Today we sit down with John Cofrancesco from Fortress Information Security to get insights on the issues with the supply chain and the federal government.
When it comes to federal technology, it is well known that bringing in large chunks of software can introduce vulnerabilities. The real issue is not recognizing the code flaws; it is finding time in a hectic schedule to remediate them.
For example, CISA has something called the Vulnerability Exploitability Exchange that lists known software vulnerabilities. Companies like Sonatype offer surveys where they identify thousands of lines of code with structural flaws.
One of these vulnerabilities, Log4J, is well known. Rezilion announced it had scanned 90,000 servers that still had this problem.
So, having a list of vulnerabilities is not the issue. The concern is cleaning up the federal code in an effective manner.
John Cofrancesco’s company is well known for its work in critical infrastructure. Although the word “infrastructure” implies hardware, from his perspective it is all a software concern. During the interview, John Cofrancesco describes ways that this risk can be managed effectively.
He talks about open source, automation, and sharing vulnerability concerns with a wider audience. John suggests that many of the weaknesses in code have originated in open source. As far as automation is concerned, overburdened federal information professionals have a limited amount of time, which suggests that patching systems successfully would be impossible without automating some aspects of the work.
Fortress Information Security is active in making threat information available to the federal community. It has a Security Exchange that allows for collaboration in handling software development risks.
If you enjoyed this podcast, you may want to listen to episode #7, Clean Code for Federal Projects.