Resilient Cyber
Resilient Cyber
Resilient Cyber w/ Kelly Shortridge & Ryan Petrich - OSS Security & the Federal Government
0:00
-58:59

Resilient Cyber w/ Kelly Shortridge & Ryan Petrich - OSS Security & the Federal Government

- First off, if you would, each tell us a bit about your background in the software and cybersecurity space 

- Let's start with the ONCD RFI, what is it, and what led you all to draft such a detailed response to this RFI?

- Right out of the gate you touch on the real potential to "poison resilience" through misguided regulation and recommendations. Can you touch on that a bit? You talk about the ability for regulation to stifle the OSS ecosystem and national innovation

- You talk about the potential for OSS to be considered "critical infrastructure" Some organizations and researchers have advocated for this - you all seem to talk an opposite stance, can you elaborate?

- I've been saying lately that in the "software supply chain security" dialogue as an industry we've hyperfocused on OSS, despite the reality that the largest breaches as of late are due to proprietary vendors and products. You all seem to make a similar case, pointing our metrics from DBIR and others. Can you touch on the false dichotomy the industry has seemed to draw targeting OSS as inherently less secure then vendor products, and why that may be?

- You also advocate for a "systems thinking approach", which is no surprise, for example, given Kelly's SCE book. Can you explain why this approach is important over the myopic component emphasis we see often?

- Memory Safe Programming Languages. There's been a push for adopting "memory safe" programming languages lately, even from sources such as CISA and the NSA. Can you explain what that is exactly for those who are unfamiliar and explain your thoughts on your recommendations on the topic, such as the incentives as well as some of the challenges you point out? For example you talk about social factors, like production pressures.

- One unique thing you called out was "free riding" by Federal contractors, using OSS without contributing back while selling products to the Federal government. You talk about the potential for the Government to require contractors to fund parts of the OSS ecosystem they use in the software they sell to the government. I'm not against this recommendation, but couldn't this also apply to the broader software vendor ecosystem, including proprietary large name software vendors who's products make it into the Federal market as well? 

- You also touch on the workforce, and the choice of continuing to pay contractors to write software or bringing more development in house as well as some of the challenges here on doing so. Can you speak about what those are and how they might be addressed? As well as some of the potential misaligned incentives that exist.

- The recommendations point out that release velocity of CI/CD can actually lead to substantial resilience and security benefits. This is at odds with much of the risk averse thinking in the Federal sector where I spend a lot of time, despite being backed up by reports such as the State of DevOps etc. Currently there is still a lot of "human in the loop" and manual activity and gating that goes on. How does the Federal ecosystem mature in this regard and reap these security benefits of increased velocity. It feels cultural to me, not a technical limitation, as we know it can be done already. 

- Resilience Stress Testing - Feels like another SCE concept we're advocating, and again, one this industry likely is uncomfortable with due to a lack of risk tolerance. Thoughts?

- SBOM's... of course we couldn't go without mentioning the often discussed SBOM term. You point out again that systems thinking is warranted, and that an SBOM wouldn't have helped in cases such as SolarWinds, Colonial, Exchange etc. The industry seems to be going the opposite direction, pushing heavily for artifacts like SBOM's. Some may make the case it can help address the lack of visibility and transparency of contractor software for example that you mention earlier in the document. Can you explain you're thought process on this one?

- We know one of the major challenges in the OSS ecosystem is a lack of compensation and incentivization, or at least that is the prevailing thoughts currently. What are your recommendations related to behavioral and economic incentives?

- Predictions are hard, but as you look forward a couple of years, what major actions do you suspect the Government can or will take on this front and where do you see the future of OSS security going, and will the Government have a role in that?

Resilient Cyber
Resilient Cyber
Resilient Cyber brings listeners discussions from a variety of Cybersecurity and Information Technology (IT) Subject Matter Experts (SME) across the Public and Private domains from a variety of industries. As we watch the increased digitalization of our society, striving for a secure and resilient ecosystem is paramount.