#OpenSourceSecurity chats with @Di4na about his blog post explaining hobbyist open source maintainers
Whatever you think you know about open source, you're going to learn something from this one
An enormous amount of the open source that runs the world is written by hobbyists, and how we can support them is not at all obvious or easy
https://opensourcesecurity.io/2025/2025-06-hobbyist-thomas-depierre/
In this episode of #OpenSourceSecurity I chat with Aaron Lippold from MITRE about #STIG automation (it's one big open source project)
STIG has historically been incredibly difficult and a bit of a niche space. Thanks to #FedRAMP it's getting more attention than ever before, and the work Aaron has been doing makes it a lot easier
https://opensourcesecurity.io/2025/2025-06-stig-automation-aaron-lippold/
Build a homelab that’s responsive and secure — with open source tools like @CrowdSec
Check out this great talk by community member Jonny5, recorded at @_bsideskc last month https://youtube.com/watch?v=TZFNesWJbTc
Set up CrowdSec IPDEX on OPNsense to enhance threat detection, response, and intelligence gathering.
Follow this guide by CrowdSec Ambassador Flaviu to start running CrowdSec IPDEX, a simple CLI tool that gathers insights on IP addresses, on @opnsense, the open source FreeBSD-based firewall.
Get started https://vlaicu.io/posts/crowdsec-ipdex/
This week #OpenSourceSecurity chats with @andrewnez about @ecosystems
Ecosyste.ms is a massive collection of data about open source projects
It's an amazingly useful collection of data. If you're doing anything that needs information about open source packages, or git repos, or even the folks who work on this stuff, you should check it out
https://opensourcesecurity.io/2025/2025-06-ecosystems_andrew_nesbitt/
70% of software uses open source, but only 15% of organizations are confident in their risk management. Attend our launch webinar to see how Anchore SBOM can help! We'll demo SBOM management, vulnerability prioritization, and more. Register here: https://go.anchore.com/introducing-anchore-sbom.html #OpenSourceSecurity #Webinar #Anchore
[1/2]
Spike in Fortinet CVE-2024-55591 vulnerability rapidly increased in the past week
The #CrowdSec Network has detected a wave of exploitation attempts targeting CVE-2024-55591, a Fortinet vulnerability that affects FortiWAN versions before 5.3.2. First seen on April 23rd, the CrowdSec Network still sees elevated levels of probing and exploitation.
About the exploit:
This flaw allows remote attackers to perform unauthenticated command injection on exposed FortiWAN instances. This vulnerability affects FortiWAN versions prior to 5.3.2. It enables attackers to execute arbitrary commands via crafted HTTP requests — no authentication required.
Trend analysis:
April 23rd: The CrowdSec Network detects a shift in the long-term trend of CVE-2024-55591 exploits.
April 23rd - April 28th: Activity increases rapidly from 30 to about 80 malicious IPs reported daily, producing over 400 distinct attack events.
April 29th - May 2nd: The attackers take a break. This provides a key point of insight into the nature of this attack campaign.
May 3rd - May 19th: The attack picks back up with increased intensity. It now originates from around 200 unique IP addresses per day and produces about 900 attack events per day.
May 19th: The CrowdSec Network still sees elevated levels of probing and exploitation attempts.
How to protect your systems:
You can use CrowdSec’s open CTI search bar and blocklists to stay ahead of the curve. https://app.crowdsec.net/cti?q=cves%3A%22CVE-2024-55591%22&page=1
Alternatively, you can use CrowdSec’s newest tool, IPDEX, to build instant reports for this particular CVE and explore the data CrowdSec has aggregated. https://www.crowdsec.net/blog/introducing-crowdsec-ipdex
For more information, visit http://crowdsec.net
[2/2]
As the image shows, many actors in the results are classified as benign, which confirms that although the exploit is dangerous, the actual campaign is not. This level of enrichment provided by CrowdSec CTI helps security teams prioritize alerts, and IPDEX supports this workflow, allowing analysts to filter out harmless campaigns such as the one by the Shadowserver Foundation. You can also add a filter within IPDEX to remove those benign actors and filter on the date of last activity.
You can get started with IPDEX by heading over to the CrowdSec GitHub https://github.com/crowdsecurity/ipdex
The #SBOMlearningWeek series concludes! We've covered fundamentals, implementation, scaling, expert insights, and now the crucial intersections with compliance, #opensourcesecurity, and #DevSecOps. Software supply chain attacks continue to escalate—is your org prepared? https://anchore.com/blog/sboms-as-the-crossroad-of-the-software-supply-chain-anchore-learning-week-day-5/ (Miss any? Start at day #1: https://anchore.com/blog/sbom-fundamentals-anchore-learning-week-day-1/) #AppSec
Looking to break into #Cybersecurity or gain hands-on experience in #OpenSourceSecurity? The OpenSSF BEAR WG is teaming up with LFX Mentorship for the Summer 2025 program — and applications are now open!
Projects include #RSTUF and #gittuf, with a stipend for mentees! Deadline: May 18, 2025
Read the blog for details + tips to apply: https://openssf.org/blog/2025/05/08/announcing-the-summer-2025-openssf-mentorship-program/
Apply now: https://mentorship.lfx.linuxfoundation.org/project/682e1c59-cd50-4602-ac91-2da8a9be01ea
In this episode of #OpenSourceSecurity I talk with @paulasadoorian about embedded security, but with an open source twist
It's open source all the way down. And old open source quite often. It's a really fun discussion, I learned a lot!
https://opensourcesecurity.io/2025/2025-05-embedded-security-with-paul-asadoorian/
In this episode of #OpenSourceSecurity I chat with Dimitri Stiliadis of @endorlabs about the tj-actions/changed-files backdoor
Endor did some great research into how many repos were affected and we cover some of the background on this attack. It's way weirder than you can imagine
https://opensourcesecurity.io/2025/2025-04-tjactions_with_dimitri_stiliadis/