
Hi, I'm Jamie Tanna (he/him/his), and I'm currently a Senior Software Engineer at Elastic.

I currently live in Nottingham with my partner Anna Dodson and our cat Morph and our puppy Cookie.

I use my site as a method of blogging about my learnings, as well as sharing information about projects I have previously worked on, or am currently working on, in my spare time.

I'm a maintainer for a number of Open Source projects, including oapi-codegen, and my most recent passion project, dependency-management-data (DMD) and the SaaS platform behind it, deps.fyi.

I'm a GNU/Linux user, a big advocate for the Free Software Movement and the IndieWeb movement, and I try to self-host my own services where possible, instead of relying on other providers.

I have ADHD (Inattentive Type) and am learning how to make my life work better around it.

Drop me an email at hi@jamietanna.co.uk, or using any of the other social links below.

My birthday is on the .

 Listen

Listened to How to Secure the Software Supply Chain by The Tech Trek
Post details
In this episode of The Tech Trek, Amir sits down with Matt Moore, CTO and co-founder of Chainguard, to explore the escalating importance of software supply chain security. From Chainguard’s origin story at Google to the systemic risks enterprises face when consuming open source, Matt shares the lessons, best practices, and technical innovations that help make open source software safer and more reliable. The conversation also touches on AI’s impact on the attack surface, mitigating threats with engineering rigor, and why avoiding long-lived credentials could be your best defense.

🔑 Key Takeaways:
- Security Starts with Engineering: Doing engineering right makes security (and even compliance) much easier.
- Control the Full Chain: Building from source and applying best practices at every build stage significantly reduces exposure to CVEs.
- Attackers Exploit the Edges: Most attacks start small—with a leaked credential or compromised dependency—and cascade through the ecosystem.
- AI Introduces New Vectors: As AI tools integrate deeper into dev workflows, they bring both value and new risks that require thoughtful containment.
- You Can’t Leak What You Don’t Have: Eliminating long-lived credentials is one of the simplest and most effective ways to reduce breach risk.

⏱ Timestamped Highlights:
00:45 – What Chainguard does: securing open source consumption and curating safe containers.
02:56 – Chainguard’s origin story and co-founders’ experience at Google.
06:50 – Building minimal, hardened container images from source to mitigate CVEs.
09:40 – Real-world example: how compiler hardening flags protected Chainguard from a high-severity CVE.
10:59 – The invisible sprawl of open source in enterprise stacks—from Kubernetes to AWS SDKs.
15:45 – How leaked credentials power cascading supply chain attacks.
22:30 – “You can't leak what you don't have”: Chainguard's credential-less auth approach.
24:30 – Most breaches come from known vulnerabilities—not zero-days.
25:38 – AI and security: new use cases, new threats, and the need for explainability.
30:41 – AI adoption in enterprises: security best practices still apply, just to new tools and risks.
34:43 – Learn more at chainguard.dev and explore hardened images at images.chainguard.dev.

💼 Career Tips (from the episode):
- Don’t wait for zero-days: Most real-world breaches stem from unpatched, well-known vulnerabilities. Ship secure, stay patched.
- Build from source: If you're in a security or DevOps role, aim to build and control your stack from the source code up—this provides auditability and trust.
- Engineering rigor is a differentiator: Whether you're launching a startup or working in enterprise tech, applying fundamental engineering principles helps you scale securely.

📚 Resources Mentioned:
🛡️ OpenSSF Projects – e.g., Sigstore, Scorecards, SLSA.
🛠 Projects Mentioned: Kubernetes, Istio, Flux, Tekton, Cert-Manager, Cloud Code.

💬 Quote of the Episode:
“If you do engineering right, security becomes easier. And if you do security right, compliance becomes easier.” — Matt Moore

 Listen

Listened to Demystifying Cyber Resilience and the Tools That Help | Open at Intel by PodBean Development 
Post details
In this episode, Michael Lieberman, Co-founder and CTO of Kusari, walks us through the intersection of open source software and security. We discuss Mike's extensive involvement in OpenSSF projects like SLSA and GUAC, which provide essential frameworks for securing the software development life cycle (SDLC) and managing software supply chains. He explains how these tools help verify software provenance and manage vulnerabilities. Additionally, we explore regulatory concerns such as the Cyber Resilience Act (CRA) and the vital role of the recently released OpenSSF Security Baseline (OSPS Baseline) in helping organizations comply with such regulations. Mike also shares insights into the evolution of open source security practices, the importance of reducing complexity for developers, and the potential benefits of orchestrating security similarly to Kubernetes. We conclude with a look at upcoming projects and current pilots aiming to simplify and enhance open source security.

