Quick Hit Thoughts from RSA Conference 2013

By Joshua Brickman, CA Technologies

I have a great job at CA Technologies, I can’t deny it. Working in CA Technologies Federal Certification Program Office, I have the responsibility of knowing what certifications, accreditations, mandates, etc. are relevant and then helping them get implemented.

One of the responsibilities (and benefits) of my job is getting to go to great conferences like the RSA Security Conference which just wrapped last week. This year I was honored to be selected by the Program Committee to speak twice at the event. Both talks fit well to the Policy and Government track at the show.

First I was on a panel with a distinguished group of senior leaders from both industry and government. The title of the session was, Certification of Products or Accreditation of Organizations: Which to Do? The idea was to discuss the advantages and disadvantages of individual product certifications vs. looking at an entire company or business unit. Since I’ve led CA through many product certifications (certs) and have been involved in accreditation programs as well, my position was to be able to bring real-world industry perspective to the panel. The point I tried to make was that product certs (like Common Criteria – CC) add value, but only for the specific purpose that they are designed for (security functions). We’ve seen CC expanding beyond just security enforcing products and that’s concerning. Product certs are expensive, time consuming and take away from time that could be spent on innovation. We want to do CC when it will be long lasting and add value.

On the idea of accreditation of organizations, I first talked about CMMI and my views on its challenges. I then shifted to the Open Trusted Technology Forum (OTTF), a forum of The Open Group, as I’ve written about before and said that the accreditation program that group is building is more focused than CMMI. OTTF is building something that – when adopted by industry and THEIR suppliers – will provide assurance that technology is being built the right way (best practices) and will give acquirers confidence that products bought from vendors that have the OTTF mark can be trusted. The overall conclusion of the panel was that accreditation of organizations and certifications of products both had a place, and that it is important that the value was understood by buyers and vendors.

A couple of days later, I presented with Mary Ann Davidson, CSO of Oracle. The main point of the talk was to try and give the industry perspective on mandates, legislation and regulations – which all seemed to be focused on technology providers – to solve the cyber security issues which we see every day. We agreed that sometimes regulations make sense but having a clear problem definition, language and limited scope was the path to success and acceptance. We also encouraged government to get involved with industry via public/private partnerships, like The Open Group Trusted Technology Forum.

Collaboration is the key to fighting the cyber security battle. If you are interested in hearing more about ways to get involved in building a safer and more productive computing environment, feel free to contact me or leave a comment on this blog. Cybersecurity is a complicated issue and there were well over 20,000 security professionals discussing it at RSA Conference. We’d love to hear your views as well.

This blog post was originally published on the CA Technologies blog.


Joshua Brickman, PMP (Project Management Professional), runs CA Technologies Federal Certifications Program. He has led CA through the successful evaluation of sixteen products through the Common Criteria over the last six years (in both the U.S. and Canada). He is also a Steering Committee member on The Open Group consortium focused on Supply Chain Integrity and Security, The Open Group Trusted Technology Forum (OTTF). He also runs CA Technologies Accessibility Program.

2013 Open Group Predictions, Vol. 2

By The Open Group

Continuing on the theme of predictions, here are a few more, which focus on global IT trends, business architecture, OTTF and Open Group events in 2013.

Global Enterprise Architecture

By Chris Forde, Vice President of Enterprise Architecture and Membership Capabilities

Cloud is no longer a bleeding edge technology – most organizations are already well on their way to deploying cloud technology.  However, Cloud implementations are resurrecting a perennial problem for organizations—integration. Now that Cloud infrastructures are being deployed, organizations are having trouble integrating different systems, especially with systems hosted by third parties outside their organization. What will happen when two, three or four technical delivery systems are hosted on AND off premise? This presents a looming integration problem.

As we see more and more organizations buying into cloud infrastructures, we’ll see an increase in cross-platform integration architectures globally in 2013. The role of the enterprise architect will become more complex. Architectures must not only ensure that systems are integrated properly, but architects also need to figure out a way to integrate outsourced teams and services and determine responsibility across all systems. Additionally, outsourcing and integration will lead to increased focus on security in the coming year, especially in healthcare and financial sectors. When so many people are involved, and responsibility is shared or lost in the process, gaping holes can be left unnoticed. As data is increasingly shared between organizations and current trends escalate, security will also become more and more of a concern. Integration may yield great rewards architecturally, but it also means greater exposure to vulnerabilities outside of your firewall.

Within the Architecture Forum, we will be working on improvements to the TOGAF® standard throughout 2013, as well as an effort to continue to harmonize the TOGAF specification with the ArchiMate® modelling language. The Forum also expects to publish a whitepaper on application portfolio management in the new year, as well as be involved in the upcoming Cloud Reference Architecture.

In China, The Open Group is progressing well. In 2013, we’ll continue translating The Open Group website, books and whitepapers from English to Chinese. Partnerships and Open CA certification will remain in the forefront of global priorities, as well as enrolling TOGAF trainers throughout Asia Pacific as Open Group members. There are a lot of exciting developments arising, and we will keep you updated as we expand our footprint in China and the rest of Asia.

Open Group Events in 2013

By Patty Donovan, Vice President of Membership and Events

In 2013, the biggest change for us will be our quarterly summit. The focus will shift toward an emphasis on verticals. This new focus will debut at our April event in Sydney, where the vertical themes include Mining, Government, and Finance. Additional vertical themes that we plan to cover throughout the year include Healthcare, Transportation and Retail, just to name a few. We will also continue to increase the number of our popular Livestream sessions, as we have seen an extremely positive reaction to them as well as to all of our On-Demand sessions – listen to best-selling authors and industry leaders who participated as keynote and track speakers throughout the year.

Regarding social media, we made big strides in 2012 and will continue to make this a primary focus of The Open Group. If you haven’t already, please “like” us on Facebook, follow us on Twitter, join the chat on (#ogchat) one of our Security focused Tweet Jams, and join our LinkedIn Group. And if you have the time, we’d love for you to contribute to The Open Group blog.

We’re always open to new suggestions, so if you have a creative idea on how we can improve your membership, Open Group events, webinars, podcasts, please let me know! Also, please be sure to attend the upcoming Open Group Conference in Newport Beach, Calif., which is taking place on January 28-31. The conference will address Big Data.

