“Some of the common weaknesses are not at the code level. Over 2/3 are at the code level, but the others are at the architecture and design level.” — Joe Jarzombek
Joe Jarzombek is Director for Software and Supply Chain Assurance within the Department of Homeland Security’s office of Cybersecurity and Communications. Joe and I sat down for a chat during a recent conference in McLean, Virginia. His premise is that hardware assurance is just as important as software assurance. It was a new concept for me, and an interesting perspective.
“It’s absolutely worth the overhead [of security automation tools] because of the 100s of thousands of lines of code being produced. You can’t do it scalably, in a secure fashion, unless you’ve got tools.” — Joe Jarzombek
Listen to the Full Interview: Joe Jarzombek – Security is not just about Software
Highlights from our Talk
00:30 Security automation programs
02:25 Tools for automation
04:30 Hardware counterfeits
07:52 Composability and common weakness patterns
09:12 The viability of “moving left” and empowering developers
10:42 Code analysis within government software
“It’s too painful for people to go back. That’s when security is viewed as an obstruction because they catch it late in the cycle when it’s going to be far too expensive and time consuming to fix that.” — Joe Jarzombek
About Joe Jarzombek
Joe Jarzombek is the Director for Software Assurance within the National Cyber Security Division of the Department of Homeland Security. In this role he leads government interagency efforts with industry, academia, and standards organizations in addressing security needs in work force education and training, more comprehensive diagnostic capabilities, and security-enhanced development and acquisition practices.
Joe served in the U.S. Air Force as a Lieutenant Colonel in program management. After retiring from the Air Force, he worked in the cyber security industry as vice president for product and process engineering. Joe also served in two software-related positions within the Office of the Secretary of Defense prior to accepting his current DHS position.
He is a Project Management Professional (PMP) and a Certified Secure Software Lifecycle Professional (CSSLP). As an active member of Toastmasters International, Joe Jarzombek has served as International Director, and he is currently serving as Region Advisor Marketing.
“You have to know what the tools are capable of doing. You don’t need one tool, you need a tool kit.” — Joe Jarzombek