
Earlier this week I had the opportunity to attend and speak at the BSides Edmonton 2024 event. This is a local event that’s been running for a few years and oddly I’ve only been able to make it every second year, usually due to conflicts in my schedule. This year I had reached out earlier to see when the CFP was opening to find out it had already closed and I missed the opportunity to submit. Again, due to my schedule I opted not to attend.

A few weeks before the event, however, a speaker had dropped out and a slot was open. Interestingly, an old co-worker and friend (hey CRob!) was on an OpenSSF working group call with one of the organizers and I suppose they were lamenting the loss of a speaker when CRob told them that he knew someone local, so they reached out to see if I could pinch-hit and all of a sudden I was not only attending BSides but also speaking. Which was awesome because I’ve never spoken about security locally. Well, technically not true… about a decade ago I did present to a group of home schoolers about online security and safety (but that’s not really the same thing).

Anyhow, because of the time crunch I decided I was going to speak on the Evolution of risk-management in software, the same talk I gave at Red Hat Summit earlier this year. Easy enough. However, when I ran through it on the Thursday before I was speaking (last Tuesday) I realized this wasn’t the right talk for the crowd at BSides, so I spent the weekend reworking it. My focus was on the content, so the talk title was only nominally adjusted, to the Evolution of risk acceptance in open source software. That name probably needs to change but it’ll suffice for now.

The talk focused on the implicit acceptance of risk in proprietary software (you accept the risk of what you don’t see or know about) versus the need for an explicit acceptance of risk in open source software (accept the risk of what you can see and know about). We dug into some numbers of vulnerabilities in open versus proprietary, obviously using Red Hat as the example of an open source vendor and a well-known and unnamed proprietary vendor as the contrast.

The room was pretty full and the audience was very engaged. I was really happy with the outcome of the talk and spent an hour afterwards answering questions and talking with people about the content. Some interesting questions about risk management and how one gets executive management to transfer risk decisions to those closer to the work (i.e. how to get the people who know the technology to accept risk instead of executives looking at things from a purely compliance perspective), what open source scanners are best for scanning for vulnerabilities and the challenges with scanners in general, and just general good risk acceptance and open source topics.

Of course I had someone come up asking about why Red Hat’s kernels are so old and how they would like to see us update more often so they could obtain the performance benefits of newer kernels to reduce their AWS consumption costs. Sigh. I mean, I get it but there are tradeoffs between security, stability and performance. I think for their use case they could go ahead and use an upstream kernel if they wanted to. Most Red Hat customers prefer a stable, predictable kernel that, sure, might be a little long in the tooth but that’s what most enterprise users who want long-life stability desire.

Anyways, the adversarial grilling aside, it was a great talk and a good experience. The talk will be posted to the BSides Edmonton YouTube channel but unfortunately not until the end of October or November. So those folks who’ve asked to see it will have to wait.

Or, if you’re attending SOSS Fusion 2024 next month you can listen to it in-person! I’ll be tweaking it a bit more before then so it’ll change some, but probably not too much.

I also learned from the Tuesday morning keynote that Canada is doing some pretty neat stuff at the federal level with respect to security. The Canadian Centre for Cyber Security was a complete unknown to me before this week, and they do a lot with open source including their Assemblyline malware analysis platform, their Howler tool for analyzing alerts from different applications, and quite a bit more (check out the Cyber Centre Canada on GitHub). There’s a ton of open source available there.

I had no idea that this was happening in my own backyard! I think this is pretty awesome actually and I’m really looking forward to digging into it a bit more to see what the Cyber Centre is doing for Canadians.

I also learned that they really believe in regulatory compliance framework reciprocity, a topic I discussed recently on Forbes so that was really exciting to hear. They do a lot of work with NIST, particularly around FIPS validation and testing. It was also interesting to see their point of view on not just creating tools in open source but also leveraging open source and how they see that, sure, there’s some risk but the benefits it affords, including transparency, make it easier to manage (something I talk about often and was definitely discussed in the talk I gave). They also talked a bit about AI and Quantum Computing which I found very interesting as well. Very much looking forward to watching that keynote again when it’s posted.

All in all, a great event to attend. Hats off to the BSides volunteers and organizers who put it on! Thanks to the sponsors who helped make it possible (had a few good chats with them as well), and then of course to the other speakers who gave talks or led workshops. I believe there were around 500 people in attendance which is pretty amazing.
