
Join Viktor, a proud nerd and seasoned entrepreneur, whose academic journey at Santa Clara University in Silicon Valley sparked a career marked by innovation and foresight. From his college days, Viktor embarked on an entrepreneurial path, beginning with YippieMove, a groundbreaking email migration service, and continuing with a series of bootstrapped ventures.

Episode 9
Chris Swan

Mastering OpenSSF Scorecards & SBOMs with Chris Swan

21 Apr 2024 • 59 mins

In this episode of “Nerding Out with Viktor”, Viktor sits down with Chris Swan, a seasoned engineer from the London tech scene, to dive into the world of open-source security and innovation. Chris shares his fascinating background as an engineer at AtSign, a company revolutionizing networking with end-to-end encrypted connections, and how his experience in security-critical functionalities led him to become involved with OpenSSF (Open Source Security Foundation) and Scorecards.

As they geek out over the concept of Scorecards, Chris explains that this project within OpenSSF allows organizations to demonstrate their commitment to security through a visual indicator of good practices. He shares how AtSign adopted Scorecards to show their dedication to security, especially for their open-source repositories, which has been effective in addressing potential customers’ security concerns. The conversation reveals the applicability of Scorecards to private repositories as well, highlighting their value in driving good security practices internally within organizations.

Chris delves into the specifics of Scorecards, explaining how they evaluate metrics such as dependency management, CI/CD (Continuous Integration/Continuous Deployment) practices, static and dynamic analysis, and compliance with OpenSSF best practices. He describes how Scorecards parse GitHub workflows and other indicators to assess these metrics, encouraging a culture of security within the development process.

As they discuss the impact of Scorecards on development practices, Viktor and Chris emphasize the cultural shift towards better security hygiene. They also touch on the challenges of maintaining quick feedback cycles in CI/CD pipelines while integrating comprehensive security checks. This conversation is sure to resonate with developers and engineers looking to improve their security game.
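The two paragraphs above describe what Scorecard measures and the tension between thorough checks and fast CI feedback. The following is an added example, not code from the podcast or from the OpenSSF Scorecard project: a small policy gate that reads a Scorecard JSON report (the check names are real Scorecard check identifiers, the sample report is constructed and the thresholds are this example's own policy) and fails the build only when a check falls below the threshold the team has chosen. Because it consumes an already-produced report rather than re-running the analysis, it adds very little time to the pipeline.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of `scorecard --format json` output.
# Repository, commit and version fields are placeholders, not a real scan.
SAMPLE_SCORECARD_JSON = """
{
  "date": "2024-04-21",
  "repo": {"name": "github.com/example-org/example-repo", "commit": "0000000"},
  "scorecard": {"version": "0.0.0-sample", "commit": "0000000"},
  "score": 6.8,
  "checks": [
    {"name": "Branch-Protection", "score": 3,
     "reason": "branch protection is not maximal on development and all release branches"},
    {"name": "Pinned-Dependencies", "score": 4,
     "reason": "dependency not pinned by hash detected"},
    {"name": "Token-Permissions", "score": 10,
     "reason": "GitHub workflow tokens follow principle of least privilege"},
    {"name": "SAST", "score": 0,
     "reason": "SAST tool is not run on all commits"},
    {"name": "Dependency-Update-Tool", "score": 10,
     "reason": "update tool detected"},
    {"name": "Dangerous-Workflow", "score": 10,
     "reason": "no dangerous workflow patterns detected"}
  ]
}
"""

# Minimum acceptable score (0-10) per check. This is the example's own policy;
# a team would tune these to the practices it is actually trying to drive.
DEFAULT_POLICY: Dict[str, int] = {
    "Dangerous-Workflow": 10,      # never tolerate injectable workflow patterns
    "Token-Permissions": 8,        # workflow tokens must be close to least privilege
    "Branch-Protection": 5,
    "Pinned-Dependencies": 5,
    "SAST": 5,
    "Dependency-Update-Tool": 10,
}


def parse_scorecard(text: str) -> Dict[str, int]:
    """Map each check name in a Scorecard JSON report to its integer score."""
    report = json.loads(text)
    return {check["name"]: int(check["score"]) for check in report["checks"]}


def evaluate_policy(scores: Dict[str, int], policy: Dict[str, int]) -> List[str]:
    """Return one human-readable line per policy violation (empty list = pass).

    Scorecard reports -1 when a check was inconclusive; the gate treats that
    as failing so an unknown state never passes silently.
    """
    failures: List[str] = []
    for check, minimum in policy.items():
        score = scores.get(check)
        if score is None:
            failures.append(f"{check}: not present in report")
        elif score < 0:
            failures.append(f"{check}: inconclusive (score -1), treated as failing")
        elif score < minimum:
            failures.append(f"{check}: score {score} below minimum {minimum}")
    return failures


def gate(text: str, policy: Dict[str, int] = DEFAULT_POLICY) -> Tuple[bool, List[str]]:
    """Parse a report and apply the policy; returns (passed, failure_messages)."""
    failures = evaluate_policy(parse_scorecard(text), policy)
    return (not failures, failures)


if __name__ == "__main__":
    passed, problems = gate(SAMPLE_SCORECARD_JSON)
    print("PASS" if passed else "FAIL")
    for line in problems:
        print("  -", line)
    raise SystemExit(0 if passed else 1)
```

Run against the constructed report, the gate fails on Branch-Protection, Pinned-Dependencies and SAST while the well-scoring checks pass. Keeping the policy as a small table of per-check minimums is what lets the bar be raised gradually as the culture described above takes hold, rather than switching every check to "must be 10" on day one.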

The conversation then shifts to SBOMs (Software Bill of Materials), with Chris explaining their importance in providing transparency about software dependencies and potential vulnerabilities. He outlines the genesis of SBOMs, driven by a US executive order, and their role in supply chain security. Viktor and Chris discuss the challenges and current state of SBOM tooling and its integration into CI/CD workflows.

Chris provides a brief overview of the NIST Cybersecurity Framework (CSF) 2.0, the recently released update to the framework, noting its new emphasis on governance and the inclusion of newer security paradigms. He emphasizes the evolving landscape of cybersecurity standards and their implications for organizations.

As they wrap up the episode, Chris highlights AtSign’s open-source product, SSH NoPorts, which allows for remote administration without open ports. He encourages listeners to explore this tool, especially those dealing with IoT devices and home labs.

Throughout the conversation, Chris’s expertise shines through, providing valuable insights into the world of open-source security and innovation. His passion for improving security hygiene and promoting good practices is contagious, making this episode a must-listen for anyone interested in tech security.

By tuning in to this episode of “Nerding Out with Viktor”, listeners will gain a deeper understanding of the importance of Scorecards, SBOMs, and other innovations in open-source security. They’ll also get to know Chris Swan’s fascinating background and experience in the London tech scene. So, grab your headphones, sit back, and join Viktor and Chris on this journey into the world of open-source security and innovation!
