Posted to security-discuss@community.apache.org by David Nalley <da...@gnsa.us> on 2021/12/31 17:56:25 UTC

CISA

Hi folks,

I just concluded a call with Jen Easterly (Director of CISA).

We chatted for approximately 50 minutes about open source security and
particularly around Apache.

Going forward we're going to set up quarterly syncs, and I'd like to pull in
one or more of the Marks and potentially others down the road.

I brought up some of the concerns that Phil Steitz (and Danny Angus, on
another list) surfaced about the right kind of help, and concerns about
masses of sudden energy being directed around specific things that weren't
sustainable.

She seemed confused by our "volunteer" base. I pointed out that many, if
not most, contributors are employed in tech roles, but that "volunteers" is
part of our internal taxonomy. I called out that we used that because we
don't pay them or direct their efforts. As Sam pointed out else-thread,
"volunteer" does not denote the quality of work. I tried to reinforce that
the ASF was a vendor-neutral place for collaboration.

She asked what help she or her agency could offer us. I told her that I
didn't have any short term requests, but said that I would discuss
with others at the ASF.

The one pointed question she asked was why the log4j vulnerability existed
for so long, and wasn't found earlier. I told her that finding security
vulnerabilities was not quite like experiencing a bug, and that in complex
systems it's often a series of interactions rather than glaring solitary
problems that were easily findable in codebases. I cited a number of other
examples of long-latent security issues.

She also asked about memory safety, and I told her that the ASF as a
corporation doesn't pick technologies or set technical direction, leaving
that instead to the projects. But I also noted that we did have some
efforts happening in those areas, and called out Stefan Eissing's work
around a mod_tls implementation in Rust as an example.

--David