EP 55 — BlackBerry’s Christine Gadsby on What’s Driving Software Supplier Transparency and Accountability

In this episode of the Future of Application Security, Harshil speaks with Christine Gadsby, VP, Product Security at BlackBerry, a software company specializing in cybersecurity. They discuss the new initiatives driving software transparency, like SBOMs and VEX, and how adoption will not only come from regulations but from companies holding their software suppliers more accountable. They also talk about the need for better telemetry practices and more connected tooling and how security professionals can get involved in industry change and mentorship.

Topics discussed:

• The important role frameworks like NIST 800-218 and CISA’s Secure By Design will play in establishing standards.
• The ways in which SBOMs and VEX are driving software transparency that will keep customers safer.
• How commercial industries will increase their software supplier accountability in response to the rising cost of insecurity.
• How many companies lack knowledge about what’s in the software they sell and the importance of having good telemetry practices.
• Why lack of good tools and the ability to connect tools is a challenge to product security today.
• Advice to security professionals about not letting things like SBOM and VEX get away from you as you prepare for the future of software development.
• How product security professionals can get involved with industry efforts to drive change.

Guest Quotes: 

“Here’s what we need to remember with things like SBOM and VEX. The important things they are trying to achieve is transparency. It isn’t necessarily about all the other things I think that everybody’s trying to make it out to be. It is driving transparency and the future of where we will be, will be, ‘I’m going to know what’s in the things that I procure and everybody’s going to know what’s in the things that I sell.’ That’s what it’s trying to do, because that transparency brings attention to a lot of things, how we secure it, what’s leaving the building as far as what’s going public.” 

“The reality is that we have more regulation in the frying pan that you’re using to cook your chicken dinner than we do in software running critical industries and critical infrastructure.” 

“If I’m paying 3x my cyber insurance this year than I was last year because this data breach happened and this data breach happened — then it’s going to become cost-effective to hold your software suppliers accountable.”

“They’re lacking telemetry. They sell a bunch of software, but they don’t know what’s in it. … Make sure that you have a really accurate list of stuff that’s in all of your widgets.” 

“Be ready for that transparency piece. No matter how you feel or where you are in your stages of grief around transparency, it’s coming.”

Listen to more episodes: 

Listen on Apple 

Listen on Spotify