
July 7, 2021 • RBS

Categories: Videos

Christine Gadsby, Vice President of Product Security at BlackBerry, joins Jake Kouns, CEO and CISO at Risk Based Security, to talk about the Open Source Security Maturity Model, the possibility of upcoming SBOM regulations, and what steps any organization can take to build a risk-based vulnerability management program.

The world is changing, and the need for secure software has become critical as the Internet of Things grows. As more organizations are attacked, security professionals are recognizing that identifying, protecting, and maintaining products that rely on OSS dependencies is crucial. However, establishing processes is challenging as vulnerability load and velocity keep increasing. To add to these troubles, attackers are constantly identifying new attack surfaces in the supply chain, bypassing 99% of the security processes organizations put in place.

How can organizations take the proper steps to secure their products? How can a one- or two-person security team start a risk-based vulnerability management program? Tune in to this episode of The Right Security to find out!

The Right Security

In The Right Security, join leaders and veterans in the security industry, as we tackle the biggest issues impacting organizations today.

Check out The Right Security series on YouTube, and subscribe to the Risk Based Security channel to see new episodes in your feed.

Show Notes

0:00 – Welcome and speaker introductions
1:30 – How does BlackBerry look at Open Source Software?
2:45 – What is the Open Source Maturity Model?
5:55 – How the Maturity Model has changed within the last five years
10:20 – How security management and saving money, time, and resources applies to OSS
13:40 – The processes for software review
18:00 – Security Debt and Security Deficit
21:05 – The definition of a “Vulnerability”
21:53 – SBOM regulations and the new Cybersecurity Executive Order
26:41 – How the Open Source Maturity Model applies to the new Executive Order
28:20 – How BlackBerry applies security to different types of connected devices
30:55 – How BlackBerry views software releases for these new “end points”
34:13 – NIST SSDF, ISO 29147, and ISO 30111
36:38 – How security teams can work closely with development teams
41:30 – How organizations can get started on creating a “risk based” vulnerability management program
44:45 – What is the next thing for BlackBerry?
46:14 – Closing thoughts

Further Reading

Open Source Software and Maturity Model – Episode Transcript

JAKE

Hi, I’m Jake Kouns, CEO at Risk Based Security. Welcome to this edition of The Right Security, the show in which we spend time talking with leaders and veterans in the security space, tackling the issues of the day. Today I’m joined by Christine Gadsby. Christine is Vice President of Product Security at Blackberry. In order to drive product and supply chain security efforts at Blackberry, she’s focused on a lot of areas including SDLC capabilities, application security research, automation, and security tooling, risk mitigation strategies, incident response, and even more. Right now, she seems to be working on the NIST SSDF, ISO 29147, ISO 30111, Open Source software licensing, compliance, attack surface management and SBOM efforts. It’s kind of a mouthful these days, Christine. But you’ve been a known industry expert and keynote speaker. You spoke at loads of conferences including RSA, Black Hat, IoTSF, and FIRST. I’ve known Christine for a while and it’s been really amazing to learn from her and watch how she applies security concepts that are talked about a lot, but apply those in actually a large software company. So, Christine, it’s been a long time. It’s really great seeing you. Welcome to the show.

CHRISTINE

Hey, thank you, Jake. It’s awesome to talk to you again. Love talking with you. Thank you for having me.

JAKE

Alright. So today, I’m going to spend some time catching up. I want to get your views about Open Source Software as we… as we normally talk about. And so there are a lot of questions and a lot of topics that apply in this space. So if you don’t mind, we’re gonna jump right in here. And what I’m gonna ask is that for our viewers that are still trying to learn and come up to speed here, maybe start quickly. Could you share how you and Blackberry look at open source software? What’s in your mind? And why would you even want to use it?

CHRISTINE

Hey, that’s a great question. And I think Open Source Software in general allows companies to get to market quickly, right? It allows people to build in capability that if you were going to write yourself as an engineering organization, it would take eons of investment and take forever. I believe that even companies that don’t think that they need or use Open Source are always kind of surprised to find that they are huge consumers of Open Source. Nowhere does that become more apparent than when you’re doing things like mergers and acquisitions, or you’re figuring out you have an attack surface that you didn’t know. But really, Open Source is kind of the way. It’s the way to build capability fast.

JAKE

Makes sense. So, at Black Hat in 2016, feels like a long time ago, you gave a presentation called OSS Security Maturity: Time to Put on Your Big Boy Pants. And I’m pretty sure you came up with that title from what I’ve heard, rumor has it. And at that time you released the Blackberry Open Source Maturity Model. Can you give us sort of a quick recap of that talk and talk about, you know, specifically about the maturity model, please?

