Josh Bressers
@josh.bressers.name
Mostly on Mastodon - VP of Security at Anchore - Open Source Security https://opensourcesecurity.io - Hacker History http://hackerhistory.com - He/Him
I had a chat with @charlieeriksen.bsky.social about the recent NPM attacks
We chat about what happened (now that the dust settled), and we discuss what's next.
Charlie is doing some great work in this space, he understands the problem better than most
NPM supply chain attacks with Charlie Eriksen
Josh chats with Charlie Eriksen, a security researcher at Aikido Security. We discuss the recent NPM supply chain attacks that affect hundreds of packages. Charlie shares his experiences dealing with ...
opensourcesecurity.io
November 10, 2025 at 2:58 PM
This week on #OpenSourceSecurity I talk to @ottoke.bsky.social about his blog post about detecting an attack like xz in Debian
It's a fascinating conversation about a very complicated topic
There are things that could be detected, but this one would have been very very difficult
Detecting XZ in Debian with Otto Kekäläinen
In this episode, Josh and Otto dive into the world of Debian packaging, exploring the challenges of supply chain security and the importance of transparency in open source projects. They discuss Otto’...
opensourcesecurity.io
November 3, 2025 at 3:11 PM
I chat with @mikael.barbero.tech about security happenings at the Eclipse Foundation
My favorite project they have is helping projects generate #SBOMs, but there's a lot happening. If you want to see some public examples of how to do security right, give it a listen!
Eclipse Foundation SBOMs with Mikael Barbero
In this conversation, Josh speaks with Mikael Barbero, head of security at the Eclipse Foundation. They discuss the foundation’s role in enhancing the security posture of open source projects, the imp...
opensourcesecurity.io
October 20, 2025 at 2:34 PM
Reposted by Josh Bressers
🎙 Just wrapped a fantastic conversation with @josh.bressers.name. We dive deep into enhancing open source security and how we do it at the @eclipse.org
Can't wait for you to hear the full episode, coming soon!
October 16, 2025 at 4:18 PM
On #OpenSourceSecurity I had a chat with @brianfox.bsky.social about the sustainability letter from the open source package registries
This one is a big deal. The costs for open source are paid by someone, if you don't know who, you need to read this letter
opensourcesecurity.io/2025/2025-10...
Sustaining Package Repositories with Brian Fox
Brian Fox discusses the challenges and future of open source package repository infrastructure. We discuss the complexities of managing public registries, the impact of overconsumption, and the import...
opensourcesecurity.io
October 6, 2025 at 2:26 PM
Reposted by Josh Bressers
MCP is having a moment. @josh.bressers.name wanted to know: what are we actually shipping?
9,000 vulns
263 critical findings
36K+ NPM packages
Outdated base images
Not fear-mongering—just data-driven real... https://anchore.com/blog/analyzing-the-top-mcp-docker-containers/
#MCP #ContainerSecurity
October 2, 2025 at 10:50 PM
This week on #OpenSourceSecurity I chat with @foxboron.bsky.social and Levente Polyak about Arch Linux security. It's a great chat where we talk about all the difficulties and oddities of trying to keep a Linux distribution secure
I learned a ton, I'm sure you will too
Arch Linux Security with Foxboron and Anthraxx
Join us for a conversation with Foxboron (Morten Linderud) and Anthraxx (Levente Polyak), members of the Arch Linux security team. We talk about the difficulties of maintaining a Linux distribution, t...
opensourcesecurity.io
September 29, 2025 at 3:00 PM
This episode of #OpenSourceSecurity I chat with Hana Andersen and Anton Arapov about their upcoming #OpenSSL conference
They also answer a bunch of my questions about the structure of the OpenSSL project, how we got where we are today, and what's coming next
opensourcesecurity.io/2025/2025-09...
OpenSSL with Hana Andersen and Anton Arapov
I discuss all things OpenSSL with Hana Andersen and Anton Arapov from the OpenSSL Corporation. Discover the intricacies of organizing the first-ever OpenSSL conference in Prague, the importance of pos...
opensourcesecurity.io
September 22, 2025 at 2:27 PM
Reposted by Josh Bressers
Don’t miss this podcast episode with the PSF’s Executive Director, @eximious.bsky.social, on funding open source, PyCon US, global community support & the importance of sustainability!
