Resilient Cyber

Nikki - What do you see as emerging trends around cybersecurity guidance and frameworks? With the newer NIST 800-53r5 and the SSDF, there is a TON of literature coming out from NIST. What's next? Chris - I wanted to dig into SSDF a bit. Can you tell us a bit about being involved in that? How it came about after the Cyber EO and your experience writing it? Chris - We know OMB is now requiring Federal agencies to start to self-attest to secure software development practices, specifically SSDF practices. How does it feel to have your work be cited in something this far reaching?Chris - What do you think organizations neglect most when it comes to secure software development, do you think the OMB memo will have a rising tide impact on the ecosystem like other frameworks such as CSF outside of Government?Nikki - What are some of the most fun parts of your job? You've written so much incredible content for not just the cybersecurity industry, but so many SMB's and non-for-profits can use the NIST guidance as a place to build their cybersecurity programs. Nikki - What is one of the biggest challenges in writing something like the SSDF or the Cybersecurity Framework? I would imagine there are so many considerations that go into deciding on everything from format to the type of language you use. Chris - What are your thoughts around the attention as of late on software supply chain security, SBOM's and topics in that domain? Do you think we need more guidance and publications on this front?Nikki - Before taking us to our last question, I wanted to ask you about your blog! It's called Scarfone Cybersecurity and I know you're just getting this going. Can you talk a little bit about why you wanted to start this blog? What are you interested in writing about? Nikki -  What does Cyber Resiliency mean to you?

Nikki: To start us off, I'm curious about your opinion on the current state of vulnerability management guidance and documentation available for organizations. There are some references from NIST, but a lot of it centers around compliance. Chris: How do you think things such as Cloud, DevSecOps and shift-left security have changed vulnerability management? Nikki: Can you talk a little bit about what organizations and their vulnerability management programs should be working on right now? With more sophistication of attacks by malicious actors, we have to create more Chris: Most of us know the Common Vulnerability Scoring System (CVSS) but many critique it saying CVSS scores alone aren't enough to drive vulnerability prioritization. What role do you think things such as Threat Intelligence should play?Chris: In addition to CVSS CISA recently has been making a push to evangelize the Stakeholder-Specific Vulnerability Categorization (SSVC) guide. Can you tell us a bit about it and your thoughts about how it fits into the conversation on vulnerability scoring and prioritization? Nikki: There is a renewed focus on exploitable vulnerabilities, with the Known Exploited Vulnerabilities catalog by CISA, as well as the EPSS, or Exploit Prediction Scoring System - do you think we're headed in the right direction with helping to prioritize vulnerabilities and not just remediate everything?

Nikki - I wanted to start with the major explosion of ransomware and ransomware-as-a-service across all industries. This seems like a good starting point for why cybersecurity advisors belong in the boardroom. Do you think the sophistication and ease of purchase with ransomware should be part of the conversation to bring more cyber experts in?  Nikki - You made a post recently about the vast cybersecurity risk that API's pose to organizations. API security has been top of mind given how prevalent they are and how useful they are to both administrators and developers. Do you think API security will become a more prevalent topic in the coming year? Chris - It seems logical that boards should have cybersecurity expertise in the mix given how critical technology is to most modern businesses. Why do you think it has taken us this long?Chris - What are some of the largest coming changes you think will drive this paradigm shift? I know groups like the SEC are pushing for organizations to disclose to what extent they have cyber expertise among the board. Nikki - What do you think organizations can do that may not have the budget or contacts in place to add cybersecurity expertise to their boards - is there somewhere they can start?Chris - I know you recently have spoken about the incident reporting timeline changes from the SEC and the need to provide insight into the "materiality" of a breach. For those unfamiliar with the term, what does it mean and is the CISO even in a position to know this? If not, who is?Chris - To flip it a bit from the boards perspective, for practitioners aspiring to fill this emerging need for cyber expertise in or among the board, where should folks begin? How do they position themselves as desirable candidates for these board opportunities?