00:00 Introduction and Guest Welcome
00:19 Mike's Background and Role in Open Source
01:35 Exploring SLSA and GUAC Projects
04:57 Cyber Resiliency Act Overview
06:54 OpenSSF Security Baseline
11:29 Encouraging Community Involvement
18:39 Final Thoughts

Resources:
- OpenSSF's OSPS Baseline
- GUAC
- SLSA
- KubeCon Keynote: Cutting Through the Fog: Clarifying CRA Compliance in C... Eddie Knight & Michael Lieberman

Guest: Michael Lieberman is co-founder and CTO of Kusari where he helps build transparency and security in the software supply chain. Michael is an active member of the open-source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference Architecture whitepaper. He is an elected member of the OpenSSF Governing Board and Technical Advisory Council along with CNCF TAG Security Lead and an SLSA steering committee member.

 Listen

Listened to Open Source Security: Hobbyist Maintainers with Thomas DePierre
Post details
Thomas DePierre joins Open Source Security to discuss the central idea from his blog post, "You are all on the hobbyist maintainers turf now," exploring the massive disconnect between the corporate world that consumes open source and the hobbyist community that actually produces it. The conversation reveals this isn't a new problem, but a long-standing reality whose consequences for security, stability, and the future of software we are only now beginning to truly confront. The show notes and blog post for this episode can be found at

 Listen

Listened to Kent Beck by Gergely Orosz 
Post details
Kent Beck—creator of Extreme Programming and co-author of the Agile Manifesto—reflects on decades of coding, from the birth of TDD to his experiments with AI tools shaping software’s future.

 Listen

Listened to Scott & Mark Learn To... How Not to Ship the Org Chart | Scott & Mark Learn To...
Post details
Listen to Scott & Mark Learn To... How Not to Ship the Org Chart from Scott & Mark Learn To.... In this episode of Scott & Mark Learn To, Scott Hanselman and Mark Russinovich discuss the concept of shipping the org chart, a term used to describe when different teams' outputs are inconsistently integrated, reflecting the organizational structure rather than a cohesive product. Scott recounts his experience test-driving an electric vehicle with a disjointed interface, which made him question the internal coordination within the automaker. Mark explains how Microsoft addresses this issue through standardization and tooling, emphasizing the need for consistent APIs and user experiences. They also debate the balance between maintaining consistency and fostering innovation, and how large tech companies like Microsoft and Apple manage these challenges.

Takeaways:
- Establishing UX design standards helps maintain a consistent user experience across features
- Inconsistent design or functionality can impact user perception and trust in a product
- Integrating quality checks early (shift left) helps prevent issues and reduces later fixes

Who are they?
- View Scott Hanselman on LinkedIn
- View Mark Russinovich on LinkedIn

Listen to other episodes at scottandmarklearn.to
Watch Scott and Mark Learn on YouTube
Discover and follow other Microsoft podcasts at microsoft.com/podcasts
Download the Transcript

 Listen

Listened to Adventures in babysitting coding agents with Steve Yegge, co-author of Vibe Coding (Changelog & Friends #96)
Post details
The ever-provocative Steve Yegge joins us fresh off a vibe coding bender so productive, he wrote a book on the topic alongside award-winning author Gene Kim. Steve tells us why he believes the IDE is dead, why babysitting AI agents is more fun than coding, when vibe coding might take over the enterprise, how software d...

 Listen

Listened to Open Source Security: Ecosyste.ms with Andrew Nesbitt
Post details
I recently chatted with Andrew Nesbitt about his project, Ecosyste.ms. Ecosyste.ms catalogs open source projects by tracking packages, dependencies, repositories, and more. With this dataset Andrew is able to gain incredible insights into the world of open source. We chat all about how Ecosyste.ms works and how he manages to wrangle all this data. The show notes and blog post for this episode can be found at

 Listen

Listened to Ep 200: Ed Gamble and James Acaster (with special guest genie Rylan Clark) | Off Menu with Ed Gamble and James Acaster
Post details
Listen to Ep 200: Ed Gamble and James Acaster (with special guest genie Rylan Clark) from Off Menu with Ed Gamble and James Acaster. As we round off another hundo, it’s time to flip the table once again and make Ed and James the guest diners in the dream restaurant. Have their choices changed over the last 100 episodes? And will they exploit as many loopholes as their first attempt? And, once again, the genie is transferring his powers to one of our favourite guests from the last century, Rylan Clark!

A massive thanks to Rylan for being our guest genie. A huge thank you to you all for listening to our stupid podcast over the last 200 episodes. And an extra special thanks, as per, to No Context Off Menu, for memeing the heck out of us (follow them @nocontxtoffmenu).

Recorded by and edited by Ben Williams for Plosive. Artwork by Paul Gilbey (photography and design) and Amy Browne (illustrations).

Follow Off Menu on Twitter and Instagram: @offmenuofficial. And go to our website www.offmenupodcast.co.uk for a list of restaurants recommended on the show. Watch Ed and James's YouTube series 'Just Puddings'. Watch here.

 Listen

Listened to SEV0 2024 | Organization-aware incident response
Post details
See why organizational awareness is an incident superpower with incident.io Product Engineer Lawrence Jones. Lawrence discusses the importance of leveraging organizational context during incident response. He emphasizes using structured data and service catalogs to enhance incident management by bringing valuable organizational knowledge directly to responders.