So I have a ton of thoughts on the CISA Secure by Design and Secure by
Default push that is ongoing, as I am sure many of you do. And the first
thought is: This is not a bad way to go about business as a government
agency in general. I think it's easy to ignore how fast the USG has changed
its business practices, showing an agility that few large organizations can
match. In particular using Secure By Design as a case example.
1. Massive outreach to garner feedback (including at DEF CON, but also
via email, etc.)
2. Multiple rounds of editing of proposals
3. Actual people you could call and talk to about the proposal, with
their faces and positions listed right in the papers and blogs and lawfare
podcasts. If you were in DC today you could probably hit one of them up for
drinks or lunch or whatever.
4. Interaction across multiple stakeholder groups, including
internationally
5. The "right people" involved - and you can tell their backgrounds from
what they are annoyed about during their podcasts and other presentations.
(e.g. Bob Lord is very annoyed about XSS and obsessed with car safety,
which I'll dig into later). But also Jack Cable, Lauren Zabierek and Grant
Dasher are all worth listening to.
6. Clear executive support
So that's all good stuff. I thought I would post it as its own note because
it's rare to spend a moment to look at the government process, and not see
literally sausage being made. :)
-dave
So I wrote a little draft essay on Secure By Default and opened it for
comment. I think one thing that we maybe forget in our community is that
some of the more fundamental bases of what we do never make it up to
policy-world. Langsec being the primary example. But also there's a huge
body of work in TAOSSA, Shellcoders, every offensive conference talk, etc.
that never gets put into context anywhere but in our clique.
Obviously feel free to just comment in-thread if you prefer, even if you
work at CISA:
https://mastodon.social/@dave_aitel/111779922142416342
Thanks,
Dave