CHRISTINE

Yeah, absolutely… absolutely. That was a great talk and you know, back then Jake, you and I did a lot of talking about this. But we were really just on the cusp of figuring out that Open Source was going to introduce an attack surface that companies just weren’t ready for. It comes down to things like telemetry. And really this maturity model really focuses on how to get understanding that you do need Open Source Software to release products. But then if you do, how do you manage it? How do you look at that attack surface in that risk? You know, that you inherently bring to both your business and your customers’ business in the supply chain and how do you build a model around understanding it? And, you know, being able to respond to it in market? And so really it focuses on a few things. One, it focuses on telemetry. It focuses on understanding your attack surface and software releases are really an opportunity to do one of two things. In one of two things only, which is where I see companies really missing kind of the understanding. Every single software release is an opportunity to increase or reduce attack surface, that’s it. You’re doing one of those two things. So really understanding, how do you watch that? How do you understand it? How would you become realistic as a company and manage it and still be able to get to market quickly to continue and enhance the revenue cycle? Because that’s important. And then what do you do once it’s in market? How do you responsibly manage that attack surface? And how do you understand the vulnerabilities in your Open Source Software? It’s a huge dilemma for companies to really watch the vulnerability landscape and, you know, deal with that load and velocity of Open Source vulnerabilities coming in daily to product sorting and market. How do we update it? How do we keep it? How do we keep it patched in market? How do we make sure our customers are protected? 
So that talk was really around building a format for that in a program perspective, right? You have to manage that from its life cycle and it is its own little mini-business within your company. You’ve got to really treat it like it’s as important as you’re generating revenue to make sure that revenue stream is protected. So really that talk was all about, how do you look at it from a pyramid perspective? Build one thing on top of the other, start here. It really gave you a place to start and it’s really interesting looking back on that tactic. My gosh. We were so right when the guidance was straight on. So, you know, back then we really thought gosh, this is going to be a big thing. And now here we are, it’s a big thing, right?

JAKE

You know, so I… I think one of the greatest things about that talk was just, you were just mobbed with people that wanted more and more about the maturity model, right? I mean, you know, it, I think that… that was five years ago, some days, it feels like it was yesterday. Sometimes it feels like it’s even longer than that, but that… that was a while ago. It was early on, but the… but the… the model itself seemed to really resonate with people that were trying to figure out how to explain it to executives, where to start. So, as for… for anyone that’s watching as… as always, we’ll put… we’ll put links into it. It’s a great talk. Please go and watch it. But I… I guess has anything changed in the last five years to the model? Have you made updates to the model or is there anything sort of more? You can, you know, before I force viewers to watch the whole thing? Anything else that is spot on?

CHRISTINE

6:47 

Yeah. You know what, Jake, one of the most amazing things that came out of that talk, if you remember what we came forward with and what we sort of put out there was that we honed in on just a few libraries, right? We really wanted to know what the cost of maintaining free and open source software is. I mean, it’s free but it’s not free, right? It’s just like I think I’ve seen several presentations, and I have done one as well. We have a picture of my dog, Lucy. When we got her and we got our home, we paid for her and then didn’t really necessarily think about the cost of maintenance. And one day she gets into the garbage and causes a huge mess. Well, that’s kinda the same parameters of putting Open Source Software into your products. And I think the biggest thing that kind of came out of that talk, and I really ended up spending talking to, and I’m still talking to my peers and other companies about, is how to really dive in and look at the cost of Open Source Software maintenance, right? So I took one library out of that talk and I dove into what Blackberry is actually spending to maintain that library. Those are really key points to look at. Because when you look at the build versus buy decisions and you go back and you talk about how do you plan? You know, it’s great for every company to say, “Okay, well, we’re gonna take 10 percent or 15 percent or X amount of dollars for software maintenance to look at security and other things.” But the reality is, unless you really know what those vulnerabilities are, that Open Source Software is costing you. It’s really hard to sit down with an engineering team and say, okay, hey, I need 10 percent next year of your maintenance budget for, you know, software patching or for library updates or for security hygiene, or whatever. We really got into the nitty-gritty.
I spent a lot of time going back through my own engineering and my own team’s work and really looking at the cost and actually how much we were spending and it was absolutely mind blowing. We were spending a lot of money. Some realized when you looked at how much it came down to, what does that actually cost? You know, you ship a security update, you know, you ship a maintenance update. But what’s gone into that? How much does it cost? What does it look like to investigate that? What does your staff look like? How much time are you spending? Remediating all that stuff and I… I released some numbers and it was pretty eye opening. I’ve got a lot. I still get companies asking me how did you come up with all of that? And really, you know, the answer there is, you just have to go and start digging. I just really, I did all that work by hand. I wouldn’t call it “a lot” for people. I looked at a lot of, you know, investigation data and I used that. I use that to further sort of justify the spend to be able to, you know, look at our software security posture. When I started coming up with those costs and took that to the executive teams, there was a lot more head nodding that they understood my job, and how hard it is. Number one, number two, you know, the need to spend money to remediate your attack surface. So that I think Jake, to answer your question, has probably been the biggest thing that companies really have garnered from that model is that you really have to look at the actual dollars in, dollars out and make it a business. Because it is its own little mini kind of business. When you look at free software that’s not free. So that’s… that’s probably the biggest thing I took away.

JAKE

10:19 

I’m glad you brought up the savings of money, time, resources and… and what that does. I agree with you. That… that was one of the things that I have to say, I was really pleased and super impressed with Blackberry at the time that they were willing to openly share with the industry about the problem. And if you remember at that time, you know, there was a lot of conversation and… and no other companies were talking about this, right? I mean, that we’re not sharing in a way to help the industry and it was all kinds of looked at. Well, if you… if you openly say there’s an issue and you’re trying to fix it, well, that are you back, right? And… and could be, could be immediately used against you and whatnot. So I guess, I’m giving you and Blackberry kudos for talking about this stuff at a time when people weren’t talking about it. Now, I will say, I remember, one of the things that really caught me off guard was when you were sharing, you know, the number of libraries, you know, dependencies use that the company across all products and even in a particular product that… that was, so eye-opening and to see some of those things where it was actually a real company come out and say, “Yeah, this… this is a thing. Look at all these libraries.” And… and… and I remember the story you told about how sometimes there are different versions of the same library. I mean that was big for you guys to do that.

CHRISTINE

Yeah. And you know what? That alone, I’m so glad you brought that up. That has been. I think I’ve had so many other executives call me and say, “My gosh, we know this and we… we don’t want to talk about it. Thank you so much for breaking that silence. We’re in the same boat.” And if, you… you know, think about what’s happened in the industry, and the supply chain since then, it’s insane, right? All those things we were talking about, they’ve all proven to be true. The supply chain is Dependency after… Dependency after… Dependency after Dependency. And there’s version after… version after version. And that attack surface. You know, no matter how you look at it, it’s yours to maintain, you know, when you put that stuff in market, you have to own it. And, you know, working I’m… I’m really fortunate to work for a company like Blackberry that takes that so seriously where we know it’s our bread and butter, or not only do we develop secure software, but we have to maintain that secure software. And that starts with knowing what’s in it, right? You’re responsible for what’s in it. And I cannot tell you again how many executives I talk to after that talk who were beside themselves because they had, you know, really realized by doing some efforts to dig deep into their own supply chain when they came up with X amount of versions of the same OpenSSL version or whatever it was in their software, they were very nervous about having to maintain all that. And really we’re looking for advice on, hey, how do we reduce that? How do we go from 64 to five? What do we set as a security baseline? You know, how do we really monitor all of that Open Source? I mean, and Jake, it comes down to just what we thought it was gonna come down to, which is automation. There are not enough humans. There just really aren’t, so you have to build that telemetry and you have to, you know, work with a company like yourself to maintain that, just maintain that understanding of your own attack surface.
It was pretty eye opening though. Lots of, I feel like there was a lot of engineering therapy that happened or needed to happen after that.

JAKE

Yeah. I could keep asking tons of questions on that talk. Anyone who’s watching now that hasn’t watched that talk, Christine provides amazing numbers and models. Please… please… please go watch but wait, I’m going to move on to the next topic. For a long time, we here at RBS have been saying everything is vulnerable and you know, while I still believe it’s true, it drives me insane. You’ve even given me shout outs to it that software is horrible and it’s just okay. But you did talk at Black Hat in 2018 that you called, Stop That Release: There’s a Vulnerability. You did start to talk if I remember saying “I hate to break the news to you but every software out there is flawed, and if someone tells you the release in perfect software, they’re not telling the truth.” Another great talk again, I’ll put the link in the show notes for everyone. But I have a bunch of questions for you… on this talk as well. So I will turn off first with… can you give a little bit thoughts on the software needing maintenance? You start… you start to go down that path a little bit of a little bit more there. And then can you talk to us a little bit about the software ready review process and templates and those things?

CHRISTINE

Yeah. Yeah. Absolutely. Great question. First of all, I will say another shocking thing that came off of that second talk, Jake with their talk, was how many companies aren’t looking at the, how many companies are shipping software of any kind? And not looking at its attack surface before it goes out the door? That absolutely blew me away. You know, it’s one of those things where you kind of have a feeling but you don’t really know until people kind of reach out to you and ask for guidance or questions and I will tell you that, you know, back then and I think still to this day we have this understated industry norm of “Well, I’m shipping secure software.” And that is absolutely if you’re not looking at it before it leaves the building and there is no security gate or security review, then you’re not shipping secure software because that’s reality. So one of the things that at Blackberry we’ve developed, this is a software readiness review process that has many criteria of which security is one, of course, because every company does this. But I think the unique thing that Blackberry does is a criteria. So we understand when we’re shipping software, you know, has it met the pre-established security baselines that we’ve agreed upon because we have, you know, security baselines that we as a company have agreed upon. We don’t ship products without it. You know, it goes through this really strenuous review and, you know, business is business, if it comes to things that we need to look at, we look at them. That is a CEO-driven marketplace fact and, you know, right now it has issues. We’re seeing the supply chain under attack. I’m so glad we built it because as you know, Jake, it is like steering the Titanic to change, you know, product engineering processes when you have, you know, lots of products, flowing, lots of products and market, you know, quick release cycles. It’s difficult.
So the fact that we built that, you know, ages ago and our kinds of, you know, leveraging it so much these days is, just the great thought that Blackberry had about the need to ship and, you know, keep product secure and market.

