Redefining CyberSecurity

Cybersecurity's Next Legal and Policy Frontier: AI, the Software Supply Chain, Software Liability | An RSA Conference 2024 Conversation With Jim Dempsey and Jacob DePriest | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

In this engaging episode of the On Location with Sean and Marco, the group explores the evolving landscape of software supply chain security and AI's role in cybersecurity with insights from Jim Dempsey of UC Berkeley and Jacob DePriest of GitHub. Their discussion uncovers the complexities of legal frameworks, the innovative use of AI technologies in defending against cyber threats, and the critical debate on software liability, promising a deep dive into the future challenges and opportunities within cybersecurity.

Episode Notes

Guests: 

Jim Dempsey, Senior Policy Advisor, Stanford Program on Geopolitics, Technology and Governance [@FSIStanford]; Lecturer, UC Berkeley Law School [@BerkeleyLaw]

On LinkedIn | https://www.linkedin.com/in/james-dempsey-8a10a623/

At RSAC | https://www.rsaconference.com/experts/James%20Dempsey

Jacob DePriest, VP, Deputy Chief Security Officer, GitHub [@github]

On LinkedIn | https://www.linkedin.com/in/jacobdepriest/

At RSAC | https://www.rsaconference.com/experts/Jacob%20DePriest

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

In this new episode of On Location with Sean and Marco, the hosts, Sean Martin and Marco Ciappelli, dive into the intricate world of software supply chain challenges and the dynamic interplay of AI and cybersecurity. Joining the conversation are two distinguished guests: Jim Dempsey, a lecturer at UC Berkeley Law School and Senior Policy Advisor at the Stanford program on geopolitics, technology, and governance, and Jacob DePriest, Deputy Chief Security Officer at GitHub.

The episode kicks off with a vibrant discussion on the achievements of Jim and Jacob, who have both been accepted to speak at the RSA Conference, highlighting their significant contributions to the cybersecurity field. Jim Dempsey introduces his perspective from a legal and regulatory standpoint, emphasizing the importance of understanding the legal frameworks surrounding cybersecurity and his efforts to demystify this complex landscape through his published work.

Sean Martin skillfully navigates the conversation towards the juxtaposition of AI technology within the domain of software supply chain risks, probing into the potential benefits and dangers that AI presents for both attackers and defenders. Jacob DePriest provides a nuanced view of the software supply chain, emphasizing the multifaceted components, from development and deployment to the inherent risks posed by threat actors actively seeking exploitation opportunities.

A significant portion of the episode is dedicated to exploring the notion of software liability, with Jim Dempsey offering a thought-provoking analogy of constructing an airplane mid-flight to capture the evolving nature of technology and cybersecurity. He shares insights into the current legal debates surrounding software liability and the potential for legislative action to incentivize the creation of more secure software products.

Marco Ciappelli and Sean Martin deliberate on the implications of placing accountability on developers and the broader industry to enhance cyber hygiene as a societal norm. They underscore the vital role of collaboration across various stakeholders in addressing cybersecurity challenges.

As the discussion draws to a close, the episode previews the upcoming RSA Conference talks by Jim and Jacob, promising engaging sessions on the legal and policy frontiers of cybersecurity and the evolving landscape of AI and software supply chain management. The hosts encourage listeners to engage further with these critical topics at the conference, highlighting the importance of these discussions in shaping the future of cybersecurity and technology.

____________________________

Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS-B9eaPcHUVmy_lGrbIw9J

____________________________

Resources

Cybersecurity’s Next Legal and Policy Frontier: Software Liability: https://www.rsaconference.com/usa/agenda/session/Cybersecuritys%20Next%20Legal%20and%20Policy%20Frontier%20Software%20Liability

AI, the Software Supply Chain, and Other (Not So) Puzzling Pieces: https://www.rsaconference.com/usa/agenda/session/AI%20the%20Software%20Supply%20Chain%20and%20Other%20Not%20So%20Puzzling%20Pieces

Learn more about RSA Conference USA 2024: https://itspm.ag/rsa-cordbw

____________________________

Episode Transcription

Cybersecurity's Next Legal and Policy Frontier: AI, the Software Supply Chain, Software Liability | An RSA Conference 2024 Conversation With Jim Dempsey and Jacob DePriest | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Marco.  
 

Marco Ciappelli: Sean.  
 

Sean Martin: Do you feel like you're on autopilot at this point?  
 