Business Architecture

By Steve Philp, Marketing Director for Open CA and Open CITS

Business Architecture is still a relatively new discipline, but in 2013 I think it will continue to grow in prominence and visibility from an executive perspective. C-Level decision makers are not just looking at operational efficiency initiatives and cost reduction programs to grow their future revenue streams; they are also looking at market strategy and opportunity analysis.

Business Architects are extremely valuable to an organization when they understand market and technology trends in a particular sector. They can then work with business leaders to develop strategies based on the capabilities and positioning of the company to increase revenue, enhance their market position and improve customer loyalty.

Senior management recognizes that technology also plays a crucial role in how organizations can achieve their business goals. A major role of the Business Architect is to help merge technology with business processes to help facilitate this business transformation.

There are a number of key technology areas for 2013 where Business Architects will be called upon to engage with the business such as Cloud Computing, Big Data and social networking. Therefore, the need to have competent Business Architects is a high priority in both the developed and emerging markets and the demand for Business Architects currently exceeds the supply. There are some training and certification programs available based on a body of knowledge, but how do you establish who is a practicing Business Architect if you are looking to recruit?

The Open Group is trying to address this issue and has incorporated a Business Architecture stream into The Open Group Certified Architect (Open CA) program. There has already been significant interest in this stream from both organizations and practitioners alike. This is because Open CA is a skills- and experience-based program that recognizes, at different levels, those individuals who are actually performing in a Business Architecture role. You must complete a candidate application package and be interviewed by your peers. Achieving certification demonstrates your competency as a Business Architect and therefore will stand you in good stead for both next year and beyond.

You can view the conformance criteria for the Open CA Business Architecture stream at https://www2.opengroup.org/ogsys/catalog/X120.

Trusted Technology

By Sally Long, Director of Consortia Services

The interdependency of all countries on global technology providers, and technology providers’ dependencies on component suppliers around the world, is more certain than ever before. The need to work together in a vendor-neutral, country-neutral environment to assure there are standards for securing technology development and supply chain operations will become increasingly apparent in 2013. Securing the global supply chain cannot be done in a vacuum, by a few providers or a few governments; it must be achieved by working together with all governments, providers, component suppliers and integrators, and it must be done through open standards and accreditation programs that demonstrate conformance to those standards and are available to everyone.

The Open Group’s Trusted Technology Forum is providing that open, vendor and country-neutral environment, where suppliers from all countries and governments from around the world can work together in a trusted collaborative environment, to create a standard and an accreditation program for securing the global supply chain. The Open Trusted Technology Provider Standard (O-TTPS) Snapshot (Draft) was published in March of 2012 and is the basis for our 2013 predictions.

We predict that in 2013:

  • Version 1.0 of the O-TTPS (Standard) will be published.
  • Version 1.0 will be submitted to the ISO PAS process in 2013, and will likely become part of the ISO/IEC 27036 standard, where Part 5 of that ISO standard is already reserved for the O-TTPS work.
  • An O-TTPS Accreditation Program – open to all providers, component suppliers, and integrators – will be launched.
  • The Forum will continue the trend of increased member participation from governments and suppliers around the world.

Viewpoint: Technology Supply Chain Security – Becoming a Trust-Worthy Provider

By Andras Szakal, IBM

Increasingly, the critical systems of the planet — telecommunications, banking, energy and others — depend on and benefit from the intelligence and interconnectedness enabled by existing and emerging technologies. As evidence, one need only look to the increase in enterprise mobile applications and BYOD strategies to support corporate and government employees.

Whether these systems are trusted by the societies they serve depends in part on whether the technologies incorporated into them are fit for the purpose they are intended to serve. Fit for purpose is manifested in two essential ways: first, does the product meet essential functional requirements; and second, has the product or component been produced by a trustworthy provider. Of course, the leaders or owners of these systems have to do their part to achieve security and safety (e.g., to install, use and maintain technology appropriately, and to pay attention to people and process aspects such as insider threats). Cybersecurity considerations must be addressed in a sustainable way from the get-go, by design, and across the whole ecosystem — not after the fact, or in just one sector or another, or in reaction to crisis.

In addressing the broader cybersecurity challenge, however, buyers of mission-critical technology naturally seek reassurance as to the quality and integrity of the products they procure. In our view, the fundamentals of the institutional response to that need are similar to those that have worked in prior eras and in other industries — like food.

For example: Most of us are able to enjoy a meal of stir-fried shrimp and not give a second thought as to whether the shellfish is safe to eat.

Why is that? Because we are the beneficiaries of a system whose workings greatly increase the likelihood — in many parts of the world — that the shellfish served to end consumers is safe and uncontaminated. While tainted technology is not quite the same as tainted food, it’s a useful analogy.

Of course, a very high percentage of the seafood industry is extremely motivated to provide safe and delicious shellfish to the end consumer. So we start with the practical perspective that, much more likely than not in today’s hyper-informed and communicative world, the food supply system will provide reasonably safe and tasty products. Invisible though it may be to most of us, however, this generalized confidence rests on a worldwide system that is built on globally recognized standards and strong public-private collaboration.

This system is necessary because mistakes happen, expectations evolve and — worse — the occasional participant in the food supply chain may take a shortcut in their processing practices. Therefore, some kind of independent oversight and certification has proven useful to assure consumers that what they pay for — their desired size and quality grade and, always, safety — is what they will get. In many countries, close cooperation between industry and government results in industry-led development and implementation of food safety standards.[1]

Government’s role is limited but important. Clearly, government cannot look at and certify every piece of shellfish people buy. So its actions are focused on areas in which it can best contribute: to take action in the event of a reported issue; to help convene industry participants to create and update safety practices; to educate consumers on how to choose and prepare shellfish safely; and to recognize top performers.[2]

Is the system perfect? Of course not. But it works, and supports the most practical and affordable methods of conducting safe and global commerce.

Let’s apply this learning to another sphere: information technology. To wit:

  • We need to start with the realization that the overwhelming majority of technology suppliers are motivated to provide securely engineered products and services, and that competitive dynamics reward those who consistently perform well.
  • However, we also need to recognize that there is a gap in time between the corrective effect of the market’s Invisible Hand and the damage that can be done in any given incident. Mistakes will inevitably happen, and there are some bad actors. So some kind of oversight and governmental participation are important, to set the right incentives and expectations.
  • We need to acknowledge that third-party inspection and certification of every significant technology product at the “end of pipe” is not only impractical but also insufficient. It will not achieve trust across a wide variety of infrastructures and industries. A much more effective approach is to gather the world’s experts and coalesce industry practices around the processes that the experts agree are best suited to produce desired end results.
  • Any proposed oversight or government involvement must not stymie innovation or endanger a provider’s intellectual capital by requiring exposure to third-party assessments or by requiring overly burdensome escrow of source code.
  • Given the global and rapid manner in which technologies are invented, produced and sold, a global and agile approach to technology assurance is required to achieve scalable results. The approach should be based on understood and transparently formulated standards that are, to the maximum extent possible, industry-led and global in their applicability. Conformance to such standards, demonstrated once, would then be recognized by multiple industries and geo-political regions. Propagation of country- or industry-specific standards will result in economic fragmentation and slow the adoption of industry best practices.

The Open Group Trusted Technology Forum (OTTF)[3] is a promising and complementary effort in this regard. Facilitated by The Open Group, the OTTF is working with governments and industry worldwide to create vendor-neutral open standards and best practices that can be implemented by anyone. Membership continues to grow and includes representation from manufacturers world-wide.

Governments and enterprises alike will benefit from OTTF’s work. Technology purchasers can use the Open Trusted Technology Provider (OTTP) Standard and OTTP Framework best practice recommendations to guide their strategies. And a wide range of technology vendors can use OTTF approaches to build security and integrity into their end-to-end supply chains. The first version of the OTTPS is focused on mitigating the risk of tainted and counterfeit technology components or products. The OTTF is currently working on a program that will accredit technology providers to the OTTP Standard. We expect to begin pilot testing of the program by the end of 2012.

Don’t misunderstand us: Market leaders like IBM have every incentive to engineer security and quality into our products and services. We continually encourage and support others to do the same.

But we realize that trusted technology — like food safety — can only be achieved if we collaborate with others in industry and in government. That’s why IBM is pleased to be an active member of the Trusted Technology Forum, and looks forward to contributing to its continued success.

A version of this blog post was originally posted by the IBM Institute for Advanced Security.

Andras Szakal is the Chief Architect and a Senior Certified Software IT Architect for IBM’s Federal Software Sales business unit. His responsibilities include developing e-Government software architectures using IBM middleware and managing the IBM federal government software IT architect team. Szakal is a proponent of service oriented and web services based enterprise architectures and participates in open standards and open source product development initiatives within IBM.

PODCAST: Industry moves to fill gap for building trusted supply chain technology accreditation

By Dana Gardner, Interarbor Solutions

Listen to this recorded podcast here: BriefingsDirect-IT Industry Looks to Open Trusted Technology Forum to Help Secure Supply Chains That Support Technology Products

The following is the transcript of a sponsored podcast panel discussion on how the OTTF is developing an accreditation process for trusted technology, in conjunction with The Open Group Conference, Austin 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011.

We’ve assembled a distinguished panel to update us on The Open Group Trusted Technology Forum, also known as the OTTF, and an accreditation process to help technology acquirers and buyers safely conduct global procurement and supply chain commerce. We’ll examine how the security risk for many companies and organizations has only grown, even as these companies form essential partnerships and integral supplier relationships. So, how can all the players in a technology ecosystem gain assurances that the other participants are adhering to best practices and taking the proper precautions?

Here to help us better understand how established standard best practices and an associated accreditation approach can help make supply chains stronger and safer is our panel. We’re here with Dave Lounsbury, the Chief Technical Officer at The Open Group. Welcome back, Dave.

Dave Lounsbury: Hello Dana. How are you?

Gardner: Great. We are also here with Steve Lipner, Senior Director of Security Engineering Strategy in the Trustworthy Computing Security at Microsoft. Welcome back, Steve.

Steve Lipner: Hi, Dana. Glad to be here.

Gardner: We’re here also with Joshua Brickman, Director of the Federal Certification Program Office at CA Technologies. Welcome, Joshua.

Joshua Brickman: Thanks for having me.

Gardner: And, we’re here too with Andras Szakal. He’s the Vice President and CTO of IBM’s Federal Software Group. Welcome back, Andras.

Andras Szakal: Thank you very much, Dana. I appreciate it.

Gardner: Dave, let’s start with you. We’ve heard so much lately about “hacktivism,” break-ins, and people being compromised. These are some very prominent big companies, both public and private. How important is it that we start to engage more with things like the OTTF?

No backup plan

Lounsbury: Dana, a great quote coming out of this week’s conference was that we have moved the entire world’s economy to being dependent on the Internet, without a backup plan. Anyone who looks at the world economy will see, not only are we dependent on it for exchange of value in many cases, but even information about how our daily lives are run, traffic, health information, and things like that. It’s becoming increasingly vitally important that we understand all the aspects of what it means to have trust in the chain of components that deliver that connectivity to us, not just as technologists, but as people who live in the world.

Gardner: Steve Lipner, your thoughts on how this problem seems to be only getting worse?

Lipner: Well, the attackers are becoming more determined and more visible across the Internet ecosystem. Vendors have stepped up to improve the security of their product offerings, but customers are concerned. A lot of what we’re doing in The Open Group and in the OTTF is about trying to give them additional confidence of what vendors are doing, as well as inform vendors what they should be doing.

Gardner: Joshua Brickman, this is obviously a big topic and a very large and complex area. From your perspective, what is it that the OTTF is good at? What is it focused on? What should we be looking to it for in terms of benefit in this overall security issue?

Brickman: One of the things that I really like about this group is that you have all of the leaders, everybody who is important in this space, working together with one common goal. Today, we had a discussion where one of the things we were thinking about is, whether there’s a 100 percent fail-safe solution to cyber? And there really isn’t. There is just a bar that you can set, and the question is how much do you want to make the attackers spend, before they can get over that bar? What we’re going to try to do is establish that level, and working together, I feel very encouraged that we are getting there, so far.

Gardner: Andras, we are not just trying to set the bar, but we’re also trying to enforce, or at least have clarity into, what other players in an ecosystem are doing. So that accreditation process seems to be essential.

Szakal: We’re going to develop a standard, or are in the process of developing a specification and ultimately an accreditation program, that will validate suppliers and providers against that standard. It’s focused on building trust into a technology provider organization through this accreditation program, facilitated through either one of several different delivery mechanisms that we are working on. We’re looking for this to become a global program, with global partners, as we move forward.

Gardner: It seems as if almost anyone is a potential target, and when someone decides to target you, you do seem to suffer. We’ve seen things with Booz Allen, RSA, and consumer organizations like Sony. Is this something that almost everyone needs to be more focused on? Are we at the point now where there is no such thing as turning back, Dave Lounsbury?

Global effort

Lounsbury: I think there is, and we have talked about this before. Any electronic or information system now is really built on components and software that are delivered from all around the globe. We have software that’s developed in one continent, hardware that’s developed in another, integrated in a third, and used globally. So, we really do need to have the kinds of global standards and engagement that Andras has referred to, so that there is that one bar for all to clear in order to be considered as a provider of trusted components.

Gardner: As we’ve seen, there is a weak link in any chain, and the hackers or the cyber criminals or the state sponsored organizations will look for those weak links. That’s really where we need to focus.

Lounsbury: I would agree with that. In fact, some of the other outcomes of this week’s conference have been the change in these attacks, from just nuisance attacks, to ones that are focused on monetization of cyber crimes and exfiltration of data. So the spectrum of threats is increasing a lot. More sophisticated attackers are looking for narrower and narrower attack vectors each time. So we really do need to look across the spectrum of how this IT technology gets produced in order to address it.

Gardner: Steve Lipner, it certainly seems that the technology supply chain is essential. If there is weakness there, then it’s difficult for the people who deploy those technologies to cover their bases. It seems that focusing on the technology providers, the ecosystems that support them, is a really necessary first step to taking this to a larger, either public or private, buyer side value.

Lipner: The tagline we have used for The Open Group TTF is “Build with Integrity, Buy with Confidence.” We certainly understand that customers want to have confidence in the hardware and software of the IT products that they buy. We believe that it’s up to the suppliers, working together with other members of the IT community, to identify best practices and then articulate them, so that organizations up and down the supply chain will know what they ought to be doing to ensure that customer confidence.

Gardner: Let’s take a step back and get a little bit of a sense of where this process that you are all involved with is. I know you’re all on working groups and in other ways involved in moving this forward, but it’s been about six months now since the OTTF was developed initially, and there was a white paper to explain that. Perhaps one of you will volunteer to give us sort of a state of affairs, where things are. Then, we’d also like to hear an update about what’s been going on here in Austin. Anyone?

Szakal: Well, as the chair, I have the responsibility of keeping track of our milestones, so I’ll take that one. A, we completed the white paper earlier this year, in the first quarter. The white paper was visionary in nature, and it was obviously designed to help our constituents understand the goals of the OTTF. However, in order to actually make this a normative specification and design a program, around which you would have conformance and be able to measure suppliers’ conformity to that specification, we have to develop a specification with normative language.

First draft

We’re finishing that up as we speak and we are going to have a first draft here within the next month. We’re looking to have that entire specification go through company review in the fourth quarter of this year.

Simultaneously, we’ll be working on the accreditation policy and conformance criteria and evidence requirements necessary to actually have an accreditation program, while continuing to liaise with other evaluation schemes that are interested in partnering with us. In a global international environment, that’s very important, because there exists more than one of these regimes that we will have to exist, coexist, and partner with. Over the next year, we’ll have completed the accreditation program and have begun testing of the process, probably having to make some adjustments along the way. We’re looking at sometime within the first half of 2012 for having a completed program to begin ramping up.

Gardner: Is there an update on the public sector’s, or in the U.S., the federal government’s, role in this? Are they active? Are they leading? How would you characterize the public role or where you would like to see that go?

Szakal: The Forum itself continues to liaise with the government and all of our constituents. As you know, we have several government members that are part of the TTF and they are just as important as any of the other members. We continue to provide updates to many of the governments that we are working with globally to ensure they understand the goals of the OTTF and how they can provide value synergistically with what we are doing, as we would to them.

Gardner: I’ll throw this back out to the panel. How about the activities this week at the conference? What has been the progress, or what insights can you point to from that?

Brickman: We’ve been meeting for the first couple of days and we have made tremendous progress on wrapping up our framework and getting it ready for the first review. We’ve also been meeting with several government officials. I can’t say who they are, but what’s been good about it is that they’re very positive on the work that we’re doing, they support what we are doing and want to continue this discussion. It’s very much a partnership, and we do feel like it’s not just an industry-led project, where we have participation from folks who could very much be the consumers of this initiative.

Gardner: Clearly, there are a lot of stakeholders around the world, across both the public and private domains. Dave Lounsbury, what’s possible? What would we gain if this is done correctly? How would we tangibly look to improvements? I know that’s hard with security. It’s hard to point out what doesn’t happen, which is usually the result of proper planning, but how would you characterize the value of doing this all correctly say a year or two from now?

Awareness of security

Lounsbury: One of the trends we’ll see is that people are increasingly going to be making decisions about what technology to produce and who to partner with, based on more awareness of security.

A very clear possible outcome is that there will be a set of simple guidelines and ones that can be implemented by a broad spectrum of vendors, where a consumer can look and say, “These folks have followed good practices. They have baked secure engineering, secure design, and secure supply chain processes into their thing, and therefore I am more comfortable in dealing with them as a partner.”

Of course, what that means is that, not only do you end up with more confidence in your supply chain and the components for getting to that supply chain, but also it takes a little bit of work off your plate. You don’t have to invest as much in evaluating your vendors, because you can use commonly available and widely understood sort of best practices.

From the vendor perspective, it’s helpful because we’re already seeing places where a company, like a financial services company, will go to a vendor and say, “We need to evaluate you. Here’s our checklist.” Of course, the vendor would have to deal with many different checklists in order to close the business, and this will give them some common starting point.

Of course, everybody is going to customize and build on top of what that minimum bar is, depending on what kind of business they’re in. But at least it gives everybody a common starting point, a common reference point, some common vocabulary for how they are going to talk about how they do those assessments and make those purchasing decisions.

Gardner: Steve Lipner, do you think that this is going to find its way into a lot of RFPs, beginning a sales process, looking to have a major checkbox around these issues? Is that sort of how you see this unfolding?

Lipner: If we achieve the sort of success that we are aiming for and anticipating, you’ll see requirements for the OTTF, not only in RFPs, but also potentially in government policy documents around the world, basically aiming to increase the trust of broad collections of products that countries and companies use.

Gardner: Joshua Brickman, I have to imagine that this is a living type of an activity that you never really finish. There’s always something new to be done, a type of threat that’s evolving that needs to be reacted to. Would the TTF over time take on a larger role? Do you see it expanding into a larger set of requirements, even as it adjusts to the contemporary landscape?

Brickman: That’s possible. I think that we are going to try to get something achievable out there in a timeframe that’s useful and see what sticks. One of the things that will happen is that as companies start to go out and test this, as with any other standard, the 1.0 standard will evolve to something that will become more germane, and as Steve said, will hopefully be adopted worldwide.

Agile and useful

It’s absolutely possible. It could grow. I don’t think anybody wants it to become a behemoth. We want it to be agile, useful, and certainly something readable and achievable for companies that are not multinational billion dollar companies, but also companies that are just out there trying to sell their piece of the pie into the space. That’s ultimately the goal of all of us, to make sure that this is a reasonable achievement.

Lounsbury: Dana, I’d like to expand on what Joshua just said. This is another thing that has come out of our meetings this week. We’ve heard a number of times that governments, of course, feel the need to protect their infrastructure and their economies, but also have a realization that because of the rapid evolution of technology and the rapid evolution of security threats that it’s hard for them to keep up. It’s not really the right vehicle.

There really is a strong preference. The U.S. strategy on this is to let industry take the lead. One of the reasons for that is the fact that industry can evolve, in fact must evolve, at the pace of the commercial marketplace. Otherwise, they wouldn’t be in business.

So, we really do want to get that first stake in the ground and get this working, as Joshua said. But there is some expectation that, over time, the industry will drive the evolution of security practices and security policies, like the ones OTTF is developing at the pace of commercial market, so that governments won’t have to do that kind of regulation which may not keep up.

Gardner: Andras, any thoughts from your perspective on this ability to keep up in terms of market forces? How do you see the dynamic nature of this being able to be proactive instead of reactive?

Szakal: One of our goals is to ensure that the viability of the specification itself, the best practices, are updated periodically. We’re talking about potentially yearly. And to include new techniques and the application of potentially new technologies to ensure that providers are implementing the best practices for development engineering, secure engineering, and supply chain integrity. It’s going to be very important for us to continue to evolve these best practices over a period of time and not allow them to fall into a state of static disrepair.

I’m very enthusiastic, because many of the members are very much in agreement that this is something that needs to be happening in order to actually raise the bar on the industry, as we move forward, and help the entire industry adopt the practices and then move forward in our journey to secure our critical infrastructure.

Gardner: Given that this has the potential of being a fairly rapidly evolving standard that may start really appearing in RFPs and be impactful for real world business success, how should enterprises get involved from the buy side? How should suppliers get involved from the sell side, given that this is seemingly a market driven, private enterprise driven activity?

I’ll throw this out to the crowd. What’s the responsibility from the buyers and the sellers to keep this active and to keep themselves up-to-date?

Lounsbury: Let me take the first stab at this. The reason we’ve been able to make the progress we have is that we’ve got the expertise in security from all of these major corporations and government agencies participating in the TTF. The best way to maintain that currency and maintain that drive is for people who have a problem, if you’re on the buy side or expertise from either side, to come in and participate.

Hands-on awareness

You have got the hands-on awareness of the market, and bringing that in and adding that knowledge of what is needed to the specification and helping move its evolution along is absolutely the best thing to do.

That’s our steady state, and of course the way to get started on that is to go and look at the materials. The white paper is out there. I expect we will be doing snapshots of early versions of this that would be available, so people can take a look at those. Or, come to an Open Group Conference and learn about what we are doing.

Gardner: Anyone else have a reaction to that? I’m curious. Given that we are looking to the private sector and market forces to be the drivers of this, will they also be the drivers in terms of enforcement? Is this voluntary? One would hope that market forces reward those who seek accreditation and demonstrate adhesion to the standard, and that those who don’t would suffer. Or is there a potential for more teeth and more enforcement? Again, I’ll throw this out to the panel at large.

Szakal: As vendors, we would like to see minimal regulation and that’s simply the nature of the beast. In order for us to conduct our business and lower the cost of market entry, I think that’s important.

I think it’s important that we provide leadership within the industry to ensure that we’re following the best practices to ensure the integrity of the products that we provide. It’s through that industry leadership that we will avoid potential damaging regulations across different regional environments.

We certainly wouldn’t want to see different regulations pop up in different places globally. It makes for a very messy technology insertion opportunity for us. We’re hoping that by actually getting engaged and providing some self-regulation, we won’t see additional government or international regulation.

Lipner: One of the things that my experience has taught me is that customers are very aware these days of security, product integrity, and the importance of suppliers paying attention to those issues. Having a robust program like the TTF and the certifications that it envisions will give customers confidence, and they will pay attention to that. That will change their behavior in the market even without formal regulations.

Gardner: Joshua Brickman, any thoughts on the self-regulation benefits? If that doesn’t work, is it self-correcting? Is there a natural approach that if this doesn’t work at first, that a couple of highly publicized incidents and corporations that suffer for not regulating themselves properly, would right that ship, so to speak?

Brickman: First of all, industry setting the standard is an idea that has been thrown around a while, and I think that it’s great to see us finally doing it in this area, because we know our stuff the best.

But as far as an incident indicating that it’s not working, I don’t think so. We’re going to try to set up a standard, whereby we’re providing public information about what our products do and what we do as far as best practices. At the end of the day the acquiring agency, or whatever, is going to have to make decisions, and they’re going to make intelligent decisions, based upon looking at folks that choose to go through this and folks that choose not to go through it.

It will continue

The bad news that continues to come out is going to continue to happen. The only thing that they’ll be able to do is to look to the companies that are the experts in this to try to help them with that, and they are going to get some of that with the companies that go through these evaluations. There’s no question about it.

At the end of the day, this accreditation program is going to shake out the products and companies that really do follow best practices for secure engineering and supply chain best practices.