I think I get a lot of questions on how to build that program and the answer in our talk. One of the things we talked about is… is templatizing things like that and the need to create the baseline. I talked to so many executives who are just trying to figure out how to even create the baseline. What does a secure software release look like? What is, you know, the ability or hampering the ability to generate revenue and what is okay to leave as maintenance. So templates are just critical and crucial here and back in that talk, I think I actually shared the exact templates that we use, which is, you know, what are you actually looking at in a software release? How are you actually kind of building a scoring, a product security scorecard, right? The scorecard is critical. What did you do since the last release? What are you gonna do with the next release? You know, what is the attack surface that you’re fixing? How are you communicating that to customers? All those great things? They’re all really important to templatize and really important to automate. And if you’re not starting that process, start now. It takes a while. So, so my advice to every, you know, leader of any product security team, our engineering team is start talking about that now.

JAKE

So this kind, some of the things you talked about within the talk, the building upon other ones… Can you talk a little bit about the security debt and security deficit? When you were talking about maintenance? Give a little thought of what you were saying in 2018 and how you view the world now.

CHRISTINE

Yeah, absolutely. So security debt is interesting, Jake, you know, especially with us releasing Jarvis as a product in the embedded space, I think and I, I’ve talked to several leaders at other companies that would agree with me, if you ask any team or, you know, company that’s building software and they have this kind of false sense of security that everything is fine and everything is golden. And then they scan a binary and figure out that they actually have way more attack surface than they actually thought they did. I’m talking at the binary level, you know, they have way more attack surface than they thought they did. And they are, you know, a miss and… and don’t understand how to remediate the, you know, the number of, you know, CVEs that pop out like a piñata. Now it’s Christmas time and they have, you know, these things, you know, they have to worry about. And so I think especially when you use a tool like Jarvis and you figure out what that attack surface actually looks like. There’s a need and kind of a quick wakeup call to knowing what that attack surface is… is really like and… and trying to figure out how to do it or how to… how to remediate or… or mitigate those vulnerabilities and I think that… that is a needed maturity space that everybody needs to get to if they’re shipping software, you aren’t really going to know until you actually look at a binary and figure out what you’re really shipping out the front door. And that can be an eye opening experience. And it can be a very scary experience for if you’ve never really seen that… that, you know, amount of a vulnerability debt on how to figure out how to solve it. So, I think with looking at a sort of reality check that a lot of executives have had.
Especially again lately, what I think we’re looking at right now Jake is a lot… a lot more people are being forced with, you know, the upcoming executive order and, you know, the SolarWinds attacks, you know, I think a lot more companies are forced to look at this picture where, you know, it’s just kind of been a thing that we do, you know, we ship products and updates. And now it’s become more where you really need to strategize every release and you need to really think about every release. What are we going to do? What security fixes are we going to put in it? What are we going to leave for maintenance? Again? It all stems back to having that plan. Starting with that security baseline and being able to… to create a process like a readiness review where you’re really recognizing that there needs to be a gate every single time, where you’re really looking at that and making a conscious decision to, you know, increase or reduce the attack surface because you’re going to be one of the two.

JAKE

One of the things you said in that talk which struck me and I hope it’s not still the case but I’m gonna ask you, are you still finding people that are arguing over the definition of what is a vulnerability?

CHRISTINE

You know, not as much, right? Because back then it was this debatable topic, right? And now I think people are really leaning more towards everything is, right? Because we’re seeing so many things exploited the, you know, gosh and our dreams, would we have ever thought things would be chained together and exploited like they are now? So I don’t think so as much I really think it’s leaning towards that. We really need to clean up all the debt and everything that’s left is… is… is liability. So that’s definitely something I feel like it’s turned for, you know, for the… for the better, I would say in this case of being more realistic.