Marco Ciappelli: Yeah, because you're driving. You're my autopilot.  
 

Sean Martin: I am your autopilot. I guess for this conversation. You think it might be a technical conversation, but I challenge you on that. We'll see where this is going to go. I think there's a lot of connection to society here as well. 
 

Marco Ciappelli: I always find my way in, so don't worry. I know you do that. But I feel very comfortable and chilling as you take me on the highway, on these shots on the road, to RSA Conference.  
 

Sean Martin: We're on our way to San Francisco, and, uh, we get to talk to some cool people who've I don't know how they do it, but they actually get accepted to speak at our RSA conference. 
 

A huge, uh, huge accomplishment. And, uh, Jim and Jacob, you both, you both accomplished that. Congratulations and, and well done.  
 

Jim Dempsey: It's good to be here.  
 

Sean Martin: And, uh, you each have your own, your own topic [00:01:00] and, uh, we decided to do a mashup. I found some sliver of connection and we're gonna, we're gonna see how, how well that goes today. 
 

I think we're looking at software supply chain and, uh, slice of AI in there and the connection to software liability and who's responsible for all this stuff. When it, when it goes well and goes wrong, both, I think who makes the money and who, who pays the price. Um, so I'm excited to have this conversation. 
 

It's part of our coverage of RSA Conference. So we'll share a bit about each of your sessions, but before we do that, I'm going to share a bit about each of you, what you're up to and what's going on. So, uh, Jim, we'll start with you.  
 

Jim Dempsey: So Sean, uh, Marco and Jacob, great to be with y'all this morning. Um, I'm a lecturer at UC Berkeley Law School, and I am also senior policy advisor to the Stanford program on geopolitics, technology and governance. [00:02:00] I always say right up front, I'm a lawyer. I'm not a technologist. I look at these issues from a legal and regulatory standpoint, which is part of the picture. I don't, I'm not so myopic as to believe that it's the entire picture, but, um, there is a legal, uh, regulatory framework around cybersecurity generally. 
 

And, um, I've actually written an entire book trying to make sense of it because it's a, it's a crazy quilt of criminal law, regulatory law, state law, federal law, common law, negligence doctrines going back hundreds of years. And so we're, we're, you know, it's the classic case. We're building the airplane in mid-flight. 
 

Putting together all these pieces of the pieces of law.  
 

Sean Martin: Oh, crap. We forgot the wheels. Yeah, we'll, we'll figure that out later. Now it's a pleasure to have you on. And I'm excited for your perspective and I'll do it now. I'll invite you back to, to, uh, chat about your book at some point.  
 

Jim Dempsey: Oh yeah, [00:03:00] absolutely. 
 

Sean Martin: Yeah. I'd love to do that.  
 

Jim Dempsey: Love that.  
 

Sean Martin: Uh, Jacob, what are you up to?  
 

Jacob DePriest: Hey all, great to be here today. Looking forward to our chat. I'm Jacob DePriest. Uh, I'm the deputy chief security officer at GitHub. And I am responsible for our security team internally. That's helping keep the platform safe and, uh, the product safe. 
 

And we also work on the community security aspect as well. So I've been there about three years now. And before that, I spent a long time at the National Security Agency, doing all sorts of fun things across engineering and IT and security.  
 

Sean Martin: I love it. And I just did an episode with Sarah Young, who published a bunch of content on GitHub around security awareness, security training, not for, not awareness training, but for helping individuals who are not in security understand security, and that's all on GitHub. So that was pretty cool. So, uh, people should check that episode out. We're not here to talk about that. 
 

We're here to talk about supply chain, software [00:04:00] supply chain, the risks involved. Um, who wants to paint the first picture of what the software supply chain looks like?  
 

Jim Dempsey: Let me defer to Jacob. Jacob, why don't you? Jump in on that.  
 

Jacob DePriest: Yeah, I'm happy to at least give my quick view of it here. I think it's, um, there's a lot of definitions of it out there. 
 

And I think, you know, to some degree, they're all valid. My perspective is it includes, um, not just kind of where our software is coming from. If we zoom all the way out, we, a lot of people, and we tend to talk about supply chain is like what goes into the software we're running, what's on your phone, you know, what's the website you're using, the SaaS tool you're using. 
 

Um, but there's a lot that goes into that. And I think sometimes we focus on very specific components of it. So like, what are the ingredients of the software that's, uh, I'm running on my phone, for instance, but it also [00:05:00] plays into how that software is developed. What platform was it developed on? What was the security of that? 
 

Are we worried about, um, that aspect of it? How about all the tools that went in to help those developers build that software? And then where was it produced? Where was it stored? And then the actual building and, and, you know, deploying of the software itself. So there's a lot of aspects to it. Um, it's a very complicated and fast moving space right now. 
 

And there's a lot of, uh, threat actors who spend an awful lot of time, uh, in this space, looking for opportunities to exploit every, uh, little opportunity that I can. So it's also, uh, I think a space that is evolving quickly and there's a lot of innovation in it right now as well, which is pretty exciting to see. 
 

Sean Martin: And should we, should we just jump right into the, uh, the most I don't know, at least most talked about, I don't know if it's the most prevalent. Maybe you have some different thoughts on it, but, uh, AI, right? So AI is, to me, it's a [00:06:00] piece of software that's built in another, well, it's like any, uh, any other service bundled into services or a system of systems. 
 

But what are you seeing in terms of, uh, AI and its impact on the ability to develop cool things and also, uh, the impact of risk on the supply chain?  
 

Jim Dempsey: Well, you know, there's, um, there's the open question as to whether AI is going to be better for the attackers or better for the defenders. Um, I'm sure Jacob has views on, on that. 
 

Obviously, the attackers are using it. The defenders are using it. I think there's a third piece of the AI issue with respect to cyber security, which I've written about, which is the vulnerability of a lot of the models themselves, particularly the machine learning models. AI, of course, it's not just one thing. 
 

But if you look at large language models, if you look at [00:07:00] some of the image recognition models, it turns out that they are remarkably vulnerable to adversarial attack, and putting this in the context of supply chain, you know, since ChatGPT, uh, sort of took over the public imagination now a year and a half ago, uh, a lot of companies have rushed forward to adopt AI. I think that hype cycle may be sort of on the down, down slope now, but a lot of companies rushed to get an AI play into their mix. And I think they may have taken on risk, a vulnerability, uh, that they didn't appreciate, namely the fact that these models that they were incorporating were vulnerable to adversarial attack, uh, they could be compromised, information could be leaked, uh, outputs could be, uh, perverted. 
 

And [00:08:00] so, in a way, AI is a supply chain issue. How is it trained? Where did it come from? Who did the training? Uh, what was the training data? Is there a possibility that the training data itself had been polluted or poisoned? Um, so, you know, you may be able to use AI to solve part of that problem, but people do need to be acutely aware, uh, and look upon AI as they would look on any other software supply chain issue, uh, and ask all the questions that, uh, Jacob was referring to. 
 

Marco Ciappelli: So I'm going to jump in because I'm still picturing in my head this airplane that is half made, half not, but it's still flying. And I feel like this is technology in general. I mean, maybe cyber security even more, but technology in general, you, you launch a product and then you improve it. And as you go, there is a moment that you say, well, it's, at least I know it's gonna fly. 
 

Now, it should be [00:09:00] secure to send people on the moon and back safely, like NASA did, but not everybody has that kind of budget like they had back in the days. So, my point is, this is not really about getting to a final point where the airplane is finished. But I think it's how do you keep the guardrail or the regulation so that, as you keep building these airplanes, um, things are safe enough. 
 

And this is, I guess, the question for both of you. Jim.  
 

Jim Dempsey: Well, just quickly, Marco, you know, certainly you're 100 percent right. Uh, we have an iterative, uh, software development, uh, foundation. I mean, the foundational concept of software development is, is iterative, but the, the downside of that is Patch Tuesday, um, which is every single second Tuesday of every single month for the last umpteen years. 
 

Uh, [00:10:00] Microsoft issues, um, dozens, sometimes a hundred or more patches. Some of which are every month critical, some of which almost every month are being exploited in the wild. And I think, you know, as you say, you want the airplane to be safe enough. We're never going to have a perfectly safe airplane. We're never going to have perfectly safe software. 
 

But I think right now we are in a situation where there's a growing recognition that the push to ship, the push to market, the push to get it out there quickly has left us in a bad spot. And that we need to recalibrate that calculus of how safe is safe enough. And that's an issue that has obsessed me. 
 

It's an issue that the administration put into its, uh, soft, into its cybersecurity strategy of [00:11:00] March 2023. So, uh, 13 months ago, they said we have a market failure that, uh, we're not producing the level of security that we need. And this industry has matured enough, has gotten far enough along, and it is, this industry, the software industry, is so pervasive, and we are all so dependent upon it, upon it in so many ways, business, personal, government, national security. 
 

Uh, that we need to, we need to do better. And then the question is how.  
 

Sean Martin: And Jacob, your thoughts on this. So back in the day, I used to sling code and run, run products through, uh, the delivery process. And, and a big part of it for me was driven by user stories, right? What are the outcomes we want to achieve? 
 

How do we ensure that the software does that? And hopefully [00:12:00] not something that we didn't expect it to do. Typically looked at from, from a defect perspective. Eventually, the industry got around to, well, what does it look like from a security and risk perspective? Because when we're talking about software supply chain now, where we're pulling services from other areas, we're leveraging open source, where we're delivering on a daily, sometimes an hourly basis for large organizations that I can think of. 
 

Um, how do, how do engineers kind of grapple with, I need to write this line of code, balanced with, I need to ensure that all those use cases and user stories and workflows and everything are safe, that I'm not introducing something bad into the mix here.  
 

Jacob DePriest: Yeah, no, it's a great question. And I think, you know, for, for me, it starts with the developer as do most things, because I think we sometimes focus on the end result of deployed software and, you know, the, the [00:13:00] edges of this, but ultimately it comes down to like, how easy are we as an industry making this for developers to do the right thing, to ship software securely out of the gate, to understand what the risks are and build against those. And, you know, to date, that's still been a challenge, right? There's a lot of, uh, capabilities out there to help developers, but it often involves breaking flow, going out into another tool, looking at results. 
 

And there's this pressure to ship. And so is everybody doing that? And how do you, how do you layer that on top? So I think, you know, while we were kind of talking about AI as part of the supply chain, I do think, like any technology that is part of the supply chain, we, as security practitioners or leaders or anywhere in the industry, have to become fluent in the risks there, just like we would any other technology that our teams are using. 
 

I also think it's an opportunity for us to shift some of these security conversations back to where the developers are doing work, right? And so being able to have a [00:14:00] chat, uh, window open in your editor, for us we use GitHub Copilot, is a way to have some of those security conversations in real time as you're coding that today require a very significant, and many are, previously required a significant break in flow and having to get back out and then come back in, and, you know, developers weren't incentivized necessarily to do that. 
 

And then I think you layer on top of that some of the other integrations of like, are we making it easier or harder to sign software, to ship software, to validate where software came from? Are you, are we curious about the build instructions that went into a piece of software, right? How as an industry are we making those things easier? 
 

I mean, SBOM is sort of step one. And some of these conversations, the software bill of materials, uh, but just kind of knowing what's in there still doesn't necessarily tell us how it was built. What service was it built on? What was the exact branch of the code that went into that? And these are all things I think we as industry are increasingly realizing are important to also factor [00:15:00] in alongside with what the developers are building. 
 

So it kind of, it kind of spans that whole side of the spectrum for me.  
 

Marco Ciappelli: Right. Let's get into the specific talk that you guys are going to have at RSA Conference. Jim, starting with you. I think you're focusing on the software liability and how things are changing. So what can people expect from you?  
 

Jim Dempsey: Yeah, so we're going to have a session on this question of how can we use the law to change the current practice to incentivize the building of more secure software. 
 

And, um, we're going to be taking as our starting point this provision in the administration cybersecurity strategy, where they said it is now time to shift liability to the parties in the best position to do something about it, which is the final developers, compilers, assemblers of, uh, software. Currently, [00:16:00] all of the major developers of software disavow liability for their, uh, for any harm that might result as a result of a failure or a security flaw in their product. The license terms all say there's no warranty. There's no liability. Even if we knew, the disclaimers explicitly say, even if we knew about the flaw, even if we knew about the risk of loss, we, the developer, are not responsible. 
 

And, you know, that's a little bit where the automobile industry was 100, literally 100 years ago. Um, it's remarkable the parallels. You know, um, Buick Motor Company in a famous case said, well, you know, look, we just assemble the car. We get the tires from somebody else and we get the brakes from somebody else. 
 

We go out and grab from, you know, this library or that library or that supplier and, and we, we, [00:17:00] we're not responsible for the tires. Because we didn't, we just grabbed them out of the, out of the library. And the courts back then said, finally said, 1918, famous case, No, wait a minute now. You are the final developer of the automobile. 
 

You are the one in the best position to look at all of these papers, pieces, all of these components and to assess how they work. You can't avoid liability for the product you develop, any flaw in it and any resulting harm. And the theory is, okay, is it time, or the question really is, is it time to start applying similar concepts to software development? 
 

And basically, it would take legislation. This is a long term project [00:18:00] here. This is not something you could snap your fingers or the president can't make this happen by himself. But as we have in other fields, could you say those disclaimers of liability, those licensing terms that say, even if we knew there was a risk, we're not liable. 
 

Those are no longer, um, enforceable. Those are no longer effective. And in fact, put that cost, because right now, of course, the cost is borne by the user. It's not like it's a cost free situation. The cost is borne by the user. Can we start pushing some of that cost back upstream to the developer? Tons and tons of issues. 
 

What do you do about open source? What do you do if the user, in fact, was negligent because they reconfigured the software or, uh, uh, changed the settings on it? What about the impact on innovation? Lots and lots of issues. But the time [00:19:00] it's time to start that debate. That's sort of the premise of my session. 
 

Sean Martin: I love it. And it's funny, the time I can recall about 10 years ago when we founded ITSPmagazine, one of the first conversations I had was on software warranties with Jeremiah Grossman, then from WhiteHat Security. He was on a big, big push to make this happen. Um, we're still talking about it. Oh yeah. 
 

Jim Dempsey: No, people have been talking about this for not 10 years, probably for 20 years, but this is the first time, last year in March with the Biden administration, the first time any White House has ever taken on this issue. This is, this is, this has been called the third rail of cybersecurity policy. You touch it and you die. 
 

Um, people have just, in Washington at least, it's been written about in academic journals. People have talked about it. Theoretically, man, no one has wanted to really get into the [00:20:00] nitty gritty on this. And to their credit, this administration said it's time.  
 

Sean Martin: It is time. And I think, uh, legislation or not, typically we turn to the law because entities aren't doing the right thing to begin with. But I think, I think there's an opportunity for organizations to do the right thing. And I, or they'll be called out on it. I can't remember if it was an airline that had some bot running that offered some discount that they then had to honor for all their customers. 
 

Jim Dempsey: That's right. That's right.  
 

Sean Martin: Um, so ultimately, like you said, it's going to come back. I think at that point, that particular company paid the price and the consumer didn't pay the price. Um, for that flaw, we'll say, in that, in that business process, using that technology. So I want to go to Jacob. How, and let's, let's kind of focus in on your talk where you're looking at attacks specifically, I think in your talk, but [00:21:00] it doesn't necessarily have to be a software attack. 
 

It could be a logic attack, right, as well. Perhaps. I don't know. Do you, do you look into any of that as part of what you're talking about at the conference?  
 

Jacob DePriest: I mean, we definitely talk about some of that. I'll, I'll say before we kind of dig into that, although it's related, like, I'm, I'm excited to go to Jim's talk when I'm at RSA as well. 
 

I think, you know, it's, it's clear, like, we sit in sort of the central point at GitHub and in the center of like the software ecosystem in many ways. And so, recognizing that cyber attacks, threat actors don't recognize like roles, corporations, national boundaries, none of that stuff, right. But then we have all these, these things that Jim was talking about to layer on top of that. 
 

And so I think, you know, to drive this is we're going to all have to work together on this. And so I'm excited to hear more about that conversation because we all play a role in that. And we have to be committed to helping build a more resilient world where cyber hygiene is considered part of the social good versus just something that is, [00:22:00] uh, on the side or an afterthought. 
 

So, uh, excited to hear more about that, Jim, when we go.  
 

Jim Dempsey: Right. Good, good, good.  
 

Jacob DePriest: Um, kind of a, sort of, adjacently, where I'm going to be talking about is sort of the, the supply chain and AI fundamentals, because, you know, as, as a security practitioner or leader or startup or seasoned company, when you go look into this and like, okay, I recognize this as a challenge for my business, for my organization, for my, for the company I work with, what do I do? 
 

Where do you start? Right? And you go out and there's thousands and thousands of companies and tools and security scanners and all these other things that sort of have an element. And there's some fantastic vendors out there, by the way, really, really good tools. But it can be a bit of a daunting task to think about. 
 

Where do we go from there? And then you add AI into it and you think about, I think somebody brought it up earlier, how threat actors are using AI, how we should [00:23:00] use AI to defend against threat actors. How does that mesh with software development? How do all these things fit together? And then, okay, at the end of the day, like what are the three things I should actually go think about doing? 
 

If I really want to make an impact for my company, for this broader social good conversation, whatever the case may be, it depends on where an organization kind of sits in the ecosystem, I think. Um, so we're going to dig into that. We will talk a little bit about the specifics there and, uh, you know, if all goes well and the Internet, the Internet gods shine, we'll do some live demos as well, which will be fun, and show some of the, show some of the security tools that are available, but also some of the capabilities that, that I think are really, we're seeing just the very beginning of it right now, but I think integrating AI capabilities with a security slant into the development process is going to shift AI, actually, to the left. 
 

I mean, we've kind of been talking about that for 15 or 20 years, but I think there's an opportunity now where it can be actually true that it's shifted about as far left as we can go. So before suggestions and edits are being made by [00:24:00] the developer, there's sort of the security lens being put on what is suggested in the code and, and things like that, um, that obviously assumes all the things we talked about earlier of like AI of the supply chain or the supply chain situation of the AI itself and all the other things that go into it. How's it integrated? What did we take? Are we taking the output and just running with it? We want developers to actually look at that and be responsible for how they integrate it. Um, but I do think it's, it's going to be a really interesting shift that we're going to see and are starting to see now, but it's going to accelerate over the next couple of years. 
 

So we're going to kind of dig into all aspects of that.  
 

Sean Martin: I love it. I love it. And I don't know if it's part of it or not, but I have this, I was a product manager as well, writing PRDs. And I'd love to see AI write all of the, here's the scope, here's the scope, and that somehow translate into here's how engineering should build this and here's how tests should validate and here's how security should audit.[00:25:00]  
 

Because I think the hardest part  
 

Marco Ciappelli: So then AI is responsible?  
 

Sean Martin: Then AI is responsible. Well then, well then sadly the product manager is responsible. But not the engineer. I think, I honestly believe putting all this on the engineer's shoulders is not the right. Yes, there's, to your point, Jacob, there's a role there, of course, but who, whomever is defining what it should and shouldn't do, and oftentimes they only define what it should do and not what it shouldn't do, I think we're missing a lot of stuff there. 
 

That's my personal thing. I'm not, I'm not talking at the conference. 
 

Jacob DePriest: I think we're, I think we're closer to that vision, Sean, of being able to kind of lay out an idea and have a lot of stuff going on. Um, kind of sketched out the scaffolding pulled together, uh, through AI assistance, then I think we're, I think we're actually pretty close, but I think the key here is like, does that mean we need less people with these skill sets? 
 

And I don't think that's true. I think we actually are now going to lean into the skill sets that these folks went to school or trained for [00:26:00] years and spent nights and weekends on hobby projects that, you know, oftentimes, if they're doing kind of rote repetitive tasks, they're not leaning into that. 
 

Well, instead, if we can speed up the, the kind of the scaffolding part of this, they can spend time on the harder problems, whether that's a product manager or an engineer or developer security person, like I, my security team, I would love them to spend more time on, uh, the kind of meaningful security outcome work and less on repetitive tasks. 
 

And I think that's started, that's, we're starting to see that, uh, happen with the adoption of some of these AI tools.  
 

Sean Martin: And I didn't see anybody going, just, just becoming more capable and scalable.  
 

Jim Dempsey: That's related to one of the issues we're going to be talking about, uh, in my session, which is if you do think about liability, if one of the things you're gonna have to do is define the standard of care as Marco raised initially with the airplane. 
 

How good is good enough? How [00:27:00] secure is secure enough? And how do you measure that? How do you define that? And there are two schools of thought in the debate now. One is you define it by product feature. The other is you define it by the development process. NIST has issued a secure software development framework. 
 

It's not suitable for legal application because it's too high level and generic, but it talks about the process of software development, and that's one approach to thinking about if you're going to have a liability regime, how good was your process? The other approach, which is one I favor, um, I still have not 100 percent made up my mind on this, and I'm eager for any and all input. 
 

The other approach is to look at features, to look at the actual product features, the outcome. And to my mind, there are certain defects. In [00:28:00] fact, um, NIST and, uh, not NIST, but CISA, the Cybersecurity and Infrastructure Security Agency, and MITRE Corp, which is a government-funded contractor, compile a list of exploited vulnerabilities, and they rank the top most exploited software vulnerabilities. 
 

