Best Joshua Nicholson Podcasts (2025)

1
Eclipse Foundation SBOMs with Mikael Barbero 31:15

Play Pause

1d ago31:15

31:15

In this conversation, Josh speaks with Mikael Barbero, head of security at the Eclipse Foundation. They discuss the foundation's role in enhancing the security posture of open source projects, the importance of Software Bill of Materials (SBOMs), and the various security services provided to projects. Mikael explains the challenges and strategies i…

1
Surviving Ransomware: Strategies and Stories with Cybersecurity Expert Matthew Waddell 42:23

5d ago42:23

42:23

In episode 44 of Cyber Security America, host Joshua Nicholson sits down with Matthew Waddell, a battle-tested cybersecurity leader with over 25 years of experience in digital forensics, incident response, and ransomware defense. From conducting “just-in-time forensics” under combat conditions in Iraq and Afghanistan to leading global ransomware in…

1
Actually finding vulnerabilities using AI with Joshua Rogers 31:35

9d ago31:35

31:35

I chat with Joshua Rogers about a blog post he wrote as well as some bugs he submitted to the curl project. Joshua explains how he went searching for some AI tools to help find security bugs, and found out they can work, if you're a competent human. We discuss the challenges of finding effective tools, the importance of human oversight in triaging …

1
Sustaining Package Repositories with Brian Fox 42:20

16d ago42:20

42:20

Brian Fox discusses the challenges and future of open source package repository infrastructure. We discuss the complexities of managing public registries, the impact of overconsumption, and the importance of sustainable practices in the open source community. Brian tells us how organizations can reduce their footprint and contribute to a more balan…

1
Arch Linux Security with Foxboron and Anthraxx 38:08

23d ago38:08

38:08

Join us for a conversation with Foxboron (Morten Linderud) and Anthraxx (Levente Polyak), members of the Arch Linux security team. We talk about the difficulties of maintaining a Linux distribution, the challenges of handling CVEs, and the dedication of volunteers who keep the open-source community working (and how overworked those volunteers are).…

1
Penetration Testing and Social Engineering: Insights from Steve Stasiukoni 56:49

30d ago56:49

56:49

🎙 Inside the World of Cybersecurity with Steve Stasiukonis Tune in to the latest episode of Cyber Security America as we explore real-world solutions for defending against today's ever-evolving cyber threats. Our guest, Steve Stasiukonis, President of Secure Network Technologies, brings over 29 years of experience in penetration testing, informatio…

1
OpenSSL with Hana Andersen and Anton Arapov 28:48

30d ago28:48

28:48

I discuss all things OpenSSL with Hana Andersen and Anton Arapov from the OpenSSL Corporation. Discover the intricacies of organizing the first-ever OpenSSL conference in Prague, the importance of post-quantum cryptography, and the evolution of OpenSSL from a small team to a global community. Whether you're a seasoned cryptographer or just curious …

1
Episode 32 with Blandine French 1:04:51

1M ago1:04:51

1:04:51

Our last episode for a while... Max talks to Dr Blandine French, who not only found a problem (lack of knowledge in UK doctors about ADHD), she got up and did something about it! She's remarkable, and you can find out all about her at https://ndlab.org.uk/ Bye for now!By ADHDUK

51
The Python Software Foundation with Deb Nicholson 37:48

1M ago37:48

37:48

In this episode I discuss the Python Software Foundation with Deb Nicholson. We discuss their contributions to the Python programming community. Learn how this dedicated organization supports the growth and innovation of Python, fostering an ecosystem for developers worldwide. Everything funding open-source projects to organizing community events, …

1
Defense Contractors: CMMC Is Here — And the Clock Is Ticking 29:34

1M ago29:34

29:34

In our latest Cybersecurity America episode (42), I had the privilege of speaking with Jim Goepel, a true leader in cybersecurity and compliance — and someone who has helped shape the very ecosystem he now advises. Jim is the CEO of Fathom Cyber, a consulting firm in North Wales, PA specializing in: 🔹 CMMC assessment preparation 🔹 CUI education and…