JAKE

So in your Loco Moco talk in 2019 and the talk was called Shifting Product Security from Forceful to Resourceful. You at Blackberry were early on with the product security team. So it was really neat talking in I’ll add talk notes in there. But one of the things that… that you said in that talk was you said without a doubt, SBOM (Software Bill of Materials) regulation is definitely coming. And of course, in previous talks, you know, you’ve said it all other times that hey, regulations probably are coming, maybe even said it’ll be a little scary if it was coming. But in that 2019 talk, that was probably the firmest I’ve ever heard you say that this is coming right and lo and behold. Now we have the new cyber security executive order that you just mentioned. So what are your thoughts currently on Software Bill of Material? And can say what’s the impact of this executive order?

CHRISTINE

Yeah, great question. We’re focusing very heavily on that right now. So, yes, back in 2000, I think it was probably 18 or 19. We really started looking at our own security posture as far as… as problem was, you know, was really there were a couple of things we thought about back then is SBOM right? There’s kind of two separate efforts for Software Bill of Materials, right? I think there’s a Software Bill of Materials that you’re going to create and maintain so that you understand your own software. And then there’s the Security Software Bill of Materials that I feel like is going to be something that the industry is going to standardize on. And we’re seeing a lot of that, right? You know, the NTIA got a fantastic effort happening right now to look at how do we as an industry rally around that? But, you know, what we predicted back in 2019, Jake is really what we’re starting to see and fruition here, is that industry is going to regulate around it. Your customers are going to require that you ship it with, you know, any kind of software release for any kind of purchase. It should be part of the contractual requirements at some point to get a copy of that SBOM. And I think it’s gonna really my prediction going forward, is there is going to be companies that are left behind because they’re not understanding the impact that’s going to have on their sales model. You know, you have to think about highly regulated industries like financial and medical who are not only going to require that SBOM, but they’re gonna figure out quickly how to establish minimum requirements on that SBOM. Meaning, hey, if you’re running, you know, this out of date something… something, we’re going to come back and tell you we’re not going to purchase your software until you clean it up. That’s what’s going to end up being the reality. Companies aren’t gonna take, you know, they’re not going to purchase software that doesn’t have some kind of a security baseline built in.
And again, my prediction is I think a lot of companies are going to be caught off guard because they’re not gonna have really thought through how to build a program around managing that. And this is going to be key. Again, changing the way you enterprise or, you know, you engineer software to be able to meet some of these things, isn’t a fast process for any company let alone some, you know, Blackberry, where you know, we’re shipping software daily. It takes a long time to, you know, hire experts and think about security baselines and you know, ensure that you can be helpful and resourceful to your engineering teams. And this is where, I think, you know, my one piece of advice I would leave on SBOM is for other executives to really think about how are you going to establish a program to be resourceful to your revenue stream instead of forceful. Product security and security teams in general are looked at as huge speed bumps. And so, how do you stop becoming a speed bump and start being part of the revenue stream? How do you become an asset to your engineering organization to allow them to ship an SBOM and confidently send that out the door? Knowing that the highly regulated and financial and medical and all of your customers who care about security, whether or not the government’s telling them to or not? How do you ship that out the front door and make sure that you’re confident, knowing that your customers are getting a secure product and that you’ve done your job. That is difficult to be a resourceful resource or resource in general. So we take a very much consulting view internally. Our team is really here to help our product teams achieve that. But if you’re not building that as a program right now and really understanding how your supply chain in software, your own supply chain from, you know, your… your own vendor management to your own release of software, if you’re not building that program, you’re going to be left really scrambling.
And I… and I think that’s going to be a big shocker when it all comes to reality, Jake, it’s… it’s gonna be a tough one.

JAKE

So, you know, I’m a huge fan of the Maturity Model that you released. How do you, how do you think that’s gonna apply? Or how do you think maybe companies can look at that maturity model to help them figure out how to deal with this executive order a little bit?

CHRISTINE

Yeah. You know… you know, that’s a great question. Jake. I’m so glad you asked because what that Maturity Model allows you to do is take a step by step approach. It is impossible for any company doing nothing right now to be, you know, to, in a month from now to even think that they would have this amazingly mature model. And I love the Maturity Model because it allows you to kind of take a step one start here, step two start, you know, do this next step three, do this next. I’ve seen very large companies doing absolutely nothing, adopt that model and be successful. Every company is gonna look different because everybody’s starting from a different place. But the key here, Jake is you have to start somewhere, you know, I’ve again recently talked to a few executives that have not started anything and they’re beginning to panic because they’re watching this executive order gain more traction. And I’m here to tell you, it’s getting more traction. So start somewhere, start, take a model, any model. Mine, look at those different parts of the pyramid and start in that step one and at least start getting telemetry and start getting a plan together because that’s kind of where you have to start. But yes, the executive order in this model definitely goes hand in hand. And I, I’m hoping people can take that and use it because it’s at least a place to start.

JAKE

So, you know, the world continues to change. Software is even more critical and the, you know, the physical world as we’ve seen it, you know, in Blackberry, you guys have been focused on all kinds of things – connected cars, the embedded devices. And… and so, I know for you security is so important. It’s… it’s been built in what, you know, from shipping handsets to now all these other things that… that you guys are doing, what’s different about all this sort of physical connected embedded device stuff?

CHRISTINE

Yeah, that’s a great question. And boy, you know, working for a company like BlackBerry, we were so ahead of our time. We didn’t, you know, at the time we made all these grand predictions, myself included. And now here we are. I think what’s really different is looking at kind of our focus just on one particular thing, Jake, which is kind of the… the more of the IoT space on the side of BlackBerry, and you look at things that are up and coming like IVY and looking at the connected car again where BlackBerry was really ahead of its time, you know, with QNX as a product and… and partnering with Amazon and… and working on IVY. And how do we understand the data flowing through a car and… and products like Jarvis, which again, Jarvis is really key because taking something really… really… really complicated when you think about the ease of use in a vehicle and you think about how many vendor components go into that car and you think about that rolling attack surface and you think about electric vehicles and all the changes coming. Jarvis was just really ahead of its time in being able to, you know, understand that attack surface and get down into the depth of software where, you know… you know, tier one suppliers will ship something and say, “Yeah, it’s secure,” and, you know, Jarvis kind of allows you to dig into that and go, “Yeah, no, it’s not.” So really we were again kind of ahead of our time in looking at the needs for secure software and the needs for products to actually do security. It’s been fascinating to be part of BlackBerry through the transition going from, you know, I worked on Android as a handset. I worked in the 30 day patching program that was again the first of its kind for a vendor to come out and do, you know, commit to doing that. And now here we are all the way fast forward into looking at security of, you know, software in a vehicle.
It’s… it’s been a pretty amazing transition and it’s been pretty awesome to be part of a company that really that’s our first priority. So, yeah, it’s… it’s been a wild ride. But I’m… I’m really looking forward to looking at how products like IVY are really going to continue to… to kind of change the world. It’s been… it’s been a lot of fun.

JAKE

So let’s talk in terms of software releases, in terms of frequency, right? And, you know, when you’re thinking about these different endpoints, right? Embedded devices, connected cars, these sorts of things. While that may change over time, right now the frequency of release, or those major releases which I’ve heard you’ve talked about, they are few and far between compared to where maybe a security practitioner says, just pull up this fix or this patch or whatever. So, but how do you, how do you view that from a security standpoint, working with software teams when there’s not as many frequent releases?

CHRISTINE

Yeah, that’s a great question. So, and you know, one of the great things about having a centralized product security function is it allows our organization to scale both like the CI/CD side of, you know, that continuous release, and it allows us to look at embedded systems which might have a different release cycle. So we take a very holistic approach and my guidance here to anybody listening is definitely to have a security baseline and to know the release cycle. It is really critical to look at: if you’re only going to ship a product or a, you know, a maintenance release to a product or a big release or a big image, you know, out every six months, well then, you know, you really have to look at what does that security debt look like over that last six months? And maybe you have to build in a frequency of hot fixes that are just dedicated to security. And this is again, when you have a centralized model, you’re not a product team looking to figure that out. You’re looking at it from a product security model of “Okay, that’s great if you’re gonna release software every six months, but you need a maintenance release.” Then you need to plan for security only maintenance releases and they need to go to whatever interval. And, you know, that sounds really simple, Jake, but I can tell you getting into the… the part where you go, you know, no executive wants to go into a budgeting review meeting or, you know, planning to say, “Hey engineering team. I know you’re making money but I need 10 percent of your resources for security maintenance releases.” But I can tell you it’s… it’s critical. You have to do it. And when you, the… the beauty of it is when you have a product security centralized, you know, model, you can then show the cost savings. You can actually go in. And again, if you look at that talk that we did at Black Hat, you can go and look at, okay, that Open Source, you know, attack surface is costing you X amount of dollars.
If we do this maintenance release, we’re actually going to save money. And I think that’s really… really key is being able to… to look at all the, you know, software products you ship or all the different kinds of releases that you have and make a different plan for each of them because they’re not the same. It is not a one-size-fits-all model. CI/CD is definitely different than a, you know, a software release cycle that’s, you know, looking at a golden image every six months. Those are different and you have to plan for them differently. CI/CD is moving so fast that you have to take a different approach. You know, those longer term software releases, you’ve really got to strategize how in between you’re going to make sure that, you know, you’re looking at your tax or facilities typically. So it is, it’s a, it’s, you know, it needs a plan. It needs a plan.

JAKE

So, I know you’re working on a lot of things right now. Can you give us maybe just a quick blurb on, you know, what’s going on within this SSDF, that framework, and… and the ISO standards that you’re working on?

