Redefining CyberSecurity

Smashing the Stack; All Good Things | Exploring Software Lifecycles from Secure By Design to End of Life | An RSA Conference 2024 Conversation with Allan Friedman and Bob Lord | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Dive into an engaging conversation with CISA's Allan Friedman and Bob Lord, hosted by Sean Martin, as they explore the challenging landscape of cybersecurity, focusing on software security by design, end-of-life software management, and the pivotal role of transparency in the software supply chain. Their insights offer a unique look into the evolving threats and strategies in cybersecurity, inspiring a collective push towards a more secure digital future.

Episode Notes

Guests: 

Allan Friedman, Senior Advisor and Strategist, Cybersecurity and Infrastructure Security Agency (CISA) [@CISAgov]

On LinkedIn | https://www.linkedin.com/in/allanafriedman/

At RSAC | https://www.rsaconference.com/experts/allan-friedman

Bob Lord, Senior Technical Advisor, Cybersecurity and Infrastructure Security Agency (CISA) [@CISAgov]

On LinkedIn | https://www.linkedin.com/in/lordbob/

On Twitter | https://twitter.com/boblord

At RSAC | https://www.rsaconference.com/experts/Bob%20Lord

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

In this new On Location episode, Sean Martin hosted a conversation with Allan Friedman and Bob Lord from the Cybersecurity and Infrastructure Security Agency (CISA) as part of the Chats on the Road to the RSA Conference series. The discussion centered on key topics such as securing software by design, navigating the intricacies of managing end-of-life (EOL) software, and emphasizing the crucial role of transparency in the software supply chain.

Allan Friedman, a vocal advocate for the Software Bill of Materials (SBOM) — he has the t-shirt to prove it! — explored the increasing competitiveness of getting accepted to speak at renowned conferences like RSA, reflecting the growing awareness and urgency around cybersecurity topics. His upcoming RSA presentation is set to delve into the looming challenge of end-of-life and end-of-support software—a topic that, while not new, demands innovative technical and policy-level responses to mitigate emerging threats effectively.

Bob Lord's discussion highlighted an area often overlooked yet critical for software security: memory safety. By sharing his experiences and underscoring the prevalence of vulnerabilities traced back to memory safety issues, Lord emphasized the necessity for developers and companies to adopt a more proactive and transparent approach in their software development practices. This call to action is not just about developing new solutions but also about ensuring that existing software is resilient against current and future threats.

One of the key takeaways from this episode is the imperative of transparency in the software supply chain. As Friedman notes, the path to a more secure digital infrastructure lies in the ability to have clear visibility into the software components businesses rely on—including their age, vulnerabilities, and update requirements. This clarity is essential not only for building trust between software manufacturers and their customers but also for enabling a proactive stance on cybersecurity, which can significantly reduce the risks associated with outdated or unsupported software.

Moreover, the conversation underscored the evolutionary nature of cybersecurity. As threats evolve, so too must our strategies and tools to combat them. The dialogue between Martin, Friedman, and Lord brought to light the importance of continuous learning, adaptation, and collaboration within the cybersecurity community to address these ongoing challenges.

The episode represents a microcosm of the larger conversations happening within the fields of cybersecurity and software development. As we move forward, the insights shared by Allan Friedman and Bob Lord remind us of the critical importance of design security, comprehensive policies, and, above all, the need for a collective belief in the possibility of creating safer software solutions for the future.

Be sure to follow our Coverage Journey and subscribe to our podcasts!

____________________________

Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS-B9eaPcHUVmy_lGrbIw9J

Be sure to share and subscribe!

____________________________

Resources

Smashing the Stack: Let’s Make It Less Fun And Unprofitable!: https://www.rsaconference.com/USA/agenda/session/Smashing%20the%20Stack%20Lets%20Make%20It%20Less%20Fun%20And%20Unprofitable

All Good Things: End of Life and End of Support in Policy and Practice: https://www.rsaconference.com/USA/agenda/session/All%20Good%20Things%20End%20of%20Life%20and%20End%20of%20Support%20in%20Policy%20and%20Practice

Unforgivable Vulnerabilities: https://cwe.mitre.org/documents/unforgivable_vulns/unforgivable.pdf

Learn more about RSA Conference USA 2024: https://itspm.ag/rsa-cordbw

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Are you interested in sponsoring our event coverage with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Want to tell your Brand Story as part of our event coverage?