This episode of #OpenSourceSecurity I chat with Deb Nicholson about the Python Software Foundation. We discuss what they do, their current grant program, and how you can get involved
The PSF is the group behind the legendary Python community. It's a fun chat, Deb has so much knowledge to share
The Python Software Foundation with Deb Nicholson
In this episode I discuss the Python Software Foundation with Deb Nicholson. We discuss their contributions to the Python programming community. Learn how this dedicated organization supports the grow...
opensourcesecurity.io
September 17, 2025 at 12:51 PM
This episode of #OpenSourceSecurity I chat with Deb Nicholson about the Python Software Foundation. We discuss what they do, their current grant program, and how you can get involved
The PSF is the group behind the legendary Python community. It's a fun chat, Deb has so much knowledge to share
September 15, 2025 at 3:52 PM
A new @cyphercon.bsky.social #HackerHistory is out!
This time I'm talking to Dr. Laura Scherling, EdD, Rachael Tubbs, and Ben Schmerler.
It's a super fun conversation where we cover some past, present, and future of hacking
The history of Laura, Rachael, and Ben - Hacker History Podcast
This is a packed episode where we talk to Laura Scherling, Ben Schmerler, and Rachael Tubbs about some hacker history, some hacker future, and the ten year anniversary of the IoT Village. We talk abou...
hackerhistory.com
September 10, 2025 at 3:34 PM
I had a chat with Didier Barzin about his open source project Mercator
Mercator maps assets, monitors compliance, looks for vulnerabilities, and more. I learned so much talking to Didier about what managing assets at a large health care provider looks like.
Using Mercator to map assets with Didier Barzin
In this episode, we discuss the information system mapping tool Mercator with Didier Barzin, a CISO at a hospital in Luxembourg. Discover how Mercator revolutionizes the way organizations map their complex in...
opensourcesecurity.io
September 8, 2025 at 6:55 PM
I had a chat with David Bernstein on the @cyphercon.bsky.social #HackerHistory podcast
David tells us all about his experience in emergency management. David isn't what many would consider a traditional hacker, but it's clear he has had incredible impact over the years.
The history of David Bernstein - Hacker History Podcast
Hacker History sits down with David Bernstein. We learn about David's past in emergency management. David has seen a ton of wild events, and has some really interesting commentary about how emergency ...
hackerhistory.com
September 3, 2025 at 4:16 PM
This week on #OpenSourceSecurity I talk to Andrey Smirnov about Talos Linux security
If you run Kubernetes clusters, big or small, you should look at Talos! Also listen to this discussion, in the order of your choosing.
Talos Linux security with Andrey Smirnov
In this episode, I discuss the security features of Talos Linux with Andrey Smirnov. Andrey explains how Talos focuses on its immutability and minimal attack surface. Discover how these enhanceme...
opensourcesecurity.io
September 2, 2025 at 2:23 PM
The Register wrote a story about a single maintainer open source project, I think it's shameful and upsetting
So I wrote a blog post about it
An absolutely ridiculous amount of open source is one person projects. I have the data to prove it
opensourcesecurity.io/2025/08-oss-...
Open Source is one person
The Register recently published a story titled Putin on the code: DoD reportedly relies on utility written by Russian dev. They should be ashamed of this story, and the company behind the ambulance ch...
opensourcesecurity.io
August 28, 2025 at 1:41 AM
This episode of #OpenSourceSecurity I chat with Ali Akhavani and Behzad Ousat about their paper
Open Source, Open Threats? Investigating Security Challenges in Open-Source Software
We chat about what some of this means now and what it could mean in the future. It's a great discussion!
