Episode 24

Securing the FOSS Ecosystem with Gareth Rushgrove

February 14th, 2020

43 mins 44 secs

Hosts: Eric Berry | Justin Dorfman | Richard Littauer | Allen “Gunner” Gunn

Special Guest: Gareth Rushgrove

Show Notes

In this episode, we talk with Gareth Rushgrove, from Cambridge, UK, Director of Product Management at a security software startup called Snyk. He has spoken at a number of international technology conferences over the past few years, including FOSDEM, RAMP, BACON, QCon, PuppetConf, Monitorama, GOTO and Velocity. Security and Open Source don’t often go together; in this episode we explore that topic and more.

01:20 Gareth explains that Snyk provides tools for developers who use Open Source Software and helps them stay secure. He also expands on the vulnerability landscape.

02:10 Justin asks Gareth at what point he thinks the community collectively decided that we need to start digging into the security holes in our software, and Gareth answers.

04:00 One of the guys asks Gareth whether security is a passion of his: did he join the company because that’s what he loves, or was it more for Open Source?

05:30 The guys talk about Guy Podjarny (a.k.a. Guypod) and Steve Souders and how they started the web performance movement.

07:30 Richard states that Snyk has 400,000 users on the website and tracks three times more vulnerabilities than a public database. Gareth goes further in depth about this and about what his company covers across ecosystems such as Java, Ruby and Python, how it does a lot of proprietary research, and how it helps projects with responsible disclosure.

11:10 Gareth discusses the Heartbleed vulnerability and the Equifax data breach and their effect on the industry’s view of Open Source. Companies want the Open Source ecosystem to be more secure.

17:50 Gunner chimes in with a question: is there a list of things Gareth wishes Open Source projects would do to be better members of the ecosystem vis-à-vis security, and are there checklists or places to go for best practices? Gareth expands on this.

23:49 Gareth talks about DevSecCon which is a conference that brings developers and security together in one place. There are eight conferences around the world this year.

24:33 One of the guys is curious about the security implications of maintainers whose packages are used by millions of other users, and how often those maintainers don’t know how many users they have. Gareth explains.

26:44 Gunner asks about the role of threat modeling in the work Gareth does and what he recommends.

28:25 Gareth goes in depth about the Helm project and its sponsorship by the CNCF.

37:31 Gareth gives advice on where people can go to find more information about security besides talking to Snyk.


  • 38:40 Justin’s spotlight this week is a blog post by Andrew Mason about [Ruby on Rails Development with VS Code](https://andrewm.codes/posts/ruby-on-rails-development-with-vs-code-p1i/)
  • 39:07 Eric suggests getting off Google Chrome and using Firefox (Developer Edition).
  • 40:15 Gunner’s pick is guix.gnu.org
  • 40:46 Richard’s pick is crubadan.org
  • 41:34 Finally, Gareth’s pick is openpolicyagent.org


Gareth Rushgrove Twitter
Open Policy Agent GitHub
Guy Podjarny Twitter
Steve Souders Twitter
Andrew Mason - Ruby On Rails
An Crúbadán
Open Policy Agent

Support Sustain