In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security Founder and CEO Joseph M. Saunders and embedded systems expert Elecia White, host of Embedded.fm and author of Making Embedded Systems, to discuss the trade-offs of using open source in embedded development.

The conversation goes beyond debates about “open vs. proprietary” to explore how a single library can quietly introduce sprawling dependency chains, unclear maintenance responsibilities, licensing obligations, and long-term security exposure,  especially in devices expected to operate for years or decades.

Elecia and Joe share guidance for using open source intentionally, including how to set guardrails early, limit dependency blast radius, and design systems that can respond when vulnerabilities emerge, even when patching isn’t easy.

Together, they cover:

• Why embedded teams don’t get burned by open source, they get burned by unexamined dependencies
• How transitive dependencies and “helpful” packages quietly expand attack surface
• Why professionalism, documentation, and disclosure practices signal trustworthy projects
• Why build-time SBOMs matter more than after-the-fact analysis
• How Secure by Design thinking reduces reliance on emergency patching

For embedded engineers, product leaders, and security teams balancing delivery pressure with long-lived risk, this episode offers advice for using open source without inheriting future incidents.