Learn More 👉 https://itspm.ag/evtcovbrf

Episode Transcription

Smashing the Stack; All Good Things | Exploring Software Lifecycles from Secure By Design to End of Life | An RSA Conference 2024 Conversation with Allan Friedman and Bob Lord | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello, everybody. This is Sean Martin. I'm flying solo on our Chats on the Road to RSA Conference. Marco normally joins me, but he's off recording another episode. So we're, we're splitting duties here today. And, uh, I'm kind of glad because he's not going to interrupt me as I'm talking to two cool people, Allan and Bob, uh, from CISA.

Uh, they're both speaking at RSA Conference, two different sessions. And, uh, we're going to explore the topics of those and the intertwining of the topics of, how we secure by design and keep it secure and, and know when it's time maybe to, to retire some stuff that we can't secure, right? It's a big, a big picture there.

Um, so I'm excited to have this mashup of, of topics and, uh, thrilled to, thrilled to have you on. I'm going to pass the mic to each of you to kind of share a few things about what you've been up to. What prompted this, uh, [00:01:00] this, uh, topic to be submitted, which by the way, congratulations on getting accepted.

It's not an easy feat, getting accepted as a speaker at the, at the conference. So, uh, I'll go alphabetical. Allan, uh, what are you up to?
 

Allan Friedman: Sure. Uh, thanks, Sean. I really appreciate the chance to chat with you. Uh, we're looking forward to RSA this year, and as you pointed out, it has gotten a lot more competitive in the past couple of years.

Um, most of you who've heard of me know me as the guy who doesn't shut up about SBOM, or Software Bill of Materials. Uh, and over the last couple of years, that work has been taking place at CISA. Thanks a lot. And just as a quick reminder, uh, CISA, or the Cybersecurity and Infrastructure Security Agency, is America's cybersecurity agency.

Not only do we work to secure the federal civilian government, but we work to defend the American infrastructure today and build out [00:02:00] a more secure future. Now, one of the challenges as we look forward to the future is understanding that not all software is going to be able to make that journey with us.

Sad but true. And end of life and end of support software, I think, is a little bit like software supply chain and software dependencies, which is everyone knows that it's there and everyone knows that it's a problem. In fact, it's such a background problem that we haven't really done much about it. And so, uh, the talk I'm going to give is really going to try to sort of launch, uh, a broad scale, both technical and policy level approach to try to wrap our hands around it. And that's what I'm excited to present, uh, in a few short weeks.
 

Sean Martin: I love it. [00:03:00] And I, I only picture you in an SBOM shirt, even though I've never seen you until today in an SBOM shirt, but that's how I picture you, Allan.

Allan Friedman: You know, once you have a brand, you got to live it.

Sean Martin: I know you embrace it and then run with it. And I, I have so many thoughts on the end of life, um, not just purely for the end of life, but for the broader picture of, uh, security posture. So I'm excited for this chat. And Bob, it's been a while. Good to see you again.
 

What, what have you been up to?

Bob Lord: Well, uh, let's see. So I think, um, you know, just kind of taking the starting point of the RSA talk and kind of unwinding that a little bit. Um, you know, I think a lot of what I'm, I'm doing here at CISA is trying to learn from the, uh, the scar tissue I developed earlier in my career, helping build products for both consumers and for enterprises and then transitioning to be a defender.

Which is, I think, where we, when I was, you know, running security [00:04:00] programs at places like Twitter and then Yahoo and most recently at the Democratic National Committee after the 2016 hacks. And that's where I became, uh, really intimately familiar with the levels of safety in the software products that we, uh, that we all buy and use both as consumers and as, as enterprises.

So, the DNC is sort of a classic, uh, small, medium sized business. Uh, when I joined there were about 200 people there, and it was really me and some help desk folks and, uh, some sysadmins trying to keep the Russians out again. And that's when it dawned on me that this was inherently an unfair fight because the tools that we had were not really going to protect us.

