What's in the SOSS? An OpenSSF Podcast

Hannah Braswell and Jenn Power, security engineers from Red Hat and contributors to the OpenSSF, join host Sally Cooper to discuss the Gemara project. Gemara, an acronym for GRC Engineering Model for Automated Risk Assessment, is a seven-layer logical model that aims to solve the problem of incompatibility in the GRC (Governance, Risk, and Compliance) stack. By outlining a separation of concerns, the project seeks to enable engineers to build secure and compliant systems without needing to be compliance experts. The speakers explain how Gemara grew organically to seven layers and connects with other open source initiatives like the OpenSSF Security Baseline and Finos Common Cloud Controls. They also touch on the ecosystem of tools being built, including Queue schemas and a Go SDK, and how new people can get involved.
Chapters:
00:00 Welcome music + promo clip
00:22 Introductions
02:17 What is Gemara and what problem does it address?
03:58 Why do we need a model for GRC engineering?
05:50 The seven-layer structure of Gemara
07:40 How Gemara connects to other open source projects
10:14 Tools available to help with Gemara model adoption
11:39 How to get involved in the Gemara projects
13:59 Rapid Fire
16:03 Closing thoughts and call to action
Episode links:
Jenn Power LinkedIn page
Hannah Braswell LinkedIn page
Gemara Website
Blog: Introducing the Gemara Model
Publication: Gemara: A Governance, Risk, and Compliance Engineering Model for Automated Risk Assessment
OpenSSF OSPS Baseline
Finos Common Cloud Controls
Privateer
Cyber Resilience Act (CRA) Brief Guide for OSS Developers
LFEL1001: Understanding the EU Cyber Resilience Act (CRA) (Education/Training) 
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

In this final episode of our AI Cyber Challenge (AIxCC) series, CRob and Jeff Diecks wrap-up the journey from DARPA's groundbreaking two-year competition to the exciting collaborative phase happening now. Discover how winning teams are taking their AI-powered vulnerability detection systems into the real world, finding actual bugs in projects like the Linux kernel and CUPS. Learn about the innovative OSS-CRS project that aims to create a standard infrastructure for mixing and matching the best components from different systems, and hear valuable lessons about how to responsibly introduce AI-generated security findings to open source maintainers. The competition may be over, but the real work—and collaboration—is just beginning.
This episode is part 4 of a four-part series on AIxCC:
AIxCC part 1: From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney
AIxCC part 2: From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs
AIxCC part 3: Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC

Chapters:
00:00 - Welcome and Introduction to AICC
01:37 - OpenSSF's AI Security Mission: Two Lenses
03:54 - Competition Highlights: What the Teams Discovered
07:43 - Real-World Impact: From Research to Production
10:44 - Lessons Learned: Working with Open Source Maintainers
13:13 - OSS-CRS: Building a Standard Infrastructure
14:29 - Breaking Down Walls: Post-Competition Collaboration
15:39 - How to Get Involved

Episode links:
Jeff Diecks LinkedIn page
Christopher “CRob” Robinson LinkedIn page
AI Cyber Challenge (AIxCC)
OSS-CRS Project
OpenSSF AI/ML Security Working Group
Cyber Reasoning Systems Special Interest Group (Slack)
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

In the final episode of our AI Cyber Challenge (AIxCC) series, CRob sits down with Michael Brown, Principal Security Engineer at Trail of Bits, to discuss their runner-up cybersecurity reasoning system, Buttercup. Michael shares how their team took a hybrid approach - combining large language models with conventional software analysis tools like fuzzers - to create a system that exceeded even their own expectations. Learn how Trail of Bits made Buttercup fully open source and accessible to run on a laptop, their commitment to ongoing maintenance with prize winnings, and why they believe AI works best when applied to small, focused problems rather than trying to solve everything at once.
This episode is part 3 of a four-part series on AIxCC:
AIxCC part 1: From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney
AIxCC part 2: From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs
AIxCC part 4: Cyber Reasoning Systems: The Real-World Journey After AIxCC
Chapters:
00:04 - Introduction & Welcome
00:12 - About Trail of Bits & Open Source Commitment
03:16 - Buttercup: Second Place in AIxCC
04:20 - The Hybrid Approach Strategy
06:45 - From Skeptic to Believer
09:28 - Surprises & Vindication During Competition
11:36 - Multi-Agent Patching Success
14:46 - Post-Competition Plans
15:26 - Making Buttercup Run on a Laptop
18:22 - The Giant Check & DEF CON
18:59 - How to Access Buttercup on GitHub
21:37 - Enterprise Deployment & Community Support
22:23 - Closing Remarks