- Before we dive into the technical topics, you're a repeat Founder, including some acquisitions of firms you've founded. Can you tell us a bit about that Founders journey and what leads you to creating organizations?- Something you've been focused on a lot lately is Software Supply Chain Security. Why is this such a complicated topic, and has it always been, or do you feel it is increasingly complex? - One of the challenges organizations have around OSS use is OSS Governance and software component inventory. Can you speak a bit about that challenge and how you are looking to solve it?- A term thrown around a lot is "Dependency Hell" - which is the term developers use when it comes to managing their often large dependency footprints when it comes to updates, patches, versioning and so on. How are you seeing this problem addressed?- There's a lot of hype around SBOM's and VEX. What are your thoughts on SBOM's and how they fit into the conversation around securing the software supply chain?- One issue with the increased transparency is development teams drowning in hundreds or thousands vulnerabilities. As you know, this doesn't actually mean they are exploitable. How do we cut through that noise to drive down risk but also frustration?- We talk a lot about CVE's and Vulnerabilities and so on but I know you recently shared research from Chinmayi Sharma who I've interviewed - and she points out CVE's are just one potential risk of OSS dependencies. Any thoughts on leading indicators of risk, as they're often called?- Moving forward, what are some things you are focusing on at ENDoR Labs and where do we see us heading as an industry on this topic, in say 2-3 years? 

- You recently wrote an article about the SBOM Frenzy being Pre-Mature. For those not familiar with SBOM's, what is an SBOM and what has led to the frenzy as you call it?- In your article you discuss challenges related to the build environments and hosts that can cause different outputs and SBOM's unless a build occurs on two identical machines. Can you explain why that is? - What role do you think emerging frameworks such as SLSA or SSDF and higher maturity requirements for things such as Reproducible Builds or Hermitic Builds play in alleviating some of these concerns?- Given the challenges of dynamic ephemeral build environments and hosts, do you think this undermines the usefulness of SBOM's as an industry artifact related to software supply chain security?- You also recently wrote a follow-up article about why Software Composition Analysis (SCA) is really hard. What are some of the reasons you think that is the case?- You mentioned challenges with CVE's and their accuracy. As many know, CVE's are created via CNA's and as part of NVD. Do you think alternative vulnerability databases such as the Global Security Database (GSD) or OSV will alleviate any of the vulnerability issues in the industry? - You were involved in founding OWASP. I personally, and I suspect many others would love to hear about that a bit, given just how much of an industry staple OWASP is from Top 10 lists, CycloneDX and countless other widely used projects.- You recently ran a campaign to be elected to the OWASP Board to try and modernize it and address many gaps you state lead to OWASP being on a path to irrelevance. Can you tell us what some of those issues are and your plan to address it to keep such a great organization a key part of our industry in the modern era of Cloud-native and DevSecOps?

Nikki: With your latest book, the Security Yearbook for 2022 ,this is the third iteration of the series right? It started in 2020 and has only grown since then. Can you talk a little bit about why you started this annual compilation of research? Nikki: For any other security practitioners or anyone in the field who's interested in writing a book or putting together a comprehensive manuscript or research, do you have any tips or advice for them to get started?Chris: Can you tell us about your endeavors with IT-Harvest and your IT industry research, what is it and how did you get started?Chris: I know you serve in various advisory roles. How does your industry research help inform your advisory perspective?Chris: Based on your current IT industry research what are some of the most alarming or interesting trends around vendors, investors and M&A you see currently? Nikki: What is one of the most surprising statistics that you've uncovered year after year? I know one that continues to surprise me is just how prevalent and SUCCESSFUL phishing attacks are. What about you? Nikki: What are your top recommendations, based on your research, for security practitioners and business owners to be aware of and focus on when it comes to risk mitigation?Chris: Looking at the current IT industry and trends, what is one prediction you have for some of the most significant changes we can expect in say 3-5 years?

- First off, tell us a bit about your background, you were a developer prior to focusing on Law. Why the change and do you feel that technical background helps you in your legal and academic career?- Before we dive into the specifics of the paper and topics, what led you to focus on this issue for research and publication?- You penned an article about how modern digital infrastructure is built on a "house of cards". Can you elaborate on that?- Your paper is broken down into several sections, so let's step through those and dissect each area a bit.- You touch on the unique aspects of OSS from proprietary code and discuss the benefits and also the risks. Can you discuss some of those?- You claim that OSS should be designated critical infrastructure and arguably under areas such as the IT Sector. First off, why do you think it should be, and why do you think it already hasn't been?- In part II of your paper you went into topics around the origins of OSS security issues and barriers to resolution. What are some of the major issues and barriers to resolving them?- You touch on economic theory such as the least-cost avoider. What exactly is that, and why do you think software vendors in this case are best-suited to fix some of the core OSS security issues?- In part III of the paper you discuss some of the current interventions and efforts. Can you touch on what some of those major efforts are?- You discuss emerging things such as the Open Source Software Security Act as well as the OMB Memo requiring vendors to self-attest to NIST's SSDF and even provide SBOM's. What are your thoughts on these emerging requirements?- How do you think we balance the need to keep the spirit of OSS, in terms of being open to everyone, cultivate a society of citizen developers and a thriving FOSS ecosystem while also pushing for more rigor and governance? Do we risk constraining the ecosystem and limiting the Federal government (and industry's) access to small innovative software projects and initiatives? 