Um, and so I had the great privilege of joining CISA a couple of years ago to start our Secure by Design program. And, uh, and really take advantage of some of those, uh, some of those, uh, rough times in some of those previous jobs to try to help [00:05:00] influence how software gets made, not just nationally, but really everywhere.

So that's, that's really been the focus of what I've been doing. And then almost exactly a year ago, we released the, uh, first iteration of our Secure by Design, uh, white paper. And then we had all sorts of iterations of that and, uh, other papers, RFIs, memory safety papers. I mean, you name it, we've really been trying to drive the conversation.

So, um, this, this talk at RSA is really just yet another iteration of us, um, trying to give examples of secure by design, uh, and get people to, to really start to focus on what can be done.
 

Sean Martin: Uh, I want to, I want to jump to the, the session, but first I want to talk about, um, this idea: we were supposed to secure by design, so we didn't.

So now we have stuff running that shouldn't be. What, how, is it, what's the, the chicken or the [00:06:00] egg? Do we? Do we ditch the old stuff that doesn't work? Do we fix it? Um, do we just start over? I don't know. What's, what's the answer?

Allan Friedman: You know, I, I think when you're thinking, when you're trying to build a security strategy, and then policies to implement that strategy, and also then ultimately implement it at companies with finite budgets and organizations with finite budgets.

We always want to look forward to be making the future stuff better. And we know that the existing stuff is never going to go right. There's no easy solution. But what we can do is be a little more rigorous about how we talk about the old stuff. And so I think they, they almost necessarily have to go hand in hand.
 

Bob Lord: Um, yeah, yeah, yeah. This is evolution. So like it's evolutionary, so we're unlikely just to start throwing everything out and starting from scratch. That would, [00:07:00] uh, also not work. Um, in addition to not being viable, you'd have, uh, you'd start using things like memory safe programming languages, but then you'd have a whole bunch of new logic bugs that you don't have today.

And so, you know, I think the, the thing that people have been doing, so it's not just our opinion, it's what actual practitioners who've had success in this have been doing, is working to replace portions of systems, uh, in very thoughtful ways, to Allan's point, and really trying to analyze, uh, from the security perspective, what is it that the adversaries are going to go after, what is it that would be useful for them to take control of, and then to start figuring out ways to deny them that access.

And there are all sorts of ways to do that. Um, the good news, bad news is there's a lot of really low hanging fruit. Um, you know, most of the vulnerabilities that we see on a regular basis are not head slappers. They are not brilliant innovations that come from left field. I'm sad to report that they are the same classes of vulnerability [00:08:00] year after year, decade after decade.

There's a paper from 2007 that MITRE wrote called Unforgivable Vulnerabilities, and in it they lay out this list of criteria, like what would cause us to feel like a particular class of vulnerability is unforgivable, like it's just, it's just terrible that somebody would have this class of vulnerability.

If you hold up that list against the 2023 MITRE analysis of the top recurring vulnerabilities over the previous five years, would it surprise you or anybody in the audience to learn that they're mostly the same? That it's directory traversal, it's memory safety, it's SQL injection, the list goes on. And so the good news is there's lots of ways in which organizations can simply become more aware of these facts and start thinking about classes of vulnerability and start chipping away at [00:09:00] the problem.

Um, and those who have, have had some pretty good successes. I mean, there are some, uh, like when was the last time you saw a cross site scripting vulnerability from any of the major, uh, uh, online services? It just doesn't happen that often. It's, it's incredibly rare. I can't remember the last time. I'm sure somebody is going to do a search right now and pull one up that, you know, that is the evidence that proves always an exception.

Always an exception. It proves real. Um, but like in the world of, of networking gear, it actually is not uncommon. And so there are, there are segments that have found ways to eliminate certain classes of vulnerabilities and others that haven't. And so I think a lot of what we want to do is, is have people share that information so they can begin those, uh, those first steps of that thousand miles.
 

Allan Friedman: Then I'm going to pull this back here. One of the challenges and one of the high priorities, why do we care about whether or not something's old?

And one is just a, you know, [00:10:00] I'm, I've got a lot more gray in my beard than I used to. And things don't work quite as well as they used to, right? This is everyone reaches this, uh, every generation discovers getting old for the first time. Um, but there's also one of the priorities is what happens when the supplier of the software is no longer in a position to say, oh, that vulnerability that probably shouldn't have been in there in the first place is something we can no longer fix.

Uh, and that is really sort of the foundation of why end of life and end of support is a key security issue: making sure that organizations are in a position to understand what their exposures are. Just because it's old doesn't mean it's bad. Uh, but what we do need to do is be prepared for [00:11:00] these flaws because there will be vulnerabilities that are found in end of life and end of support software.

We're going to need to know what to do about it and have a plan.

Bob Lord: And that goes up against the idea that some things are battle hardened. And the question is, are they battle hardened for the battles that we're facing today and in the future? And that's always a harder question to answer.
 

Sean Martin: Yeah, and I think the, for me, the challenge comes with visibility, especially in your world, Don, of course, all these things, what is the age of my extended family?

Well, who are they? Where do they live? This is, I don't know all the stuff that's, it's part of my software supply chain and my bill of materials, let alone how old they are, if they have vulnerabilities that exist for ages and ages. Um. So I know you're doing a lot of work there on that. What, um, you mentioned policy [00:12:00] frameworks in, in your abstract.

So I don't know if you're going to lean into some of that in, in your session.
 

Allan Friedman: We, we definitely are. So, um, first again, how big and how bad is the problem? Well, I'll pull two examples. One piece in the Wall Street Journal that characterized end of support software as a 1.2 trillion dollar problem. Um, rip and replace is simply not a scalable solution, right?

Uh, and by the way, your friends in the U.S. government are probably the biggest user of software that is out of support, right? You know, we kept Windows 98 in service well after what Microsoft wanted its end date to be because we said, hey, listen, we simply can't wean ourselves off it fast enough. The other piece in terms [00:13:00] of, you know, what's the, what's the scariness from recent headlines is a lot, uh, Ivanti was yet another wake up call in a spring full of wake up calls of, oh my god, our software supply chain is terrible.

Um, and one of the things that people looked at when they looked at the brand new, I just paid for it, Ivanti endpoint product that was connected to the internet: it had eight year old components, 10 year old components, 15 year old components in there. Um, whether or not there were known vulnerabilities in these components, the idea that we're building our infrastructure on top of things that are that old has to be a warning sign.

And I've spent the last six years of my life saying [00:14:00] we need transparency in the software supply chain and making the case for why and then trying to operationalize that. And so we're going to try to apply some of those lessons learned of what was really hard and what were the important pieces of it to having visibility into the age of things in our software world, starting with the top level products, but also explicitly incorporating this into the supply chain level. And of course, that means open source.
 

Sean Martin: Yeah, because I, I mean, so you mentioned government agencies using Windows 95. I've, when I was building, slinging software and delivering stuff to, uh, defense agencies, uh, the, the rules you have to, and basically you sign off on stuff ends up living for years and years and years, right? It's [00:15:00] to change it is, is a, like moving mountains. So you have the, we just, we can't because it's not easy. We can't because policy says we can't. And if you think like I'm thinking, like to, uh, to Beau Woods and, and Josh Corman, we didn't start looking at the medical space and a lot of regulations around safety.

Some of those things you can't easily change either. Um, so those are specific cases of where you can't, but then the majority, we could easily say you should still have to, but why do they get, why do they get the brunt of, of all these other areas say we can't.
 

Allan Friedman: Uh, and, and so one of the core things that we've learned from the rise of SBOM is the value of separating definitions, machine readable, uh, labels and tooling and metadata, and then policy on top of that. [00:16:00]

And if you build, if you try to build everything together, you're simply not going to scale. And so, you know, the tease of what we're gonna be talking about is definitions. Right now, there are like 20 different terms for different types of end of service and end of support and end of life. Let's try to have one core one that we can then map to what sectors are already using.

Two, think about metadata. Um, right, how do we make machine readable labels and build an infrastructure where people can provide that data, share that data, consume that data. And then the last piece is having policy informed by data, and what that's going to look like is going to depend on organization, capacity, risk, sector, et cetera.