Episode links:
Michael Brown’s LinkedIn page
AI Cyber Challenge (AIxCC)
Trail of Bits
Buttercup GitHub Repo
OpenSSF AI/ML Security Working Group
Cyber Reasoning Systems Special Interest Group (Slack)
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

In this 2nd episode in our series on DARPA's AI Cyber Challenge (AIxCC), CRob sits down with Professor Taesoo Kim from Georgia Tech to discuss Team Atlanta's journey to victory. Kim shares how his team - comprised of academics, world-class hackers, and Samsung engineers - initially skeptical of AI tools, underwent a complete mindset shift during the competition. He shares how they successfully augmented traditional security techniques like fuzzing and symbolic execution with LLM capabilities to find vulnerabilities in large-scale open source projects. Kim also reveals exciting post-competition developments, including commercialization efforts in smart contract auditing and plans to make their winning CRS accessible to the broader security community through integration with OSS-Fuzz.
This episode is part 2 of a four-part series on AIxCC:
AIxCC part 1: From Skepticism to Success: The AI Cyber Challenge (AIxCC) with Andrew Carney
AIxCC part 3: Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC
AIxCC part 4: Cyber Reasoning Systems: The Real-World Journey After AIxCC
Chapters:
00:00 - Introduction
00:37 - Team Atlanta's Background and Competition Strategy
03:43 - The Key to Victory: Combining Traditional and Modern Techniques
05:22 - Proof of Vulnerability vs. Finding Bugs
06:55 - The Mindset Shift: From AI Skeptics to Believers
09:46 - Overcoming Scalability Challenges with LLMs
10:53 - Post-Competition Plans and Commercialization
12:25 - Smart Contract Auditing Applications
14:20 - Making the CRS Accessible to the Community
16:32 - Student Experience and Research Impact
20:18 - Getting Started: Contributing to the Open Source CRS
22:25 - Real-World Adoption and Industry Impact
24:54 - The Future of AI-Powered Security Competitions

Episodes Links:
Taesoo Kim’s LinkedIn page
AI Cyber Challenge (AIxCC)
OSS-Fuzz Project
OpenSSF AI/ML Security Working Group
Cyber Reasoning Systems Special Interest Group (Slack)
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn

This episode of What’s in the SOSS features Andrew Carney from DARPA and ARPA-H, discussing the groundbreaking AI Cyber Challenge (AIxCC). The competition was designed to create autonomous systems capable of finding and patching vulnerabilities in open source software, a crucial effort given the pervasive nature of open source in the tech ecosystem. Carney shares insights into the two-year journey, highlighting the initial skepticism from experts that ultimately turned into belief, and reveals the surprising efficiency of the competing teams, who collectively found over 80% of inserted vulnerabilities and patched nearly 70%, with remarkably low compute costs. The discussion concludes with a look at the next steps: integrating these cyber reasoning systems into the open source community to support maintainers and supercharge automated patching in development workflows.

This episode is part 1 of a four-part series on AIxCC:
AIxCC part 2: From Skeptics to Believers: How Team Atlanta Won AIxCC by Combining Traditional Security with LLMs
AIxCC part 3: Buttercup's Hybrid Approach: Trail of Bits' Journey to Second Place in AIxCC
AIxCC part 4: Cyber Reasoning Systems: The Real-World Journey After AIxCC
Chapters:
00:00 - Introduction and Guest Welcome 
00:59 - Guest Background: Andrew Carney's Role at DARPA/ARPA-H
02:20 - Overview of the AI Cyber Challenge (AIxCC)
03:48 - Competition History and Structure
04:44 - The Value of Skepticism and Surprising Learnings
07:11 - Surprising Efficiency and Low Compute Costs
08:15 - Major Competition Highlights and Results
13:09 - What's Next: Integrating Cyber Reasoning Systems into Open Source
16:55 - A Favorite Tale of "Robots Gone Bad"
18:37 - Call to Action and Closing Thoughts

Episode links:
Andrew Carney’s LinkedIn page
AI Cyber Challenge (AIxCC)
OpenSSF AI/ML Security Working Group
Cyber Reasoning Systems Special Interest Group (Slack)
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn