Today we sit down with John Cofrancesco from Fortress Information Security to get insights on the issues with the supply chain and the federal government. When it comes to federal technology, it is well known that bringing in chunks of software can introduce vulnerabilities. The real issue is not recognizing the code flaws; it is finding time in a hectic schedule to remediate them.
For example, CISA has something called the Vulnerability Exploitability eXchange (VEX) that lists known software vulnerabilities. Companies like Sonatype publish surveys identifying thousands of lines of code with structural flaws.
One of these vulnerabilities, Log4j, is well known. Rezilion announced it had scanned 90,000 servers that still had this problem.
So, having a list of vulnerabilities is not the issue. The concern is cleaning up the federal code in an effective manner.
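The point above, that a raw list of vulnerabilities is the easy part and a prioritized remediation queue is what an overloaded team actually needs, can be shown with a small triage routine. The following is an added example, not code from the episode or from Fortress, CISA, Sonatype or Rezilion. It takes a constructed deployment inventory, a constructed vulnerability list, a set of constructed VEX-style statements and a constructed "known exploited" set, and returns only the findings that still need action, exploited ones first. The four status values are the VEX status categories (not_affected, affected, fixed, under_investigation); the record layout and the per-deployment scoping of the statements are assumptions of this example, and the CVE identifiers are placeholders.

```python
"""Turn a raw vulnerability list into a remediation queue using VEX statements.

Every input below is constructed sample data for this example; the IDs are
placeholders, not real CVEs, and the record shapes are assumptions.
"""
from dataclasses import dataclass

# VEX statuses that leave work on the table. "not_affected" and "fixed" mean the
# vendor has stated this deployment is not exploitable or already carries the fix.
ACTIONABLE = {"affected", "under_investigation", "unknown"}


@dataclass
class Finding:
    cve: str
    deployment: str
    component: str
    version: str
    status: str       # VEX status, or "unknown" when no statement exists
    exploited: bool   # present in the known-exploited set


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> comparable tuple, e.g. "2.14.1" -> (2, 14, 1)."""
    return tuple(int(part) for part in version.split("."))


def in_vulnerable_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (fixed release is not affected)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def triage(inventory, vulns, vex_statements, exploited):
    """Return findings that still need remediation, highest priority first.

    Priority order: known-exploited first, then vendor-confirmed "affected",
    then everything else, with the CVE id as a stable tie-breaker.
    """
    # (cve, deployment) -> status; scoping VEX to a deployment is an assumption here
    vex_index = {(s["cve"], s["deployment"]): s["status"] for s in vex_statements}
    queue = []
    for dep in inventory:
        for vuln in vulns:
            if vuln["component"] != dep["component"]:
                continue
            if not in_vulnerable_range(dep["version"], vuln["introduced"], vuln["fixed"]):
                continue
            status = vex_index.get((vuln["cve"], dep["deployment"]), "unknown")
            if status not in ACTIONABLE:
                continue  # vendor says not exploitable here, or a backported fix is in place
            queue.append(Finding(vuln["cve"], dep["deployment"], dep["component"],
                                 dep["version"], status, vuln["cve"] in exploited))
    queue.sort(key=lambda f: (not f.exploited, f.status != "affected", f.cve))
    return queue


# --- constructed sample data -------------------------------------------------
INVENTORY = [
    {"deployment": "app-01", "component": "log4j-core", "version": "2.14.1"},
    {"deployment": "app-02", "component": "log4j-core", "version": "2.17.1"},
    {"deployment": "app-03", "component": "log4j-core", "version": "2.14.1"},
    {"deployment": "db-01", "component": "libexample", "version": "1.2.0"},
]
VULNS = [  # placeholder ids; ranges are constructed, not real advisories
    {"cve": "CVE-0000-0001", "component": "log4j-core", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"cve": "CVE-0000-0002", "component": "libexample", "introduced": "1.0.0", "fixed": "1.3.0"},
]
VEX_STATEMENTS = [
    # vendor states app-03's build has the vulnerable feature disabled
    {"cve": "CVE-0000-0001", "deployment": "app-03", "status": "not_affected"},
    {"cve": "CVE-0000-0002", "deployment": "db-01", "status": "under_investigation"},
]
KNOWN_EXPLOITED = {"CVE-0000-0001"}


def remediation_queue():
    """Convenience wrapper over the sample data."""
    return triage(INVENTORY, VULNS, VEX_STATEMENTS, KNOWN_EXPLOITED)


if __name__ == "__main__":
    for f in remediation_queue():
        flag = "EXPLOITED" if f.exploited else "         "
        print(f"{flag} {f.cve} {f.deployment} {f.component} {f.version} [{f.status}]")
```

Of the four deployments, app-02 is dropped because its version is past the fix, app-03 is dropped because the vendor's VEX statement says it is not affected, and the two remaining findings are ordered so that the known-exploited one is handled first. The useful property for a busy team is the reduction: the raw list had four deployment-by-vulnerability pairs to look at, the queue has two.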