There isn't going to be a one size fits all, but what we can do is create a world where it's reasonable to expect an [00:17:00] organization to have a plan. And sort of, I, I stole a line from a supply chain expert, Dan Lorenc, who, uh, paraphrases, uh, famous Marine General Mattis, which is, you know, be kind, be polite and have a plan to update every piece of software you use.

You don't have to do it, but you need to have visibility of everything that you might have to update and have a plan of what you're going to do when something comes along that makes it, makes that a, a higher priority.
 

Sean Martin: And Bob, so that, that plan might be to upgrade, replace, rewrite, refactor, some, something to help mitigate some of the challenges.

And I think you're, you're going to take things even deeper and looking at memory safe code. So tell us a little bit about what you're going to be sharing.
 

Bob Lord: Yeah. So I can tell you a little bit about my, my origin story here. So I [00:18:00] consider myself reasonably plugged into a variety of things and I'll, I'll confess that in two, uh, in 2020, I was helping shepherd a couple of conference talks at the Enigma conference, and they were about memory safety, and it was just a random coincidence. And so I had the great honor of working with Alex Gaynor and Chris Palmer to help them rehearse a number of different times to get their timing down and make sure they had the right impact.

And I think it was maybe on the second time I had heard them. We had three different sessions. The second time, I, I believed them. I think the first time I didn't, I literally didn't believe them and I had to go back and do a bunch of research and look at their citations because what, what they were telling the audience, it just seemed like an exaggeration.

It just seemed like if this problem is as big as they said, there should be, there should be just a monumental wave of energy from the software industry to go fix this. And I saw no such sign. [00:19:00] And on the second time, second rehearsal, um, during the briefing afterwards, I said, guys, I don't know that you have enough punch here.

Like, like what you're saying, these statistics need to have emotional punch. And I just got punched and I just felt like this was a huge blind side, blind spot for me. And so we did the third time and they delivered great talks there. They're out on the Internet. And I just couldn't get this out of my head.

Like if we really do see the largest companies, um, who are doing thoughtful analysis of their code, determining that 70 percent of their, their vulnerabilities are tied to memory safety issues, this just seemed like this should, there should be a call to action. And what's interesting is I, I talked to other people who's, you know, I tell them that I was shocked by all of this and they say, you know, I'm shocked that you're shocked, Bob, everyone knows.

And I was like, well, define everyone, because I think what you have is a small priesthood of people [00:20:00] who have been doing amazing work in a certain, in a certain bubble. And those of us who are just outside the bubble, we just didn't see inside for whatever reason. And so when I got to CISA, uh, one of the things I wanted to do is not just push secure by design, but I wanted to raise awareness, both that, you know, the people have been really working hard on this for decades, and they've come up with literally dozens of different mitigations, which have raised the cost to the attackers, to be sure that the work has not been in vain, but that we still see just a tremendous number of vulnerabilities that are tied back to memory safety.

And so we need, we need to take some action.
 

Sean Martin: Can you, can you share an example, Bob, of maybe a well known or a common scenario where memory safety has been an issue? Um, and maybe a mitigation that, that the group's put together.

Bob Lord: Yeah. So, uh, don't want to, don't want to give away anything on the second half of the talk, [00:21:00] but, uh, in terms of it's, it's like when you watch a movie trailer, it's like, I'm pretty sure that that was the end of the movie.

Like I, why did they do that? You shouldn't show anything. But, uh, I just saw the whole thing. I saw the hero say the one liner and then everything blew up and, and, uh, America and the world is saved. Great. Um, so, you know, I think, um, in terms of the set up, you know, it's not just that these, these problems exist and that it's two thirds of the vulnerabilities, um, you see from various manufacturers, um, who are, of course, primarily using C and C++ for a lot of their products.

We actually see real world harm in the form of things like, um, the, uh, Google's Project Zero, um, taking a look at in the wild zero days that are, that are fired, and again, two thirds of those turn out to be related to memory safety. So it's almost like no matter which way you, you look at the data, [00:22:00] you get a very high number, often around two thirds.