51
Using Mercator to map assets with Didier Barzin 25:48

1M ago25:48

25:48

In this episode, we the information system mapping tool Mercator with Didier Barzin, a CISO at a hospital in Luxembourg. Discover how Mercator revolutionizes the way organizations map their complex information systems. From hospitals to universities and even the banking sector. Mercator helps manage and protect vast networks by creating dynamic, co…

51
Talos Linux security with Andrey Smirnov 38:04

2M ago38:04

38:04

In this episode, I discuss into the security features of Talos Linux with Andrey Smirnov. Andrey explains how Talos focuses on its immutability and minimal attack surface. Discover how these enhancements fortify your systems against vulnerabilities, ensuring a secure and resilient infrastructure. Join us as we explore the security advancements that…

51
Discussing the Open Source, Open Threats? paper with Behzad and Ali 34:59

2M ago34:59

34:59

In this episode I chat with the authors of a recent paper on open source security: Open Source, Open Threats? Investigating Security Challenges in Open-Source Software. I chat with Ali Akhavani and Behzad Ousat about their findings. There are interesting data points in the paper such as a 98% increase in reported vulnerabilities compared to a 25% g…

1
From Combat Boots to Cybersecurity - Nia Luckey on her journey 53:08

2M ago53:08

53:08

In this episode of the Cybersecurity America Podcast, sponsored by DarkStack7, host Joshua Nicholson sits down with Nia Luckey — Army veteran, published author, and cybersecurity leader — to talk about her powerful journey from military service to the frontlines of cyber defense. Nia shares lessons on resilience, leadership, and transitioning from …

51
crates.io trusted publishing with Tobias Bieniek 25:39

2M ago25:39

25:39

In this episode we discuss crates.io trusted publishing with Tobias Bieniek. We cover the steps crates.io is taking to enhance supply chain security through trusted publishing, a method that leverages short-lived tokens and GitHub actions to safeguard against unauthorized access. Tobias shares insights into the challenges of managing a large-scale …

1
Cybersecurity’s Golden Rule: The Legal Blueprint No One Shares 48:07

2M ago48:07

48:07

In this episode, sponsored by Darkstack7, Joshua sits down with Chris Cronin, partner at Halock Security Labs and founding partner of Reasonable Risk, to explore the intersection of cybersecurity, risk management, and the legal principles behind “reasonable” safeguards. Chris unpacks the DoCRA Standard and CIS RAM, sharing how historical and legal …

51
CVE update with Patrick Garrity 32:25

2M ago32:25

32:25

In this episode I chat with Patrick Garrity from VulnCheck. We discuss the chaos that has enveloped the CVE and NVD programs over the past two years. We cover some of the transparency and communication challenges with the existing program. What some of the new things that have started to emerge as well as why they seem to be struggling. We end on t…

1
GCVE with Cédric Bonhomme and Alexandre Dulaunoy 31:38

3M ago31:38

31:38

In this episode I discuss GCVE and Vulnerability-Lookup with Alex and Cedric from CIRCL. GCVE offers a decentralized approach, allowing organizations to assign their own IDs and publish vulnerabilities independently. Vulnerability-Lookup is the tool that makes GCVE a reality. The flexibility addresses many of the limitations we see today with a sin…

1
EU Regulations will change everything with Daniel Thompson 31:57

3M ago31:57

31:57

In this episode, we dive into the Product Liability Directive and Cyber Resilience Act with Daniel Thompson, CEO of Crab Nebula. The EU's new legislative framework impacts manufacturers in ways we don't totally understand, but are going to bring substantial changes to how companies use and develop open source. Daniel explains the broader implicatio…