Gardner: What should we expect next? As we heard, there has been a lot of activity here in Austin at the conference. We’ve got that white paper. We’re working towards more mature definitions and approaching certification and accreditation types of activities. What’s next? What milestone should we look to? Andras, this is for you.

Szakal: Around November, we’re going to be going through company review of the specification and we’ll be publishing that in the fourth quarter.

We’ll also be liaising with our government and international partners during that time and we’ll also be looking forward to several upcoming conferences within The Open Group where we conduct those activities. We’re going to solicit some of our partners to be speaking during those events on our behalf.

As we move into 2012, we’ll be working on the accreditation program, specifically the conformance criteria and the accreditation policy, and liaising again with some of our international partners on this particular issue. Hopefully we will, if all things go well and according to plan, come out of 2012 with a viable program.

Gardner: Dave Lounsbury, any further thoughts about next steps, what people should be looking for, or even where they should go for more information?

Lounsbury: Andras has covered it well. Of course, you can always learn more by going to www.opengroup.org and looking on our website for information about the OTTF. You can find drafts of all the documents that have been made public so far, and there will be our white paper and, of course, more information about how to become involved.

Gardner: Very good. We’ve been getting an update about The Open Group Trusted Technology Forum, OTTF, and seeing how this can have a major impact from a private sector perspective and perhaps head off issues about lack of trust and lack of clarity in a complex evolving technology ecosystem environment.

I’d like to thank our guests. We’ve been joined by Dave Lounsbury, Chief Technical Officer at The Open Group. Thank you, sir.

Lounsbury: Thank you, Dana.

Gardner: Steve Lipner, the Senior Director of Security Engineering Strategy in the Trustworthy Computing Security Group at Microsoft. Thank you, Steve.

Lipner: Thanks, Dana.

Gardner: Joshua Brickman, who is the Director of the Federal Certification Program Office in CA Technologies, has also joined us. Thank you.

Brickman: I enjoyed it very much.

Gardner: And Andras Szakal, Vice President and CTO of IBM’s Federal Software Group. Thank you, sir.

Szakal: It’s my pleasure. Thank you very much, Dana.

Gardner: This discussion has come to you as a sponsored podcast in conjunction with The Open Group Conference in Austin, Texas. We are here the week of July 18, 2011. I want to thank our listeners as well. This is Dana Gardner, Principal Analyst at Interarbor Solutions. Don’t forget to come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com.

Copyright The Open Group 2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirect™ blogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.


Government Outreach for Global Supply Chain Integrity (OTTF)

By Sally Long, The Open Group

On May 10th in London, a select group of technology, government and Cybersecurity leaders and supply chain strategists met for a lunchtime briefing and discussion during The Open Group Conference. The message that came across loud and clear by all who participated was that fostering honest and open dialogue between government and industry is critical to securing the global supply chain; and that the only way we will do this effectively is by working together to assure coordination and adoption among current and emerging approaches.

This industry/government roundtable event was the fourth in a series of planned events for government outreach. In December and January, members of The Open Group Trusted Technology Forum (OTTF) met with Howard Schmidt, US Cybersecurity Coordinator for the Obama Administration, and with US House and Senate Committees and the Department of Commerce. In March, there were some inroads made into the Japanese government, and in April we held a session with government officials in India. Coming up are more briefings and discussions planned for Europe, Canada, China and Brazil.

The event in London brought together representatives from Atsec, Boeing, CA Technologies, Capgemini, CESG, Chatham House, Cisco, Fraunhofer SIT, Fujitsu, Hewlett-Packard, IBM, IDA, Kingdee Software, Microsoft, MITRE, NASA, Oracle, Real IRM, SAIC, SAP, and the UK Government. These, along with thought leaders from Chatham House, discussed global supply-chain challenges and a potential solution through The Open Group Trusted Technology Provider Framework (O-TTPF). Other existing approaches were highlighted by CESG as effective in some areas, though those areas were not directly focused on supply-chain best practices.

The beauty of the O-TTPF, a set of best practices for engineering and secure development methods and supply chain integrity, is that the Framework and guidelines are being developed by industry — architects, developers, manufacturers and supply chain experts, with input from government(s) — for industry. The fact that these best practices will be open, international, publicly available and translated where appropriate, will allow all providers to understand what they need to do to “Build with Integrity” – so that customers can “Buy with Confidence”.

This is critically important because, as we all know, a chain is only as strong as its weakest link. Even though a large system vendor may follow the O-TTPF best practices, those vendors often rely on sub-component suppliers of software and hardware from around the world, and in order to maintain the integrity of their supply chain, their sub-suppliers need to understand what it means to be trustworthy as well.

One of the OTTF’s objectives is to develop an accreditation program, which will help customers, in government and industry, identify secure technology providers and products in the global supply chain. Governments and large enterprises that base their purchasing decisions on trusted technology providers who have developed their products using the best practices identified by the O-TTPF will be able to rely on a more comprehensive approach to risk management and product assurance when selecting COTS technology products.

One of the major messages at the Roundtable event was that the OTTF is not just about major industry providers. It’s about opening the doors to all providers and all customers, and it’s about reaching out to all governments to assure the O-TTPF best practice requirements are aligned with their acquisition requirements — so that there is true global recognition and demand for Trusted Technology Providers who conform to the O-TTPF Best Practices.

The OTTF members believe it is critical to reach out to governments around the world, to foster industry-government dialogue about government acquisition requirements for trusted technology and trusted technology providers, so they can enable the global recognition required for a truly secure global supply chain. Any government or government agency representative interested in working together to provide a trusted global supply chain can contact the OTTF global outreach and acquisition team through ottf-interest@opengroup.org.

The Forum operates under The Open Group, an international vendor- and technology-neutral consortium well known for providing an open and collaborative environment for such work. We are seeking additional participants from global government and commercial entities. If you are interested in learning more about the Forum please feel free to contact me, Sally Long, OTTF Forum Director, at s.long@opengroup.org.

Sally Long, Director of Consortia Services at The Open Group, has been managing customer-vendor forums and collaborative development projects for the past nineteen years. She was the Release Engineering Section Manager for all collaborative, multi-vendor, development projects (OSF/1, DME, DCE, and Motif) at The Open Software Foundation (OSF), in Cambridge Massachusetts. Following the merger of OSF and X/Open under The Open Group, Sally served as the Program Director for multiple Forums within The Open Group including: The Distributed Computing Environment (DCE) Forum, The Enterprise Management Forum, The Quality of Service (QoS) Task Force, The Real-time and Embedded Systems Forum and most recently the Open Group Trusted Technology Forum. Sally has also been instrumental in business development and program definition for certification programs developed and operated by The Open Group for the North American State and Provincial Lotteries Association (NASPL) and for the Near Field Communication (NFC) Forum. Sally has a Bachelor of Science degree in Electrical Engineering from Northeastern University in Boston, Massachusetts, and a Bachelor of Science degree in Occupational Therapy from The Ohio State University.


A First Step in Securing the Global Technology Supply Chain: Introducing The Open Group Trusted Technology Provider Framework Whitepaper

By Andras Szakal, IBM

Nearly two months ago, we announced the formation of The Open Group Trusted Technology Forum (OTTF), a global standards initiative among technology companies, customers, government and supplier organizations to create and promote guidelines for manufacturing, sourcing, and integrating trusted, secure technologies. The OTTF’s purpose is to shape global procurement strategies and best practices to help reduce threats and vulnerabilities in the global supply chain. I’m proud to say that we have just completed our first deliverable towards achieving our goal: The Open Trusted Technology Provider Framework (O-TTPF) whitepaper.

The framework outlines industry best practices that contribute to the secure and trusted development, manufacture, delivery and ongoing operation of commercial software and hardware products. Even though the OTTF has only recently been announced to the public, the framework and the work that led to this whitepaper have been in development for more than a year: first as a project of the Acquisition Cybersecurity Initiative, a collaborative effort facilitated by The Open Group between government and industry verticals under the sponsorship of the U.S. Department of Defense (OUSD (AT&L)/DDR&E). The framework is intended to benefit technology buyers and providers across all industries and across the globe concerned with secure development practices and supply chain management.

More than 15 member organizations joined efforts to form the OTTF as a proactive response to the changing cybersecurity threat landscape, which has forced governments and larger enterprises to take a more comprehensive view of risk management and product assurance. Current members of the OTTF include Atsec, Boeing, Carnegie Mellon SEI, CA Technologies, Cisco Systems, EMC, Hewlett-Packard, IBM, IDA, Kingdee, Microsoft, MITRE, NASA, Oracle, and the U.S. Department of Defense (OUSD(AT&L)/DDR&E), with the Forum operating under the stewardship and guidance of The Open Group.

Over the past year, OTTF member organizations have been hard at work collaborating, sharing and identifying secure engineering and supply chain integrity best practices that currently exist. These best practices have been compiled from a number of sources throughout the industry including cues taken from industry associations, coalitions, traditional standards bodies and through existing vendor practices. OTTF member representatives have also shared best practices from within their own organizations.

From there, the OTTF created a common set of best practices distilled into categories and eventually categorized into the O-TTPF whitepaper. All this was done with a goal of ensuring that the practices are practical, outcome-based, aren’t unnecessarily prescriptive and don’t favor any particular vendor.

The Framework

The diagram below (figure: Trusted Technology Provider Categories) outlines the structure of the framework, divided into categories that show the hierarchy by which the OTTF arrived at the best practices it created.

Best practices were grouped by category because the types of technology development, manufacturing or integration activities conducted by a supplier are usually tailored to suit the type of product being produced, whether it is hardware, firmware, or software-based. Categories may also be aligned by manufacturing or development phase so that, for example, a supplier can implement a Secure Engineering/Development Method if necessary.

Provider categories outlined in the framework include:

  • Product Engineering/Development Method
  • Secure Engineering/Development Method
  • Supply Chain Integrity Method
  • Product Evaluation Method

Establishing Conformance and Determining Accreditation

In order for the best practices set forth in the O-TTPF to have a long-lasting effect on securing product development and the supply chain, the OTTF will define an accreditation process. Without an accreditation process, there can be no assurance that a practitioner has implemented practices according to the approved framework.

After the framework is formally adopted as a specification, The Open Group will establish conformance criteria and design an accreditation program for the O-TTPF. The Open Group currently manages multiple industry certification and accreditation programs, operating some independently and some in conjunction with third party validation labs. The Open Group is uniquely positioned to provide the foundation for creating standards and accreditation programs. Since trusted technology providers could be either software or hardware vendors, conformance will be applicable to each technology supplier based on the appropriate product architecture.

At this point, the OTTF envisions a multi-tiered accreditation scheme, which would allow for many levels of accreditation including enterprise-wide accreditations or a specific division. An accreditation program of this nature could provide alternative routes to claim conformity to the O-TTPF.

Over the long-term, the OTTF is expected to evolve the framework to make sure its industry best practices continue to ensure the integrity of the global supply chain. Since the O-TTPF is a framework, the authors fully expect that it will evolve to help augment existing manufacturing processes rather than replace existing organizational practices or policies.

There is much left to do, but we’re already well on the way to ensuring the technology supply chain stays safe and secure. If you’re interested in shaping the Trusted Technology Provider Framework best practices and accreditation program, please join us in the OTTF.

Download the O-TTPF, or read the O-TTPF in full here.

Andras Szakal is an IBM Distinguished Engineer and Director of IBM’s Federal Software Architecture team. Andras is an Open Group Distinguished Certified IT Architect, IBM Certified SOA Solution Designer and a Certified Secure Software Lifecycle Professional (CSSLP). His responsibilities include developing e-Government software architectures using IBM middleware and leading the IBM U.S. Federal Software IT Architect Team. His team is responsible for designing solutions to enable smarter government by applying innovative approaches to secure service based computing and mission critical systems. He holds undergraduate degrees in Biology and Computer Science and a Masters Degree in Computer Science from James Madison University. Andras has been a driving force behind IBM’s adoption of federal government IT standards as a member of the IBM Software Group Government Standards Strategy Team and the IBM Corporate Security Executive Board focused on secure development and cybersecurity. Andras represents the IBM Software Group on the Board of Directors of The Open Group and currently holds the Chair of the IT Architect Profession Certification Standard (ITAC). More recently he was appointed chair of The Open Trusted Technology Forum.