And year after year, the same kinds of flaws, the same kinds of features. Buffer overflow, path traversal, uh, uh, inadequate control of, uh, user input. Um, time and again, these same errors are occurring in software. These same bugs or features, these same vulnerabilities emerge. And what I'm proposing is, is let's have the really stupid stuff category of things and focus the liability [00:29:00] there, and maybe over time we raise that floor. But I don't know what you guys think. 
 

I'm eager to hear what people at the, at RSA think about this. Do we define liability by your process? Or do we define liability by your outcome? 
 

Sean Martin: Impact, because impact?  
 

Jacob DePriest: Jim, you said you're not an engineer. I'm not a lawyer, so I don't necessarily know about the liability part of it. But when I think about the security aspect of it, I think it's a bit of both when I think about like how to defend what our team's built. So it's important for me that we have solid processes in place that when our engineers are going to go ship a production service, it's been through code scanning to look for known vulnerabilities. Like we have our dependencies up to date. We've made sure there's no secrets in code. Like those things are to me sort of table stakes for what we're doing. But at the end of the day, just because you've checked all those boxes doesn't necessarily mean you're resilient against all the attacks that might be outlined in like the MITRE ATT&CK framework, for instance.[00:30:00]  
 

And so then we need to have these kind of other things that are in place. So maybe safeguard rails from cloud providers or our configuration systems and tests against what is produced so that we know like, okay, we actually did all the right things, but the weird combination of, of the resulting output has this flaw or this vulnerability in it. And so we kind of think about it both ways. I think, um, to try and integrate the two together.  
 

Jim Dempsey: Yeah. And you may be right on that. I think that maybe a hybrid approach is the correct one. Ultimately. Yeah.  
 

Sean Martin: It's always hybrid. Never one side of the  
 

Marco Ciappelli: truth is always in the middle. 
 

Exactly. No, no, that's, that's the, that's the, that's the truism. Yes.  
 

Sean Martin: You know what else is true? These are two amazing sessions that I'm excited to, uh,  
 

Marco Ciappelli: I'm going to pop in for sure.  
 

Sean Martin: Exactly. So, uh, Jim's is Cybersecurity's Next Legal and Policy Frontier: Software Liabilities, [00:31:00] Monday, May 6th, 8:30 in the morning. 
 

And, uh, where are you? You're trying to figure it out  
 

Jim Dempsey: Yet. I am going to, um, I'm going to, I'm going to, uh, raffle off three free copies of my book. We'll have a little fishbowl at the front of the room just to get people there at 8:30 in the morning. And Bruce Schneier, who many of you know, and is sort of a legend in the RSA and cybersecurity world, Bruce is going to bring a couple copies of his book and we'll raffle those off too. 
 

It'll be 8:30 in the morning on the first day, so we've got to have some other way to get people in the door. Well, that's a bonus. 
 

Sean Martin: I think the topic is enough for me. That's always good to have the, have the read. So, uh, yeah, so Monday the 6th, 8:30, and then also the 6th at 2:20. Also TBD on location is Jacob's session, which is AI, the Software Supply Chain and Other Not-So-Puzzling Pieces. 
 

Um, so not back to back. You have time to [00:32:00] walk from one to the other. Go see Jim, then on to Jacob, and, uh, chat with both of them. Seriously, uh, this is an important topic, which is why we brought it here to, uh, to include as part of our coverage. And I'm thrilled that this mashup worked. Uh, Jim and Jacob, appreciate you guys both, uh, both joining. 
 

Marco, good to have you on as well, of course, as we, uh, continue our chats on the road to RSA.  
 

Marco Ciappelli: Yeah, just so you know, I have no responsibility.  
 

Sean Martin: I know you tell me that all the time.  
 

Marco Ciappelli: It was fascinating. I love to keep having this conversation more in a societal perspective as well. So, um, more to come for sure. 
 

But for now, everybody needs to show up to the, to the sessions and, uh, follow us with many more conversations, uh, chats on the road before we get to RSA Conference. And then a ton of content that we're going to create right there, Broadcast Alley, in the corridor, in the [00:33:00] garden, wherever we got, we got the mics and we know how to use them. 
 

So thank you everybody.  
 

Jacob DePriest: Thank you guys. Great. Thank you all.  
 

Jim Dempsey: Have a good weekend, Marco.  
 

Marco Ciappelli: Thanks. The next one in Italian, then, Jim.  
 

Jim Dempsey: Thank you. I'm learning. Very good. Bye. 
 

Sean Martin: Bye.