Good morning, everybody. How many of you have, in your day job, a responsibility for cybersecurity, or just security, or just cyber? Okay, any of those, any of this, so maybe cyber. You never know, you never know. This is open source. And how many of you don't have any security responsibility in your daily work? All the rest should now raise their hands. Something is wrong here. Something is amiss. I have a simple point today; I could stop after the title slide: security is everybody's responsibility. If you do security today, you must stop being so inward-focused and open up and bring others into security. And if you are not doing security today, you need to start doing it, because you are not in software if you're not in security. If you go and visit somebody in a hospital, who is in charge of fighting contamination? You. You wash your hands, you disinfect your hands, everybody does it. You may not own the hospital. You're not the doctor, you're not the nurse, you're not the patient, but you are in charge of the security of the hospital, meaning keeping viruses and bacteria away. Many of us here have happily been developing open source and other pieces of software for decades, and we're so proud of the millions of installations we have. But I invite you to do like I do and repent and fix this thing, because what we built for fun is now used for the most critical parts of society, and we can't just keep doing it the way we did. We have to build security into all the fun stuff that we kept building over the past several decades. So, yes, that's me on the left. I'm CEO of HackerOne. We tried to bring open source philosophies into the area of security. We call ourselves a hacker-powered security company.
We have a hundred and sixty thousand contributors: security researchers, ethical hackers, white hats who have signed up to find flaws in your software, to find vulnerabilities. That's software bugs, but it's more than software bugs; security vulnerabilities can emanate from situations without any bug. But when there's a security vulnerability in the system, we will find it. We hacked the Air Force. It took us eight minutes to break in. We found 200 vulnerabilities in the Air Force's systems; 20 of those were found by Jack Cable, a 17-year-old high school student from Chicago, Illinois. These are the hackers that work with us and for us as volunteers and freelancers to find the vulnerabilities. But we need you to fix them. Somebody also must fix the code. So in the history of the HackerOne company, we have found and our customers have fixed over 65,000 security vulnerabilities to date. So that has removed a lot of holes where criminals could have entered. It hasn't removed all the holes. There are, I don't even know how many, tens of millions, hundreds of millions, a billion, who knows how many vulnerabilities there are in the joint attack surface of the world. But if we deploy a hundred billion new lines of code every year, there's a lot of security to look after. We operate a nonprofit that supports open source projects who can't afford this themselves. It's called the Internet Bug Bounty, so feel free to check it out. And we publish vulnerability reports for the whole world, so go to Hacktivity and read the reports and learn in what ways software can have security vulnerabilities. Cybersecurity, or security, or whatever you call it; if you don't know it, you just call it cyber. It's a hundred-billion-dollar market today. $100 billion is spent on cybersecurity. And in this business we call it, or some of us say, cybersecurity is the new marketing. Half of the money is wasted.
We just don't know which half. We've been buying hardware and software and machines and walls and all kinds of stuff, thinking that technology and products will make us secure. But that's not true. It isn't security. It doesn't make you any more secure if you buy more hardware, if you pile up hardware around your company and you have a perimeter. It doesn't make you more secure. But yet the world is spending a hundred billion a year trying to get more secure by doing all these things. The answer is much more simple and much more boring and unpleasant, because this is security: security is when you share. You share the defense, you share information, you work together. You can't be secure if just some are secure and others are not. You can't have secure software if just some of your software engineers are in charge of security. You can't just delegate it or relegate it to a security team; if you do that, it won't happen. It's the same as in the 90s, when everybody had a quality manager or a VP of quality or something, and everybody got their ISO certifications. It didn't help; it reduced quality in the companies, because people felt that quality now was the job of somebody else, not of you. Some things are so important that you cannot give them to just one team or one group, and security is the discipline. It's doing it every single time. If you go and visit your friend in the hospital, you better wash your hands and disinfect them every single time you go in and when you come out. And it's not about how many times you did it.
