forensics expert Andrew Case, co-developer of the Volatility framework and co-author of The Art of Memory Forensics. Together, they explore the critical role of memory analysis in modern incident response—uncovering hidden malware, insider threats, and ransomware techniques invisible to traditi…
Max and Tess are joined by Catherine Fava, Clinical Psychologist at Buckinghamshire CAMHS, to talk about her upcoming book about trauma and ADHD. How does trauma manifest? How can it look like ADHD? Should we be flipping the way we approach assessment and treatment in these children? Tess tries to open the can of worms which is the whole 'what is A…

Digital Forensics & Incident Response (DFIR) with Surefire Cyber.
35:42
Cyber threats aren't slowing down—and neither are we. In episode 38 of Cyber Security America, I sit down with two powerhouses from Surefire Cyber—Karla Reffold and Billy Cordio—to pull back the curtain on what’s really happening in today’s incident response and threat intelligence landscape. 💡 What we cover: 📈 Real-world ransomware trends (like lo…
I'm joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages. We dive into how PURLs provide a universal, common-sense standard that is becoming essential for the future of SBOMs and securing the software supply chain. The show notes a…

Hobbyist Maintainers with Thomas DePierre
49:03
Thomas DePierre joins Open Source Security to discuss the central idea from his blog post, "You are all on the hobbyist maintainers turf now," exploring the massive disconnect between the corporate world that consumes open source and the hobbyist community that actually produces it. The conversation reveals this isn't a new problem, but a long-stan…
I chat with Aaron Lippold, creator of MITRE's Security Automation Framework (SAF), to discuss how to escape the pain of manual STIG compliance. We explore the technical details of open-source tools like InSpec, Heimdall, and Vulcan that automate validation, normalize diverse security data, and streamline the entire security authoring process. The s…

Data Intelligence: Breaking Chaos with Kyle DuPont | Ohalo's Innovation in Unstructured Data
40:22
In this powerful episode, we sit down with Kyle DuPont, CEO and Co-Founder of Ohalo, the trailblazing company reshaping the way organizations understand and manage unstructured data. With deep experience in both finance and technology, including a background at Morgan Stanley, Kyle shares the origin story of Ohalo and how their flagship product, Da…
I recently chatted with Andrew Nesbitt about his project, Ecosyste.ms. Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more. With this dataset Andrew is able to gain incredible insights into the world of open source. We chat all about how Ecosyste.ms works and how he manages to wrangle all this data. The s…
Daniel Stenberg, the maintainer of Curl, discusses the increase in AI security reports that are wasting the time of maintainers. We discuss Curl's new policy of banning the bad actors while establishing some pretty sane AI usage guidelines. We chat about how this low-effort, high-impact abuse pattern is a denial-of-service attack on the curl projec…
I recently had a chat with Kairo about a project he maintains called Repository Service for TUF (RSTUF). We explain why TUF is tough (har har har), what RSTUF can do, and some of the challenges around securing repositories. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-05-rstuf-with-kairo-de-a…

Securing GitHub Actions with William Woodruff
31:50
William Woodruff discussed his project, Zizmor, a security linter designed to help developers identify and fix vulnerabilities within their GitHub Actions workflows. This tool addresses inherent security risks in GitHub Actions, such as injection vulnerabilities, permission issues, and mutable tags, by providing static analysis and remediation guid…
Recently, I had the pleasure of chatting with Paul Asadoorian, Principal Security Researcher at Eclypsium and the host of the legendary Paul's Security Weekly podcast. Our conversation dove into the often-murky waters of embedded systems and the Internet of Things (IoT), sparked by a specific vulnerability discussion on Paul's show concerning refer…
Delighted to welcome Robin Ince, legendary comedian and lovely man, to the pod. Robin's new book, Normally Weird and Weirdly Normal, is out today!! By ADHDUK

tj-actions with Endor Lab's Dimitri Stiliadis
32:39
Dimitri Stiliadis, CTO from Endor Labs, discusses the recent tj-actions/changed-files supply chain attack, where a compromised GitHub Action exposed CI/CD secrets. We explore the impressive multi-stage attack vector and the broader often-overlooked vulnerabilities in our CI/CD pipelines, emphasizing the need to treat these build systems with produc…

Telegram Exposed: The Super App Enabling Cyber Crime
53:28
In episode 36, Josh welcomes renowned intelligence systems expert Stephen Arnold to shine a light on one of the most underestimated threats in cybersecurity today—Telegram. Known to most as a simple messaging app, Telegram is quietly operating as a “super app” for cyber crime. From crypto laundering and hamster games masking gambling platforms, to …

