Summary
In this episode, CRob sits down with Sarah Evans, security research technologist at Dell and Lisa Bradley, senior director of product and application security at Dell. They dig into the challenges of implementing secure open software at a complex enterprise.
Sarah sits on the OpenSSF Technical Advisory Council and at Dell’s she has been instrumental in cybersecurity innovation, conducting research within the global CTO R&D organization. Her career spans pivotal roles, including being an enterprise security architect and engaging in Identity and Access Management and IT at prestigious organizations like Wells Fargo and the U.S. Air Force.
Dr. Lisa Bradley is a distinguished cybersecurity expert and visionary leader. She has earned her reputation as a trailblazer in the field of security and vulnerability management. In her current role, she oversees Dell’s Product Security Incident Response Team (PSIRT), Bug Bounty Program, SBOM initiative, Dependency Management, and Security Champion and Training Programs.
Conversation Highlights
- 02:38 How Dell is managing its ingestion and productization of open source software
- 04:54 The complex task of managing open source software for a company the size of Dell
- 06:34 The importance of executive support when implementing security initiatives
- 10:40 Lisa and Sarah answer CRob’s rapid-fire questions
- 12:40 Lisa and Sarah’s advice to aspiring developers and security professionals
- 14:12 Lisa and Sarah’s call to action
Transcript
Sarah Evans soundbite (00:02)
That’s a game-changer when you can go into some of these technical engineering and security conversations and say well, it’s on Dell dot com, and we have a commitment to do this by a certain date and that partnership and that collaborative spirit really increases with that common goal.
CRob (00:20)
I’m CRob and I do security stuff on the internet. And I’m also a community leader within the OpenSSF. And one of the cool things I get to do with the OpenSSF is host What’s in the SOSS? And it’s a podcast where we talk about people within the open source ecosystem. And with us this week, I have two wonderful people that I’m so very pleased to call my friends. They both work at Dell. And so I want to introduce you all to Lisa Bradley and Sarah Evans. Ladies, welcome.
Lisa Bradley (00:49)
Thanks for having us.
CRob (00:50)
Maybe each of you just take a brief couple seconds to introduce like who you are and what you do.
Lisa Bradley (00:55)
Sure, I’ll take a stab first. Lisa Bradley, I’m in the product and application security team. I’m a senior director for Dell Technologies. My focus is vulnerability response or otherwise known as PSIRT in the industry. And I have the Bug Bounding program underneath me and some part of the Security Champion and our Dependency Management platform where we get to protect against open source and making sure that our customers are protected against the open source that we use in our product. And I also have a big part and role in the SBOM initiative for Dell.
Sarah Evans (01:28)
I’m Sarah Evans. I am a security innovation researcher at Dell Technologies. I work in our global CTO research and development team. And I’ve had the opportunity in that role to get involved with OpenSSF, which is a foundation that is helping secure the open source software supply chain. Some of my efforts there are around the technical advisory council. And as a governing board observer and governance committee member, I also participate in the AI/ML working group. So this is a great topic because it brings something I’m passionate about, which is open source software security together with industry leadership that we’re doing within our company to improve our product security vulnerability response by improving our ingestion of open source software. So that’s really exciting.
CRob (02:20)
Dell is a very large OEM supplier of hardware and software solutions and you all use open source within your portfolio. Could maybe you talk a little bit about Dell’s open source journey and kind of maybe give us some insight into how you’re managing your ingestion and productization of open source software.
Sarah Evans (02:38)
I’ve been at Dell for four years. And when I joined the company and I got involved in OpenSSF and understanding our open source software supply chain, one of the things that really became obvious, especially through my work in partnership with Lisa and the security team, has been to kind of know your why, why are we doing this? And so our journey to secure our consumption of open source is really around protecting Dell customers and ensuring that they have a fortified supply chain. One of the quotes that I like is from Thomas Reed, where he says, the chain is only as strong as its weakest link, for if that fails, the chain fails. And so this is kind of the start of our journey and open source is doing the backwards math to understand how we need to secure our ingestion of open source software.
Lisa Bradley (03:26)
And that’s where I come in on the other side, is that when we’ve already released products that have open source in it, my job is to make sure that we are aware of the vulnerabilities in the open source that we’re using, that we inform those product teams and that those product teams go and get that update from that open source and repackage whatever their product is with it and ship that security update out to our customers to deploy those fixes for the open source vulnerabilities.
Sarah Evans (03:55)
And just to add to what Lisa said, why this is so important for our company and our customers is that open source software has an outsized impact on our upstream link in our vulnerability. Open source has an outsized impact on the upstream link to vulnerability response because it’s everywhere. And Sonatype has done a really great research report where they showed that 98% approximately of all code bases contain open source software and it’s vulnerable. 92% contain outdated or vulnerable code. And so if we are able to improve our processes around open source software ingestion and then the associated incident response it really has a big impact on the process as a whole.
CRob (04:34)
Dell is not a small provider. So this seems like this would be a really big task of trying to understand the scope of everything you’re using within open source and then like the vulnerability management piece. Could maybe the two of you shed a little insight into maybe some of the steps or how you started to implement some type of management of all this software?
Lisa Bradley (04:54)
A lot of it that we started with was SCA type of tools, doing scanning to make sure that we even knew about the inventory that existed because there were products written before the thought of having to do security or even the thought of having to know what your inventory is. So we spend a lot of time building up, making sure that we had the right tooling for our teams to understand that inventory.
Then we started focusing on shifting it left. So while we’re actually building to making sure that we’re scanning and knowing about our inventory throughout the whole process, not just after the fact when that product was available and that release was available. This has allowed us to have a strong inventory, not only of our open source, but our vendor components that we utilize and our internal components that we utilize.
So we’ve been focusing very heavily on making sure that our product teams have an inventory. It’s part of our SDL process. It’s one of the controls that they need to have an inventory. And then what we’ve been focusing on recently is making sure that we integrate that inventory into what I call DMP, which is our dependency management platform. And basically, we ingest the inventory. We could produce a customer-facing SBOM so that we have consistency of the SBOMs that we’re giving our customers and that we could understand the different parts of that inventory, especially in the open source side, so that we could be aware about the vulnerabilities.
It has been a long journey. Tooling support has been key. Making sure that our product teams understand the importance of knowing what they put in their software and keeping up their software. It’s been quite a journey. We’re still on it, especially with some of the new things with SBOM and the new fun twists coming out with some of the regulatory asks. But I feel quite positive of where we’re at and where we’re continuing to go.
Sarah Evans (06:34)
And everything that Lisa just described is a huge effort on behalf of the company. And one of the things that we have found to be very helpful is the strong executive and operational support that security teams receive when they are on this technical journey to help work with engineers to accomplish and achieve all of these goals. The tone from the top has been really important and the executive support that we’ve had here at Dell has really been a very helpful driving force in accomplishing some of these challenging technical security goals in partnership with engineering.
One of the things right now on Dell dot com are our ESG goals, our environmental, social and governance goals that talk about how we are building trust with our customers. And so there is a section that talks about some of those key drivers. One of those is the software bill of materials associated with some of that regulation that Lisa was just talking about. Now by 2025, 100% of all actively sold Dell designed and branded products and offerings will publish a software bill of materials, providing transparency on third party and open source components.
So that’s a game-changer when you can go into some of these technical, engineering and security conversations and say, well, it’s on Dell dot com and we have a commitment to do this by a certain date. And that partnership and that collaborative spirit really increases with that common goal.
CRob (07:58)
Very impressive to hear. Putting another hat on for the moment as security practitioner, I know it’s always a challenge as a internal security person to try to get that executive buy-in and that backing. Can you maybe share a little insight into how you all were able to get that? It sounds like it’s coming right from the very top of your organization. So that sounds amazing.
