
Mastering OpenSSF Scorecards & SBOMs with Chris Swan

21 April 2024 · 59 mins

In this episode, I’m joined by Chris Swan from Atsign to explore the evolving landscape of open-source security. Chris’s experience with end-to-end encrypted connections and his work with the Open Source Security Foundation (OpenSSF) offer unique insights into how we can better secure our software supply chains.

We start with a deep dive into Scorecards, an OpenSSF project that helps organizations demonstrate their security practices. What particularly caught my attention was how Atsign has used Scorecards to address customer security concerns, especially for their open-source repositories. Chris’s explanation of how Scorecards evaluate everything from dependency management to CI/CD practices reveals the practical impact of these tools on everyday development.

The conversation gets especially interesting when we explore SBOMs (Software Bill of Materials). Chris breaks down how these inventory lists of software components are reshaping supply chain security, driven by recent executive orders and growing security concerns. His insights into the challenges of SBOM tooling and CI/CD integration highlight the practical hurdles teams face in implementing these security measures.

I was particularly intrigued by our discussion of NIST 2.0 and its implications for cybersecurity frameworks. Chris’s breakdown of how governance and modern security paradigms are evolving shows just how much the security landscape has changed. We also explore Atsign’s open-source SSH NoPorts project, which offers a fascinating approach to remote administration without open ports.

If you’re interested in software security, supply chain management, or the future of open source, you’ll find plenty of practical insights here. Chris brings both deep technical knowledge and real-world experience to the discussion, making complex security concepts accessible while maintaining their technical depth.