- Looking at your background, you've held a lot of Identity-centric roles and positions in the industry. How do you think Identity and associated security is evolving with the continued adoption of Cloud?- Identity is obviously at the core of the conversation around Zero Trust, what do you think some of the fundamental things organizations get wrong when it comes IAM at-scale?- You recently made the pivot from roles with a strong Identity focus to API and API Security. What drove you to make that shift? - What do you think some of the most interesting challenges are in the current API Security landscape?- I noticed you also have an Army background. It is very common to see veterans make their way into Cybersecurity. Why do you think that is, and there are any lessons from the Army you feel have benefited you in your Cyber career?

Chris: Before we dive into too many specific topics, one thing I wanted to ask is, you've been working in/around the topic of SBOM and Software Supply Chain for sometime via NTIA, CycloneDX, SCVS etc. How did you have the foresight or what drove you to focus on this topic well before many others in the industry?Nikki: You mentioned recently about the SBOM Forum and their recommendation of the NVD adopt Package URL. I think the recommendations are great for NVD, because the NVD, CVE ID mechanisms, and CWE's weren't technically built for al ot of the updated vulnerabilities and concerns we see today, especially in the software supply chain. Can you talk a little bit about the challenges around vulnerability management when it comes to software supply chain?Chris: I wanted to ask you about SaaSBOM which has been a topic of discussion in the CISA SBOM WG that I know you and I participate in. What is a SaaSBOM in your mind and where does it begin and end, given most of the Cloud, including Infrastructure is software-defined.  Nikki: I liked your article titled "SBOM should not exist! Long live the SBOM" - what really caught me was the idea that BOM's or Bill of Materials have been around for a while, and in other industries as well. I'm curious because there are a lot of potential implications for using BOM's outside of software. What are you thoughts on how we could potentially use the idea of BOMs in other cybersecurity or software development areas? Chris: I want to discuss some critiques of SBOM. VEX Is promising but of course requires information from software producers, and then of course trusting their assertions. VEX: Do you see a future where both SBOM and VEX and automated in terms of generation and ingestion to inform organizational vulnerability management and potentially procurement activities? Nikki: I would be re-missed if I didn't ask you about the human element in all of this. I fee like the complexity of the software supply chain, on top of infrastructure, operations, cloud deployments, etc, can get somewhat complex. How do you think the increased complexity around software supply chain is affecting the management and operations groups?Chris: You have long been the lead on the wildly popular Dependency Track project. Can you tell us a bit about its origins, where it stands today and where it is headed?Chris: There has been a lot of guidance lately on Software Supply Chain, such as NIST EO outputs from Section 4, NIST SSDF, guidance from CSA, CNCF et. al - how does SCVS fit into the mix and do you see organizations using all, or rallying around some of the guidance? Chris Follow Up: Some have claimed that these requirements are simply impractical for anyone except large enterprise organizations and software producers. Any thoughts on the practicality of the guidance for smaller organizations who still play a major role in the software ecosystem?

Chris: To start us off, why do you think OSS and the software supply chain are now beginning to get so much attention, despite being widely used for years now?Chris: When it comes to OSS, any thoughts on how we balance security while also not stifling the innovative creative environment that is the OSS ecosystem?Nikki: On one of your recent podcast episodes, you discussed how open source can be unfair, whether that's to users or to developers. Can you break that down a little bit for our audience?Nikki: I think there are a lot of valuable lessons from the past that inform future trends. What would you say some of the top emerging trends are around open-source software - what should we be concerned about today versus a year from now?Chris: What are your thoughts on the current state of Vulnerability Databases, we know you have some strong opinions and have been involved in an effort titled the Global Security Database with CSA - can you tell us a bit about that and why it is needed?Chris: Do you think the emerging frameworks such as NIST 800 161 R1, SSDF, SLSA etc. are going in the right direction?Chris: We couldn't let you go without discussing SBOM. What are your thoughts on the current state and direction of both SBOM and VEX. Do you think this increased level of transparency and granularity of vulnerabilities will be something most organizations can manage successfully?Nikki: You have 341 episodes of your podcast - can you talk a little bit about why you wanted to get into podcasting? And also if you have any tips or advice for anyone who wants to start their own podcast?Nikki: One of the major areas I don't hear being discussed around open source software is the 'human factor'. I see the integration of open source software as alleviating some of the mental workloads and information processing for developers and teams, but may also introduce other concerns. How do you feel about the human factor around OSS?