1
Open source microprocessors with Jan Pleskac 30:51

3M ago30:51

30:51

In this episode Jan Pleskac, CEO and co-founder of Tropic Square, shares insights on the challenges and innovations in creating open and auditable hardware. While most hardware is very closed, Tropic Square is working to change this. WE discuss how open source can enhance security, the complexities of integrating third-party technologies, and the f…

1
Episode 31 Late Diagnosis of women with Eve Holden and Helena Kobayashi-Wood 1:16:39

3M ago1:16:39

1:16:39

Max is joined by a brilliant double-act, Eve and Helena, who have explored the experience of late-diagnosed women, both from the inside and outside! The paper is here. The additional data is here. The episode that Eve liked was with Callie Ginapp, and is here On Bluesky... Eve can be found at @chimpanzeve.bsky.social Helena is @hkobayashiwood.bsky.…

1
Memory-Only Malware: The Threat You’re Probably Missing 51:27

3M ago51:27

51:27

In episode 39, host Josh Nicholson is joined by memory forensics expert Andrew Case, co-developer of the Volatility framework and co-author of The Art of Memory Forensics. Together, they explore the critical role of memory analysis in modern incident response—uncovering hidden malware, insider threats, and ransomware techniques invisible to traditi…

1
Episode 30 with Catherine Fava 55:37

4M ago55:37

55:37

Max and Tess are joined by Catherine Fava, Clinical Psychologist at Buckinghamshire CAMHS, to talk about her upcoming book about trauma and ADHD. How does trauma manifest? How can it look like ADHD? Should we be flipping the way we approach assessment and treatment in these children? Tess tries to open the can of worms which is the whole 'what is A…

1
Digital Forensics & Incident Response (DFIR) with Surefire Cyber. 35:42

4M ago35:42

35:42

Cyber threats aren't slowing down—and neither are we. In episode 38 of Cyber Security America, I sit down with two powerhouses from Surefire Cyber—Karla Reffold and Billy Cordio—to pull back the curtain on what’s really happening in today’s incident response and threat intelligence landscape. 💡 What we cover: 📈 Real-world ransomware trends (like lo…

1
Package URLs with Philippe Ombredanne 36:48

4M ago36:48

36:48

I'm joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages. We dive into how PURLs provide a universal, common-sense standard that is becoming essential for the future of SBOMs and securing the software supply chain. The show notes a…

1
Hobbyist Maintainers with Thomas DePierre 49:03

4M ago49:03

49:03

Thomas DePierre joins Open Source Security to discuss the central idea from his blog post, "You are all on the hobbyist maintainers turf now," exploring the massive disconnect between the corporate world that consumes open source and the hobbyist community that actually produces it. The conversation reveals this isn't a new problem, but a long-stan…

1
STIG automation with Aaron Lippold 33:28

5M ago33:28

33:28

I chat with Aaron Lippold, creator of MITRE's Security Automation Framework (SAF), to discuss how to escape the pain of manual STIG compliance. We explore the technical details of open-source tools like InSpec, Heimdall, and Vulcan that automate validation, normalize diverse security data, and streamline the entire security authoring process. The s…

1
Data Intelligence: Breaking Chaos with Kyle DuPont | Ohalo's Innovation in Unstructured Data 40:22

5M ago40:22

40:22

In this powerful episode, we sit down with Kyle DuPont, CEO and Co-Founder of Ohalo, the trailblazing company reshaping the way organizations understand and manage unstructured data. With deep experience in both finance and technology, including a background at Morgan Stanley, Kyle shares the origin story of Ohalo and how their flagship product, Da…

1
Ecosyste.ms with Andrew Nesbitt 35:38

5M ago35:38

35:38

I recently chatted with Andrew Nesbitt about his project, Ecosyste.ms. Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more. With this dataset Andrew is able to incredible insights into the world of open source. We chat all about how Ecosyste.ms works and how he manages to wrangle all this data. The s…

