The EU Cyber Resilience Act joins the long list of regulations intended to improve the security of software delivered to users. Emily Fox and Roman Zhukov share their experience educating regulators on open source software and educating open source projects on security. They talk about creating a baseline for security that addresses technical items, maintaining projects, and supporting project owners so they can focus on their projects.
Segment resources:
- github.com/ossf/wg-globalcyberpolicy
- github.com/orcwg
- baseline.openssf.org
Emily Fox is a DevOps enthusiast, security unicorn, and advocate for Women in Technology. She promotes the cross-pollination of development and security practices. She has worked in security for over 15 years to drive a cultural change where security is unobstructive, natural, and accessible to everyone. Her technical interests include containerization, least privilege, automation, and promoting women in technology. She holds a BS in Information Systems and an MS in cybersecurity.
Practicing cybersecurity expert, engineer and manager (17+ years). Currently: Principal Architect – Security Communities Lead at Red Hat. Formerly: Head of Product Security & Privacy for Data Center & AI SW at Intel. Roman has broad experience from security architecture & threat modelling to secure development & tooling to vulnerability management & incident response to security education programs for engineers & senior managers. Currently Roman leads industry engagement and several Open-Source security initiatives: Security Champion for open source projects, contributor to several working groups under OpenSSF, Eclipse, other foundations. Lecturer at Universities, Advisor for Startups and Security Evangelist. Member of the EU official CRA Standardization working groups.
Join us at InfoSec World 2025, October 27 to 29 at Disney’s Coronado Springs Resort, Lake Buena Vista! With pre-event workshops October 25–26, and post-event workshops October 29–30. Connect, learn, and level up your cyber game! Save 25% now with code ISW25-SW at https://www.securityweekly.com/ISW2025!
Mike Shema
- How We Exploited CodeRabbit: From a Simple PR to RCE and Write Access on 1M Repositories
- MCP vulnerability case study: SQL injection in the Postgres MCP server | Datadog Security Labs
The company whose model copied code from places like Stack Overflow created a reference implementation of a Postgres MCP server with a trivial SQL injection vuln. Nothing improved here.
- Weaponizing image scaling against production AI systems
- Securing the Agentic AI Control Plane: Announcing the MCP Security Resource Center
- Guess Who Would Be Stupid Enough To Rob The Same Vault Twice? Pre-Auth RCE Chains in Commvault
- FYI: .:: Phrack Magazine ::.
Issue 72 celebrated the 40th anniversary of the hacking culture "newsletter-type project" (as the first issue described itself).
- FYI: Trust & Safety Tycoon
A game more in the style of a visual novel than an open-world exploration. But relevant as a reminder to appsec that securing code is only one step toward securing a system, let alone securing a user experience.