And so there are real world harms caused by this. And, um, you know, odds are when you see certain kinds, like when I see the news, I don't know, Allan, if you do the same thing, or maybe you do the same thing, like you see a particular vulnerability and you're like, oh, that's, that's in the SMS system, that's, that's a memory safety problem.

Like I, there's just no way that they rewrote the whole subsystem in the last few years. Like that's, that's a lot of work. And then it turns out almost always to be correct. So there's some real world harms here. And, um, if you take a look at a lot of the edge networking systems that are getting compromised, um, memory safety is implicated in some of those as well.

So, um, it's, it's something that we really just need to take a look at and start working towards. Um, and one of the things that we called for in our memory safety white paper was a roadmap. So you're talking a little about like, how do you know what your upgrade cycle is? Well, we want to know when you're [00:23:00] buying a product, we know that you can't rewrite everything in a memory safe programming language anytime soon.

You should have a plan. I want to see the plan, and could you please post the plan? The plan might be a 15 year plan, and you might say, I wish it was 5, but like, I'll take 15 if you're actually making reasonable progress towards your goal. And so, like Allan said, like, have a serious plan is, is gonna be key.

But we really want that to be public. We really want software companies to explain to their customers what it is that they're doing, how long they think it's going to take, how they're training the developers to, uh, to migrate the code, how they're measuring success, all that good stuff.
 

Sean Martin: Yeah. Transparency. Good. I'm sensing a theme here. Have a plan.

Bob Lord: Absolutely. You have to have the right plan, right? I mean, and so we're seeing things like upgrading and making sure that you have the right products in your deployment from a defender side, but from the software developer side, we want you to have a plan to make sure that you're not falling victim to the [00:24:00] classic, uh, vulnerabilities.

Memory safety is, is really just the one at the top, but it's obviously not, uh, it's not the only one. Again with the edge routers, uh, command injection, SQL injection, um, you know, these things have been around for literally decades. Mitigations have been known for, for decades. So, um, you know, whichever way you look at it, having a plan, uh, that, you know, that really talks about making real progress, not just activity, is critical and customers deserve that. And you should be explaining that to them, along with all the other feature improvements and integration points and all the other great stuff that a company is doing. We want to see how you're making sure that you're building something that's going to get safer every time you do an upgrade.
 

Sean Martin: Well, businesses care about resiliency, right? And I think that speaks directly to that. Yes. We want to be concerned about the end customer as well, but, uh, those, those aren't there if the business doesn't exist. Something, something goes haywire. So I, I have a [00:25:00] dream for cybersecurity that we as infrasecurity professionals have a view of this world like nobody else.

And we have data at our fingertips like nobody else to help guide the business to say, we need to not just buy another control to mitigate the risk. We need to help define how we build our business. And to me, that goes to what, uh, what is, you mentioned, uh, the logic earlier, Bob, that to me, that goes to what is the end to end?

How does this stuff flow? How does the data flow? How do the systems connect? How does the network support that? Who's then down to the supply chain and bill of materials, who, who has all these pieces, parts that make all this work. And I guarantee in there, there is a bunch of stuff making security teams pull their hair out, patching all the [00:26:00] time, not able to patch, configuring, configuring firewalls to compensate for not being able to, whatever it is.

And if we could just say, we have this knowledge. If we change this stack in this way, we help our team. We build a better workflow. We reduce logic issues, perhaps. And we can overcome some of this end of life junk that we're dealing with and perhaps replace it with some secure by design stuff. That's memory safety.

That's my dream in a nutshell. Do you think we're getting close to something like that?
 

Bob Lord: Alan, you want to go first?  
 

Allan Friedman: I mean, you know, whenever we look at a data filled world, there, there are two things we acknowledge. One, scalable machine readable data across the ecosystem is really one of the only things that we have in our favor as defenders to help [00:27:00] scale, right? We need more automation. We're only going to get more automation with more data that is aimed towards automation. So that's one of the good pieces. Who's going to be using this data is something we need to be very real about. 

Um, you know, one of the things we talk a lot about here at CISA is the cyber have-nots. Um, and we want to acknowledge that, right? Small and medium enterprises have a lot of things going on. Sean, you've already invoked my friend Josh Corman, who spends time using Maslow's hierarchy of needs for security. 