Episode 28: Cognitive disengagement with Stephen Becker
36:45
Max is joined by Stephen Becker, Professor of Pediatrics at Cincinnati, about the fascinating Cognitive Disengagement Syndrome, a condition that is both in some ways the opposite of ADHD, but also commonly co-exists. If you want to know more, Stephen has made a lot of the work on this open access- here for example: https://pubmed.ncbi.nlm.nih.gov/3…
I chat with Alan Pope about the open source security tools Syft, Grype, and Grant. These tools help create Software Bills of Materials (SBOMs) and scan for vulnerabilities. Learn why generating and storing SBOMs is crucial for understanding your software supply chain and quickly responding to new threats like Log4Shell. The show notes and blog post…
Aaron Frost explores the overly complex world of vulnerability identifiers for end of life software. We discuss how incomplete CVE reporting creates blind spots for users while arming attackers with knowledge. The conversation uncovers the ethical tensions between resource constraints and security transparency, highlighting why the "vulnerable unti…

cargo-semver-checks with Predrag Gruevski
33:35
Cargo Semver Checks is a Rust tool by Predrag Gruevski that is tackling the problem of broken dependencies that cost developers time when trying to upgrade dependencies. Predrag's work shows how automated checks can catch breaking changes before they're released, potentially saving projects from unexpected failures and making dependency updates les…

Cyber Battlefield Insights: Lessons in Incident Response and Dark Web Tour
1:03:48
Join host Joshua Nicholson, a seasoned cybersecurity veteran with over 24 years of frontline experience, as he dives deep into the high-stakes world of incident response and takes you on an exclusive dark web tour. In this power-packed episode, Joshua shares real-world lessons learned from handling hundreds of cyber incidents, breaking down the bes…

Distributed CI and Git with Lars Wirzenius
27:27
Lars Wirzenius discusses his innovative CI/CD system Ambient, which uses isolated virtual machines without network access to enhance security, and his work on Radicle, a peer-to-peer Git collaboration platform. Together, these projects offer a glimpse into a more distributed future for software development, addressing key challenges in current CI/C…
William Brown tells us all about how confusing and complicated the FIDO authentication universe is. He talks about everything from WebAuthn implementation challenges to flaws in the FIDO metadata service that affect how hardware tokens are authenticated. The conversation covers the spectrum of hardware security key quality, attestation mechanisms, and the …
Max is joined by Isabella Barclay to talk about what factors lead to children getting an earlier vs later diagnosis- or even a diagnosis at all. Isabella is a passionate advocate for ADHD, and needs to be listened to! By ADHDUK
In this episode, open source legal expert Luis Villa breaks down what the EU's Cyber Resilience Act means for developers and businesses, exploring carve-outs for individual contributors and the complex relationship between security and sustainability. Luis provides practical guidance on navigating this evolving regulatory landscape while explaining…

Episode 26: The trouble with positive emotions, with Julia McQuade
37:49
Max is joined by Julia McQuade from Amherst College, USA. Julia has published this paper: https://link.springer.com/article/10.1007/s10802-024-01237-2 She studied the regulation of positive emotion in adolescents with ADHD, and found that control of these emotions predicted social success. Max unpicks the implications of this and tries to get to…
Brian Fox discusses findings from a recent Sonatype report about the growing challenge of malicious packages in open source repositories. At the time of recording there are now over 820,000 malware packages in public repositories. Brian explains why certain ecosystems are more vulnerable than others and how behavioral detection methods can identify…

Open Source Foundations with Kelley Misata of Suricata
31:45
In this episode Open Source Security talks to Dr. Kelley Misata about the Open Information Security Foundation (OISF). The way OISF is managing Suricata through a foundation is super interesting. There are a lot of lessons in this one for both open source projects and existing open source foundations. The blog post for this episode can be found at h…

Episode 25: The positives of ADHD with Dr Tom Nicholson
58:06
Is ADHD a superpower? Is that a helpful way of talking about it? Our guest, once again Dr Tom Nicholson, has done actual research on the positives of ADHD, as experienced by ADHD people ourselves! Catch up with Tom on social media or at https://www.drtomnicholson.com/ By ADHDUK

Forking Open Source Projects with Sheogorath
22:14
In this episode Open Source Security chats with Sheogorath about the HedgeDoc project's journey from HackMD to CodiMD and finally to HedgeDoc. We learn what forking a project looks like, including license changes (MIT to AGPL), security vulnerability management across different codebases, naming challenges, and infrastructure migrations. The conversati…