1
Curl vs AI with Daniel Stenberg 34:23

5M ago34:23

34:23

Daniel Stenberg, the maintainer of Curl, discusses the increase in AI security reports that are wasting the time of maintainers. We discuss Curl's new policy of banning the bad actors while establishing some pretty sane AI usage guidelines. We chat about how this low-effort, high-impact abuse pattern is a denial-of-service attack on the curl projec…

1
Repository signing with Kairo De Araujo 33:29

5M ago33:29

33:29

I recently had a chat with Kairo about a project he maintains called Repository Service for TUF (RSTUF). We explain why TUF is tough (har har har), what RSTUF can do, and some of the challenges around securing repositories. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-05-rstuf-with-kairo-de-a…

1
Securing GitHub Actions with William Woodruff 31:50

5M ago31:50

31:50

William Woodruff discussed his project, Zizmor, a security linter designed to help developers identify and fix vulnerabilities within their GitHub Actions workflows. This tool addresses inherent security risks in GitHub Actions, such as injection vulnerabilities, permission issues, and mutable tags, by providing static analysis and remediation guid…

1
Embedded Security with Paul Asadoorian 34:24

6M ago34:24

34:24

Recently, I had the pleasure of chatting with Paul Asadoorian, Principal Security Researcher at Eclypsium and the host of the legendary Paul's Security Weekly podcast. Our conversation dove into the often-murky waters of embedded systems and the Internet of Things (IoT), sparked by a specific vulnerability discussion on Paul's show concerning refer…

1
Episode 29 with Robin Ince 1:27:00

6M ago1:27:00

1:27:00

Delighted to welcome Robin Ince, legendary comedian and lovely man, to the pod. Robin's new book, Normally Weird and Weirdly Normal, is out today!!By ADHDUK

1
tj-actions with Endor Lab's Dimitri Stiliadis 32:39

6M ago32:39

32:39

Dimitri Stiliadis, CTO from Endor Labs, discusses the recent tj-actions/changed-files supply chain attack, where a compromised GitHub Action exposed CI/CD secrets. We explore the impressive multi-stage attack vector and the broader often-overlooked vulnerabilities in our CI/CD pipelines, emphasizing the need to treat these build systems with produc…

1
Telegram Exposed: The Super App Enabling Cyber Crime 53:28

6M ago53:28

53:28

In episode 36, Josh welcomes renowned intelligence systems expert Stephen Arnold to shine a light on one of the most underestimated threats in cybersecurity today—Telegram. Known to most as a simple messaging app, Telegram is quietly operating as a “super app” for cyber crime. From crypto laundering and hamster games masking gambling platforms, to …

1
Episode 28: Cognitive disengagement with Stephen Becker 36:45

6M ago36:45

36:45

Max is joined by Stephen Becker, Professor of Pediatrics at Cincinnati, about the fascinating Cognitive Disengagement Syndrome, a condition that is both in some ways the opposite of ADHD, but also commonly co-exists. If you want to know more, Stephen has made a lot of the work on this open access- here for example: https://pubmed.ncbi.nlm.nih.gov/3…

1
Syft, Grype, and Grant with Alan Pope 31:04

6M ago31:04

31:04

I chat with Alan Pope about the open source security tools Syft, Grype, and Grant. These tools help create Software Bills of Materials (SBOMs) and scan for vulnerabilities. Learn why generating and storing SBOMs is crucial for understanding your software supply chain and quickly responding to new threats like Log4Shell. The show notes and blog post…

1
CVE for EOL with Aaron Frost 30:00

6M ago30:00

30:00

Aaron Frost explores the overly complex world of vulnerability identifiers for end of life software. We discuss how incomplete CVE reporting creates blind spots for users while arming attackers with knowledge. The conversation uncovers the ethical tensions between resource constraints and security transparency, highlighting why the "vulnerable unti…