CHRISTINE

Yeah. And this is the, you know, great question. Jake, this is the amazing part about being part of product security right now. You know, back in the day when, you know, you and I just first began talking and things, there were, there was so much less guidance for us. We were sort of ship sailing with our hands in the air, you know, trying to, you know, tell everybody that security was important to, you know, again years ago, that was sort of the way. But now we have these great standards that we can fall back on and I feel like the newest SSDF framework and the executive order time just perfectly because the newest SSDF framework really gives us a solid backing for anybody watching this to take to your executive team and say, this is the way, you know, this is what we have to be doing.

It allows you to build practices and space in security baselines built on, you know, this standard. So that has been a huge game changer, really, to validate lots of stuff we’ve already been doing, which is fantastic. We’re ahead of the game, which is great, but it allows any company to really take a view of that. To any executive who might not understand exactly what the executive order means for software development, it allows the NIST framework, really allows you to go, you know, hand in hand with that executive order saying if I look at ISO 29147 and 30111, and I understand how to handle vulnerabilities and how to disclose, you know, the NIST SSDF framework will allow us to shift left and really build that in. And that’s critical… critical to take that SSDF framework right now and look at your, you know, software development life cycle and ask, you know, do you have a secure software development life cycle or is security really an afterthought that we’re just thinking about kind of at the end?

And I speak internally a lot about breaking up concrete because, you know, when you ship a product and you’re going to try to figure out how to undo a bunch of bad security practices, it’s like breaking up concrete and it’s very expensive. So, I think the NIST SSDF framework as part of the executive order, or using them kind of in tandem internally, has allowed us to really create a framework that allows us to create a stronger SSDL and… and… and again reduce the cost of secure software.

JAKE

Alright, we’re in the home stretch. So, you know, as long as I’ve known you, you’ve always been a very people-driven, people-first leader. You’ve had a huge focus on communication… over communication. If… if you think about it now, with the rapid moves, the virtual working, all the craziness that’s been going on in the world, what tips do you have for security teams that are trying to still figure out how to work closely with their development teams, and any thoughts to share there?

CHRISTINE

Yeah, boy, that’s a tough one. You know, one of the benefits that we had as a virtual team before was that we were really prepared for this, but I’ve gotten a lot of questions over time for, you know, how, as the security lead, do you make sure that you’re following your release cycles? Because engineering teams are over here trying to, you know, generate, you know, product releases to generate revenue, and you’re over here trying to make sure that they don’t get out the gate, you know, without all the security baselines being met. So that, you know, it is difficult, it is very difficult, but however we have standardized checkpoints in place where we are continuing to meet as teams. You know, no matter what the day of the week is, we didn’t stop doing that stuff. We never stopped doing that stuff. And again, you know, if… if those engineering leaders, if you’ve, if you’re focusing on building that relationship before, and those engineering leaders view you as… as a… as a resource and view you as a consultant, pardon me, to how they’re going to ship that secure software, they’re going to lean on you and make sure that you’re part of that conversation no matter what time of day it is, no matter what location. So, we have regular checkpoints, Jake, where we don’t miss them. They’re, you know, engineering knows what to expect from us. And that goes again to that pre-planning of the program and getting those templates in place. And, you know, having those checkpoints, if they know what to expect from you and they know where you are in the process, you know, you’re not a speed bump anymore, then you become, you know, “I couldn’t do business without you, partner,” which is always the goal for me. And my organization is, you know, I want our product teams to want us to be part of the process. And they do. So again, I think it goes back to how do you build the relationship with your product organization?
How do you get them to learn to trust you as a trusted adviser? That’s always the goal for my teams, to be trusted advisers and never to be speed bumps. So, you know, if you… if you lead with that first, it, just if you become part of the… the products, you become part of the product release cycle and not just another team telling them, you know, they… they can’t do something. So, I think that the relationship and the communication is just, it’s just key.

JAKE

You know, it’s… it’s been strange with the lack of in person security conferences. In fact, I just booked a flight to go out to Black Hat and it feels weird doing it. But… do you think, you know, this lack of security conferences, in person conferences, has impacted the industry and… and so can they impact that security research and vulnerability disclosure for you?

CHRISTINE

Yeah, great question, man. You know, I think we’ve thought at first we, I remember when we were first kind of, it seems like. But when we were first sort of working from home and everybody was stopping, we got together as a team and we thought, well, what is this gonna do to the vulnerability disclosure and research, like what will the load and velocity and our, to, you know, what will that look like? You know, we were sort of dreaming on. Would it slow down? Would it get, you know, would it be more? We’re finding a couple of, we’re… we’re finding some interesting things. One, we found that attackers have a lot more time on their hands. So we have not been, you know, without things to research, we have not been without things to look at. So we haven’t found a slow down at all. In fact, we found that, I think, attackers are getting more creative. So that’s that. It is definitely, I saw that with you, Jake, the… the lack of in-person security conferences. This is going to be hard because I think we do a lot of development as leaders by kind of those one-off conversations that we have in person sitting down after we’ve given a talk or, you know, we can sit down and have a cup of coffee or whatever and just catch up. But that has definitely impacted that. I feel like executives are how we talk to each other. But I’ve also found kind of the opposite in that I’ve had a lot more people reaching out to me just over email or giving me a call. There’s been a lot more, I think, forced communication for, you know, certain executives that, you know, really feel empowered to work together to actually just pick up the phone and call instead of waiting for that conference where, you know, you’re gonna run into that person, which, you know, we do that too. So I’m looking, just like you, I’m looking forward to getting back into kind of conference tracks and hallway talks and things like that. I think as an industry for us, we’re… we’re dependent on that. So I’m looking forward to that very much so.