I think we didn't sort of get that. So a lot of what we try to build here are things that, you know, the super elite hyperscalers may not need the government's help. Um, as we slowly move down that Fortune 500, they have resources, but they have to, security has to fight for [00:28:00] resources. And so how can we help them sort of make it a little easier and cheaper to scale? 

And get that first wave of tools out into the marketplace that can handle, well, I'll say SBOM, I'll say Secure by Design concepts, uh, including memory safety, and of course, I'll talk about end of life. So, we need to sort of build this into our existing tools. And then the hope is that down the road for the ones that have scaled, this just becomes turnkey. 

It's something that gets integrated into every MSSP, something that gets integrated in every policy, into every compliance framework, whether it's government or like PCI or something like that, and build it into that. So I think that's how we try to integrate this idea: transparency can't just be visibility in terms of surveys. 

Or, or manually filled-out [00:29:00] reports. It has to scale for automation, and that should be where we are aiming.  

Bob Lord: Yeah, and I, I do, I, I love that vision and I do think that that is absolutely attainable. I, I think that there's no reason why we can't, um. In 1965 Ralph Nader wrote a book called Unsafe at Any Speed, and it was about the, uh, unsafety of American automobiles, and that book, uh, caused such a furor that, uh, the government had to act, and it created what we now know as the Department of Transportation and some of the other agencies that are responsible for automotive safety, and that really dramatically helped improve the safety of American cars. 

And I think, looking back, I think part of Nader's vision and part of his genius was articulating the idea that car manufacturers couldn't make safer cars until we all believed that cars could be safer. And we're in that exact situation with software, where software makers can't [00:30:00] make their software safer until we all truly believe in the idea that it can be. 

Can be made safe. And so a lot of what we're trying to do is raise awareness, have the conversation and say, you know, what is it that is causing some organizations to build products that are resilient against these common attacks and others that just keep playing whack-a-mole with these recurring classes of vulnerability. 

And so I do think that we can do that. And, uh, that's, that's what we're, that's what we're working on.  

Sean Martin: I love it. Um, I have faith in both of you and the bigger team surrounding you. And, uh, the, the first steps in having the conversation is your sessions.  

Allan Friedman: Is given that talk at RSA. And the other thing I'll also say is, uh, Without both Bob and I do try to be a little more entertaining than your average government bureaucrat when we're it should be more fun. 

Bob Lord: Yeah, it should  

Allan Friedman: be a little more means a little more jokes than we  

Bob Lord: [00:31:00] all study. We all study your technique. We are all working to be as entertaining as you. I have not yet achieved that, but I do promise to be a little bit above average.  

Sean Martin: Um, I'm looking forward to both sessions. So I'm going to, I'm going to share those with everybody now. 

So Smashing the Stack: Let's Make It Less Fun and Unprofitable. That's Monday, May 6th at 9:40. That's you, Bob, with Dan Wallach from DARPA. Yep. He's amazing. Yep. And, uh, All Good Things: End of Life and End of Support, and Policy and Practice. That's Tuesday, May 7th, 1:15. And, uh, that's Allan flying solo on that one. 

You get the stage all to yourself there, my friend.  

Allan Friedman: That way no one can upstage me.  

Sean Martin: There you go. Ah, well, gentlemen, this has been really fun. It's good to see both of you again. Congratulations on the session. It's important. Uh, these conversations need to be had and, uh, hope you hope the rooms are filled. 

And then you have a lot of people coming up to the stage after and, [00:32:00] and, uh, meeting you and learning more. And I think what I heard earlier is a plan, and I think taking action on that, so engaging with, with you and the rest of the CISA team, is important.  

Bob Lord: So we can do hard things. Yes.  

Thanks Sean. I'm looking forward to seeing you in San Francisco. 

Sean Martin: Right on. Safe journey, and everybody listening, watching. Thanks for, uh, thanks for joining me on this Chats on the Road to RSA Conference. Loads of stuff coming still. Please stay tuned. ITSPmagazine.com forward slash RSAC. See you all in San Francisco.