Welcome to The New Stack Context, a podcast where we discuss the latest news and perspectives in the world of cloud native computing. This week we have two guests who discuss their experience with the challenges of securing open source software.
First, we talk to Frank Nagle, a professor at Harvard Business School and co-director of the Census II project to assess security practices in open source software components, in partnership with The Linux Foundation’s Core Infrastructure Initiative (CII). The report, “‘Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software,” attempts to understand the “structural and security complexities in the modern day supply chain where open source is pervasive but not always understood.” We discuss his findings, including the surprising state of under-management for most open source projects.
We also chat with Neeraj Poddar, Aspen Mesh co-founder and engineering lead, who developed the fix for a recent vulnerability in the Istio service mesh project. We speak with Poddar about the challenges of quickly fixing a bug in an open source program when there are so many stakeholders, and how the work should be cordoned off until a public announcement is ready to be made.