So I wrote a little draft essay on Secure By Default and opened it for comment. I think one thing that we maybe forget in our community is that some of the more fundamental bases of what we do never make it up to policy-world. Langsec being the primary example. But also there's a huge body of work in TAOSSA, Shellcoders, every offensive conference talk, etc. that never gets put into context anywhere but in our clique.

Obviously feel free to just comment in-thread if you prefer, even if you work at CISA:
