Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.

Today, my guest is Kyle Kelly, Tech Lead for Supply Chain Security Research at Semgrep and the founder of the CramHacks weekly newsletter. You can subscribe here 👉 cramhacks.com

With a background in consulting and research, he specializes in supply chain security, using his expertise to shape the insights he shares. Through CramHacks, he empowers readers to take an active role in software security and deepen their understanding of supply chain vulnerabilities.

In this episode, Kyle shares when you should focus on open source vs. commercial tools and why open-source vulnerability management is, in his words, "a dumpster fire." We explore whether open-source versions of commercial tools are more trustworthy, and Kyle debunks the common theory that vulnerabilities persist simply because open-source maintainers haven’t fixed them yet.

But that's not all! We also dive into Kyle's passion for malware analysis and hear about his experiences as a cyber creator—like the time he was banned from Reddit (like me 🥲) for sharing his work.

Dive right in!