It's making sure that you never failed to do it. So that's hard, for all of us are a little bit sloppy, and we would like to be secure, but we don't always pay attention to it. Unfortunately, software security only happens when we're very disciplined, and I'll go into more details about this. Specifically, when we say shared: we often talk about cyber threats being asymmetric, in the sense that one single criminal attacker, one single malicious attacker, can cause a lot of harm, so much harm that you need a hundred people to defend. And it's nearly always like this in crime. One bad guy will need a hundred good guys to stop that bad guy, and then we say, oh, it's an asymmetric threat, and there's nothing we can do, because they don't need as many people as we do. But there is a cure to this, and that's pooled defense. Because the number of defenders is far larger than the number of bad guys. There are far more white hats in the world than there are black hats. And when I said we have a hundred and sixty thousand hackers signed up at HackerOne, we already have more people signed up with our service than there are black hats in the world. So if companies can get together and pool the defense, you turn the asymmetry around, and suddenly you have ten times the power of the attackers. Still, every single attack is an asymmetric threat to you, but if you share information, share the defense, share best practices, and share the act of responding to threats, then you overcome the asymmetry and you turn it around. And the discipline and diligence: unfortunately, the devil is in the detail. Everybody talks about Equifax, and it's a very sad story, and we could probably note that that company has so many failures and acts of negligence, or sort of omissions, in the way they handled the security, and all of this bad stuff happening just getting worse. But think about it.
It was one single software vulnerability that led to the data breach in their systems. One single vulnerability. There's nobody here who has a software system with just one vulnerability; all of you have a system with many, just your smartphone or your laptop or your company systems. So this shows that you have to be very diligent and have the commitment to take care of every single vulnerability, because you never know where they might attack. Of course, you start with the most severe ones and then you end by fixing the easy ones. That's how you keep the risk down, but there's no way around this. So many times in cybersecurity we complain about long passwords, or we complain about multi-factor authentication: this is taking too much time. Guys, get used to it. Security doesn't come for free. The only thing that acts against these threats is the discipline and diligence, remembering long passwords or whatever it is. Even when somebody invents a method where we don't need passwords anymore, you will be asked to do something else which is burdensome and every day, and where you are not allowed to miss it one single time. Just like seat belts. We wear seat belts all the time, and it takes just one act of not wearing a seat belt and it's bad. It's the same here, and we just haven't agreed, or we have refused to acknowledge, that it's the same with cybersecurity. And then we have to be so fast, because whatever happens, the bad guys are fast, so you have to be a little bit faster. And Jim talked about how we can make this cycle spin faster. One of the big, big problems of software today is that the update cycle is too slow. We had a severe vulnerability reported through our service to an online service that's very, very popular among all of you. It was reported on Friday afternoon, and they fixed it in six hours. So they received a message saying, here's something, I think this is severe. They read it within 30 minutes and said, yes, this is very severe.
Let's start working on it. They figured out how to fix it in the next few hours. They tested it. They rolled out the patch. Everything done within six hours. And the faster you can act, the lower your risk for any incidents, and it's all about acting fast. And jokingly, you don't have to be fast, you just have to be faster than your competitors, because criminals are lazy and they go for the low-hanging fruit. They go for the companies that have the weakest defense. So if you're known to have a strong defense, then they are less likely to try. Of course, they will still try, but they're a little bit less likely. So acting without delay, and acting right without delay. Of course, if a security incident truly happens, then rule number one is don't freak out. Don't freak out. We just did a red team exercise inside our company where a few people staged a very bad attack on HackerOne, and we had so many people freaking out. So finally they say, okay, we must call our external counsel and report this, because this has to be reported to the authorities. And at that point we called the exercise off, and it was just a red team exercise this time, but it's good to do. I didn't know about it; I was not aware that we were doing it. But it's a very good way of testing whether you freak out or not when things really go bad. So response efficiency is key, and also knowing what to do. So when you plan for cybersecurity, you need to plan for what happens when something happens. So first you do all the preventative work. That's a lot of work. Then you plan for the moment when an incident really occurs, so you need to have that plan ready. And then thirdly, you need to have a plan ready for what you do afterwards. How do you clean up afterwards?