Discussing the Open Source, Open Threats? paper with Behzad and Ali
In this episode I chat with the authors of a recent paper on open source security: Open Source, Open Threats? Investigating Security Challenges in Open-Source Software. I chat with Ali Akhavani and Be...
opensourcesecurity.io
August 25, 2025 at 2:13 PM
This episode of #OpenSourceSecurity I chat with @tobias.bieniek.cloud about crates.io trusted publishing
I learned a ton about how trusted publishing works, it's one of those very new and very interesting topics
And of course anytime I can talk about #Rust it's a great chat :)
crates.io: Rust Package Registry
crates.io
August 18, 2025 at 3:36 PM
This week on #OpenSourceSecurity I chat with @patrickmgarrity.bsky.social about what's going on with #CVE
It's been a wild couple of months, we break down where we are today, where we think it's going to go soon, and why there are some difficult times ahead for vulnerability nerds
CVE update with Patrick Garrity
In this episode I chat with Patrick Garrity from VulnCheck. We discuss the chaos that has enveloped the CVE and NVD programs over the past two years. We cover some of the transparency and communicatio...
opensourcesecurity.io
August 11, 2025 at 3:41 PM
I talked to Daniel Thompson-Yvetot on the latest episode of #OpenSourceSecurity
The main topic was the coming regulation for software developers. While there are carve outs for open source projects, what counts as an open source project isn't as clear as I thought it was.
EU Regulations will change everything with Daniel Thompson
In this episode, we dive into the Product Liability Directive and Cyber Resilience Act with Daniel Thompson, CEO of Crab Nebula. The EU’s new legislative framework impacts manufacturers in ways we don...
opensourcesecurity.io
July 28, 2025 at 4:22 PM
This #OpenSourceSecurity episode I chatted with Jan Pleskac from Tropic Square about open source microprocessors
I learned an incredible amount about how this all works, what Tropic Square is trying to do, and what we can start to expect in the future
Open source microprocessors with Jan Pleskac
In this episode Jan Pleskac, CEO and co-founder of Tropic Square, shares insights on the challenges and innovations in creating open and auditable hardware. While most hardware is very closed, Tropic ...
opensourcesecurity.io
July 21, 2025 at 2:36 PM
I chatted with Philippe Ombredanne about Package URLs, or PURLs. He created them, so he knows a thing or two.
We do complain about CPE quite a bit :)
But it's a really hard problem. It feels like a package identifier should be easy, but it's way harder than you think it is.
Package URLs with Philippe Ombredanne
I’m joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages. We dive into how PURLs ...
opensourcesecurity.io
June 24, 2025 at 5:55 PM
#OpenSourceSecurity chats with @[email protected] about his blog post explaining hobbyist open source maintainers
Whatever you think you know about open source, you're going to learn something from this one
Hobbyist Maintainers with Thomas DePierre
Thomas DePierre joins Open Source Security to discuss the central idea from his blog post, “You are all on the hobbyist maintainers turf now,” exploring the massive disconnect between the corporate wo...
opensourcesecurity.io
June 16, 2025 at 1:40 PM
This episode of #OpenSourceSecurity I chat with Aaron Lippold from MITRE about #STIG automation (it's one big open source project)
STIG has historically been incredibly difficult
Thanks to #FedRAMP it's getting more attention than ever before and the work Aaron has been doing makes it a lot easier
STIG automation with Aaron Lippold
I chat with Aaron Lippold, creator of MITRE’s Security Automation Framework (SAF), to discuss how to escape the pain of manual STIG compliance. We explore the technical details of open-source tools li...
opensourcesecurity.io
June 9, 2025 at 2:21 PM
This week #OpenSourceSecurity chats with @andrewnez.bsky.social about Ecosyste.ms
Ecosyste.ms is a massive collection of data about open source
It's an amazingly useful collection of data. If you're doing anything that needs information about open source you should check it out
Ecosyste.ms with Andrew Nesbitt
I recently chatted with Andrew Nesbitt about his project, Ecosyste.ms. Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more. With this dataset Andrew is...
opensourcesecurity.io
June 2, 2025 at 5:58 PM
I chatted with @daniel.haxx.se about #Curl and the recent #AI happenings
It's always fun talking to Daniel, and I think there's a lot of good ideas in this one, especially on how to approach AI fueled contributions that aren't slop. And even suggestions on how to deal with slop contributions :)
Curl vs AI with Daniel Stenberg
Daniel Stenberg, the maintainer of Curl, discusses the increase in AI security reports that are wasting the time of maintainers. We discuss Curl’s new policy of banning the bad actors while establishi...
opensourcesecurity.io
May 27, 2025 at 4:46 PM