1
cargo-semver-checks with Predrag Gruevski 33:35

7M ago33:35

33:35

Cargo Semver Checks is a Rust tool by Predrag Gruevski that is tackling the problem of broken dependencies that cost developers time when trying to upgrade dependencies. Predrag's work shows how automated checks can catch breaking changes before they're released, potentially saving projects from unexpected failures and making dependency updates les…

1
Cyber Battlefield Insights: Lessons in Incident Response and Dark Web Tour 1:03:48

7M ago1:03:48

1:03:48

Join host Joshua Nicholson, a seasoned cybersecurity veteran with over 24 years of frontline experience, as he dives deep into the high-stakes world of incident response and takes you on an exclusive dark web tour. In this power-packed episode, Joshua shares real-world lessons learned from handling hundreds of cyber incidents, breaking down the bes…

1
Distributed CI and Git with Lars Wirzenius 27:27

7M ago27:27

27:27

Lars Wirzenius discusses his innovative CI/CD system Ambient, which uses isolated virtual machines without network access to enhance security, and his work on Radicle, a peer-to-peer Git collaboration platform. Together, these projects offer a glimpse into a more distributed future for software development, addressing key challenges in current CI/C…

1
FIDO authentication with William Brown 29:26

7M ago29:26

29:26

William Brown tells us all about how confusing and complicated the FIDO authentication universe is. He talks about WebAuthn implementation challenges to flaws in the FIDO metadata service that affect how hardware tokens are authenticated against. The conversation covers the spectrum of hardware security key quality, attestation mechanisms, and the …

1
Episode 27 with Isabella Barclay 58:54

7M ago58:54

58:54

Max is joined by Isabella Barclay to talk about what factors lead to children getting an earlier vs later diagnosis- or even a diagnosis at all. Isabella is a passionate advocate for ADHD, and needs to be listened to!By ADHDUK

1
CRA with Luis Villa 25:46

7M ago25:46

25:46

In this episode, open source legal expert Luis Villa breaks down what the EU's Cyber Resilience Act means for developers and businesses, exploring carve-outs for individual contributors and the complex relationship between security and sustainability. Luis provides practical guidance on navigating this evolving regulatory landscape while explaining…

1
Episode 26: The trouble with positive emotions, with Julia McQuade 37:49

7M ago37:49

37:49

Max is joined by Julia McQuade from Amhurst College, USA. Julia has published this paper: https://link.springer.com/article/10.1007/s10802-024-01237-2 She studied the regulation of positive emotion in adolescents with ADHD, and found that control of these emotions predicted social success. Max unpicks the implications of this and tries to to get to…

1
Open Source Malware with Brian Fox 30:18

8M ago30:18

30:18

Brian Fox discusses findings from a recent Sonatype report about the growing challenge of malicious packages in open source repositories. At the time of recording there are now over 820,000 malware packages in public repositories. Brian explains why certain ecosystems are more vulnerable than others and how behavioral detection methods can identify…

1
Open Source Foundations with Kelley Misata of Suricata 31:45

8M ago31:45

31:45

In this episode Open Source Security talks to Dr. Kelly Masada about the Open Information Security Foundation (OISF). The way OISF is managing Suricata through a foundation is super interesting. There are a lot of lessons in this one for both open source projects and existing open source foundations. The blog post for this episode can be found at h…

1
Episode 25: The positives of ADHD with Dr Tom Nicholson 58:06

8M ago58:06

58:06

Is ADHD a superpower? Is that a helpful way of talking about it. Our guest, once again Dr Tom Nicholson, has done actual research on the positives of ADHD, as experienced by ADHD people ourselves! Catch up with Tom on social media or at https://www.drtomnicholson.com/By ADHDUK

1
Forking Open Source Projects with Sheogorath 22:14

8M ago22:14

22:14

In this episode Open Source Security chats with Sheogorath about HedgeDoc project's journey from HackMD to CodiMD and finally to HedgeDoc. We learn what forking a project looks like, including license changes (MIT to AGPL), security vulnerability management across different codebases, naming challenges, and infrastructure migrations. The conversati…