JAKE

So, for someone that has been watching this and they’re working at a company and they’re struggling with too much work as it is, too many vulnerabilities. And now you’re telling them all about this process and templates and maturity and all these things to do. And they’re thinking, well, I don’t, I’m not BlackBerry. I don’t have the resources to do that. What do you say to them of how they could, where they should really start with getting… getting, you know, assessing the program together and getting started with that risk-based vuln management program? How do you get someone moving in a positive direction?

CHRISTINE

Great question. So, Jake, go back, you know, you hit it spot on when we started talking today, go back to that Black Hat talk, that original one. I can’t believe how spot on we actually were with that model. You know, really that’s where you start. It is, you know, I’ll be honest and say, yes, it’s a journey, but you have to start somewhere. And honestly, if the one thing you take away today from… from watching this is, you know, not starting anywhere should not ever be an option. You have to tackle it. It’s not gonna go away. Open Source Software is not going anywhere. Open Source Software vulnerability, you know, load and velocity’s not gonna go away and it’s not gonna get any easier. Start today. Go watch that talk, pick the bottom of that pyramid, start that maturity journey and… and start reaching out to people, you know. I’m always open to questions. I talk to a lot of people. You can always just, you know, I’m on LinkedIn, you can shoot me a note, happy to chat. You know, you’ve gotta just start asking the right questions. You’ve got to start looking at, you know, vendor partners such as yourself. You’ve got to start talking to, you know, again, people like Jake, you’ve got to start reaching out to… to people like Jake for advice because it’s not gonna go away. And I… I… I think for a lot of years, Jake, we… we, you and I even watched a lot of companies kind of put their heads in the sand and say, you know, okay, well, I’ve got to worry about my front door. And now we’re seeing supply chain attacks, you know, where, you know, attackers are using an opportunity to bypass 99 percent of an organization’s security investment to get into the supply chain. That should be a huge wakeup call to everybody. I mean, every company has to think about the fact that all that security investment, if they get in through your supply chain, you know, they can bypass all of that. That’s a huge wakeup call.
So, you know, I, my advice is to go back and watch that Black Hat talk and remember that we were, this was, you know, years ago. And here we are. So to start. But the… the… the foundation and the principles of that talk are still the same. You still have to start right at the very beginning and I think that talk is just key. We walked through every single step of how to create, you know, an Open Source Maturity Model for yourself and I, even if you’re a one-man, one-woman show, you can still watch that talk and still do those, you know, those. One-man, one-woman show types of things, I get a lot of really small companies to reach out to me about. “Okay. I’m two people. What do I do?” Right, there is a lot of things you can do just as a one or two person show. So again, the key is to start somewhere and just not to ignore it.

JAKE

So that brings us to the end. And the last question that I have for you is what’s the next thing? What… What else is on your mind? Five years later? Anything where we can say, remember what we said on that The Right Security show? We called it.

CHRISTINE

I know. Okay, you know what to make of it. I am going to just, I’m going to take a pause on SBOM because I really think SBOM is going to trigger the need for the product security mindset. I want to focus on SBOM because it is so big. I feel as far as bigger than anything that you and I have talked about or you and I have tried to work through. I think it’s going to catch so many companies off guard that I’m gonna… I’m gonna pull out my get out of jail free card right now and just say, I’m gonna hang on SBOM for a while and make sure that we’re prepared for it, you know, make sure that we can, you know, be an industry leader and help, you know, other companies prepare for it because the supply chain, the software supply chain, that’s my prediction, that… that is going to become the priority. So, I think we just need to hang out right here where we are. I’m not going to be making any more future predictions just because I think I… I have, you know, there’s a lot of work in our industry ahead of us. So we’ll hang there.

JAKE

Yeah, perfect. Thank you, Christine, Vice President of Product Security at BlackBerry. I highly recommend… recommend you watch her previous talks, review her work. She’s published such amazing things. And like she said, reach out to her directly. She’s super open and willing to help with any questions. Yeah, I definitely recommend reaching out to her. Thank you so much for your time. It was a pleasure as always.

CHRISTINE

Thanks Jake.