So a lot of work to do after an incident has happened as well. And security needs to be embedded in everything we do; it just has to. Airline security, airline safety, is now like that. Airlines are probably the safest way of transportation, safer than walking in San Francisco. And it is because they've embedded it in everything they do. You cannot build an airplane or an engine or a wheel or anything, a bolt or a screw, any small little piece for an airplane, without having it tested and approved, and everybody who works there will think about safety every day. They share everything with competitors, and they've embedded safety in everything airlines and airports and aircraft do, and that's why it is so safe. We just haven't done it in software yet. This is a juvenile industry compared to the airline industry. But then, there was a time when flying was very dangerous. It is not anymore. So if there was a time when software was very dangerous, like now, there will come a time when it's not dangerous anymore. We will figure this out, but it will require embedding it in everything we do. So in summary, here are things we must do. Many of you are already doing it, some partly; preaching to the choir here. But we must democratize security. We must make cybersecurity a topic for everybody, a small topic for everybody, not a big one. There will be experts; we will need CISOs and security architects and all these people. They're not going away, but they must be inclusive in what they do. They must bring everybody into that work, and everybody must feel a responsibility for it, just like we feel responsibility for hygiene when we go to a hospital, or we accept the security checkpoints at the airport. All of these things that we do every day without thinking: we use seat belts in cars, we do many things now that originally felt cumbersome and clunky and difficult, and now we say, yeah, it's a cost of living. It's a cost of being a human being. So we must democratize it. Number two.
Those who are not in open source need to learn from open source. Open source has built an amazing functionality for people to work together, and specifically for people who disagree to work together. That's perhaps the best accomplishment of open source ever. I have never found two open source people who would agree on anything. Yet it works. So you build the governance of how to resolve conflict, how to vote, how to decide which feature to do, whether it's quality or shipment time or what matters. And building this ability for conflict resolution is one of the great accomplishments of open source. And then with that goes the transparency: you can't do that if you're not transparent. You need to share. We need to legislate cyber hygiene. This is a message for Congress and parliaments in other countries. When it's a shared responsibility like this, it won't happen if our elected legislators don't state so in a law, and we have no law today that would really mandate companies to take care of this. It's finally happening, I think. I don't know how fast those wheels rotate; they weren't on Jim's slide. They can take years. But it's important that we set the standard that nobody can avoid and nobody can stay away from. And then with software: we need to be able to fix software, and if software cannot be patched or fixed, then deprecate it. Stop living and working with software that isn't designed for this connected world, with so much software that was designed before the internet, or that assumed that not everybody could connect. Today everything is connected. If the software can't handle it, if you can't roll out the patch when you find the security vulnerability, then deprecate the whole thing. We did that in Y2K. We took out all software that couldn't handle modern dates. We should do the same with security and software: just take it out. It's expensive. It's painful. It's difficult. You will say it's impossible. Yeah, I have heard all of those. It's not true.
It is possible; the world has to go on. And then, as a message to our educational institutions: don't call it computer science and software engineering unless there's security in it. Today you can graduate in CS without taking a single course in security. You don't have to pay any attention to security, and I certainly didn't when I took my degree a long time ago. But now we must change that. It has to become part of everything we do. And when we do all of this, the ship will turn. It's a big ship, so it turns slowly, but it will turn, and we will get to a state that is similar to what we have with airline safety or hospital hygiene or automotive safety, where today it all works, but it works because we do it together and we jointly take responsibility for it. Thank you.

So I couldn't agree more. Obviously, that's one of the reasons you're here. But you know, one of the things that is happening this week, and I want to encourage people, is, I think you're so right in that there's not any single solution. It is a collective responsibility. I'll give you a couple of examples that are happening this week. SPDX is an initiative that we've been working on for a long time at the Linux Foundation in order to understand a software bill of materials. This was largely for license compliance, but to your point, if you don't know what software you're actually running, if you don't have an easy way for an upstream supplier to provide that to their downstream supply chain, how are you going to fix anything? Right? You don't know.

No, very true.

So these are things; you see how these things start to interconnect, to Martin's point, which, if we all think of and take responsibility and create this culture of, like, hey, I've got a different way of trying to solve that same problem, we're all gonna have better outcomes. So I love the perspective. Thank you so much.

Thank you. Thanks.