The Trusted Technology Forum: Best practices for securing the global technology supply chain

By Mary Ann Davidson, Oracle

Hello, I am Mary Ann Davidson. I am the Chief Security Officer for Oracle and I want to talk about The Open Group Trusted Technology Provider Framework (O-TTPF). What, you may ask, is that? The Trusted Technology Forum (OTTF) is an effort within The Open Group to develop a body of practices related to software and hardware manufacturing — the O-TTPF — that will address procurers’ supply chain risk management concerns.

That’s a mouthful, isn’t it? Putting it in layman’s terms, if you are an entity purchasing hardware and software for mission-critical systems, you want to know that your supplier has reasonable practices as to how they build and maintain their products that address specific (and I would argue narrow, more on which below) supply chain risks. The supplier ought to be doing “reasonable and prudent” practices to mitigate those risks and to be able to tell their buyers, “here is what I did.” Better industry practices related to supply chain risks with more transparency to buyers are both, in general, good things.

Real-world solutions

One of the things I particularly appreciate is that the O-TTPF is being developed by, among others, actual builders of software and hardware. So many of the “supply chain risk frameworks” I’ve seen to date appear to have been developed by people who have no actual software development and/or hardware manufacturing expertise. I think we all know that even well-intended and smart people without direct subject matter experience who want to “solve a problem” will often not solve the right problem, or will mandate remedies that may be ineffective, expensive and lack the always-needed dose of “real world pragmatism.” In my opinion, an ounce of “pragmatic and implementable” beats a pound of “in a perfect world with perfect information and unlimited resources” any day of the week.

I know this from my own program management office in software assurance. When my team develops good ideas to improve software, we always vet them by our security leads in development, to try to achieve consensus and buy-in in some key areas:

  • Are our ideas good?
  • Can they be implemented? Specifically, is our proposal the best way to solve the stated problem?
  • Given the differences in development organizations and differences in technology, is there a body of good practices that development can draw from rather than require a single practice for everyone?

That last point is a key one. There is almost never a single “best practice” that everybody on the planet should adhere to, in almost any area of life. The reality is that there are often a number of ways to get to a positive outcome, and the nature of business – particularly, the competitiveness and innovation that enables business – depends on flexibility. The OTTF is outcomes-focused and “body of practice” oriented, because there is no single best way to build hardware and software and there is no single, monolithic supply chain risk management practice that will work for everybody or is appropriate for everybody.

It’s perhaps a stretch, but consider baking a pie. There is – last time I checked – no International Organization for Standardization (ISO) standard for how to bake a cherry pie (and God forbid there ever is one). Some people cream butter and sugar together before adding flour. Other people dump everything in a food processor. (I buy pre-made piecrusts and skip this step.) Some people add a little liqueur to the cherries for a kick, other people just open a can of cherries and dump it in the piecrust. There are no standards organization smackdowns over two-crust vs. one-crust pies, and whether to use a crumble on the top or a pastry crust to constitute a “standards-compliant cherry pie.” Pie consumers want to know that the baker used reasonable ingredients – piecrust and cherries – that none of the ingredients were bad and that the baker didn’t allow any errant flies to wander into the dough or the filling. But the buyer should not be specifying exactly how the baker makes the pie or exactly how they keep flies out of the pie (or they can bake it themselves). The only thing that prescribing a single “best” way to bake a cherry pie will lead to is a chronic shortage of really good cherry pies and a glut of tasteless and mediocre ones.

Building on standards

Another positive aspect of the O-TTPF is that it is intended to build upon and incorporate existing standards – such as the international Common Criteria – rather than replace them. Incorporating and referring to existing standards is important because supply chain risk is not the same thing as software assurance — though they are related. For example, many companies evaluate one or more products, but not all products they produce. Therefore, even to the extent their CC evaluations incorporate a validation of the “security of the software development environment,” it is related to a product, and not necessarily to the overall corporate development environment. More importantly, one of the best things about the Common Criteria is that it is an existing ISO standard (ISO/IEC 15408:2005) and, thanks to the Common Criteria recognition arrangement (CCRA), a vendor can do a single evaluation accepted in many countries. Having to reevaluate the same product in multiple locations – or having to do a “supply chain certification” that covers the same sorts of areas that the CC covers – would be wasteful and expensive. The O-TTPF builds on but does not replace existing standards.

Another positive: The focus I see on “solving the right problems.” Too many supply chain risk discussions fail to define “supply chain risk” and in particular define every possible concern with a product as a supply chain risk. (If I buy a car that turns out to be a lemon, is it a supply chain risk problem? Or just a “lemon?”) For example, consider a system integrator who took a bunch of components and glued them together without delivering the resultant system in a locked down configuration. The weak configuration is not, per se, a supply chain risk; though arguably it is poor security practice and I’d also say it’s a weak software assurance practice. With regard to OTTF, we defined “supply chain attack” as (paraphrased) an attempt to deliberately subvert the manufacturing process rather than exploiting defects that happened to be in the product. Every product has defects, some are security defects, and some of those are caused by coding errors. That’s a lot different – and profoundly different — from someone putting a back door in code. The former is a software assurance problem and the second is a supply chain attack.

Why does this matter? Because supply chain risk – real supply chain risk, not every single concern either a vendor or a customer could have about manufacturing a product – needs focus to be able to address the concern. As has been said about priorities, if everything is priority number one, then nothing is. In particular, if everything is “a supply chain risk,” then we can’t focus our efforts and home in on a reasonable, achievable, practical and implementable set – “set” meaning “multiple avenues that lead to positive outcomes” – of practices that can lead to better supply chain practices for all, and a higher degree of confidence among purchasers.

Considering the nature of the challenges that OTTF is trying to address, and the nature of the challenges our industry faces, I am pleased that Oracle is participating in the OTTF. I look forward to working with peers – and consumers of technology – to help improve everyone’s supply chain risk management practices and the confidence of consumers of our technologies.

Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle product security, as well as security evaluations, assessments and incident handling. She has been named one of Information Security’s top five “Women of Vision,” is a Fed100 award recipient from Federal Computer Week and was recently named to the Information Systems Security Association Hall of Fame. She has testified on the issue of cybersecurity multiple times to the US Congress. Ms. Davidson has a B.S.M.E. from the University of Virginia and an M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps. She is active in The Open Group Trusted Technology Forum and writes a blog at Oracle.


Filed under Cybersecurity, Supply chain risk