Lisa Bradley (08:20)
Our CISO is a big strong supporter of pushing the goals. And so a few of us worked together and provided him the suggested goals for the ESG. He took them further up to get them published. I think also one of the things that’s been helping us is we put together a PSoC and within the PSoC, we’re really focused on the security practices and the product portfolio. It has executive leadershi extremely high up. And so bringing forward topics like the executive order and, you know, the EU CRA and other things like that. And what do we see from the industry? What do we see from our customers and what are the right security practices we should be doing?
And so the open source, the inventory, all of that have been brought into that. And then what we’ve done as a security team is we work through that and we worked with the different governance, security governance teams within the different, I’m gonna call them brands just to make it easier or business units, within the company to partner on joint goals together. It’s not that we’re working across just the security team into the team, but then there’s people that are right in the business that are pushing those goals also.
Sarah Evans (09:28)
Yes, and the Product Security Operations Committee gives senior leaders who are responsible for different parts of the company an opportunity to align on, yes, this is a hard problem. They align on timelines. They talk about, you know, this is the right thing to be doing. And then through that alignment, then they are able to go and execute with leadership to their teams. So it’s happening in the engineering teams, in the IT teams, and of course in our security teams. At a company the size of Dell, having that executive leadership alignment is also a really big driving force behind the success.
Lisa Bradley (10:06)
And there’s another layer and then there’s like layers underneath of like who’s gonna drive the different work streams to make it happen and then layers underneath of the people actually doing the work. It all sort of comes together. It is making our job on the security team significantly easier when we can say things like there’s an ESG goal, there’s a regulatory ask and there is a PSoC-approved goal that came up from above. In the past we were always struggling to get that attention in the security space. And now a lot of these things that we put in place are helping get that attention and drive that awareness. And we’re hearing significantly less no’s than we ever used to.
CRob (10:40)
It’s really amazing to hear about the progress that you’ve made with your security programs and just how you’ve embraced a lot of kind of open source ideals and your integration with open source within your organization. So let’s move on to the rapid-fire section of the talk here. First question to both of you: spicy or mild food?
Lisa Bradley (11:01)
Spicy, I’m from Buffalo.
Sarah Evans (11:04)
Mild. (Laughter)
CRob (11:06)
Next question. Open or closed source?
Lisa Bradley (11:09)
Open.
Sarah Evans (11:10)
open.
CRob (11:11)
Yeah, alright, right answer. Next question. This was predominantly focused at Lisa. Trigonometry or calculus?
Lisa Bradley (11:18)
Calculus. That was easy! I didn’t have to blink! (Laughter)
CRob (11:22)
Alright, next question to both of you, bourbon or Scotch?
Lisa Bradley (11:26)
Tequila. (Laughter)
Sarah Evans (11:27)
Bourbon.
CRob (11:28)
Fair, fair. And then because I know that Lisa was a developer back in her way past: tabs or spaces?
Lisa Bradley (11:34)
That’s a hard one. Tabs!.
CRob (11:37)
And, Sarah, did you ever get the opportunity to do development in your past?
Sarah Evans (11:40)
No, I haven’t.
CRob (11:42)
You’re exempt from the tabs versus spaces debate.
Sarah Evans (11:46)
Actually, because I didn’t do development in my past, I had some real imposter syndrome about getting involved in open source software and the security of it. But I leaned in and I have been able to overcome that. So especially with support from colleagues such as yourself, CRob.
CRob (12:04)
And that’s what I honestly love about the open source ecosystem is that allows people to contribute their best selves. How are they best see fit? Some people rate code. Some people help provide that translation from like regulatory speak or InfoSec speak to the development community. So yeah, I appreciate these different perspectives. So as we wind down here, a couple of questions for you. What advice might you two ladies be able to share with people that are new to the ecosystem? Someone that wants to get into open source development or cyber security.
Lisa Bradley (12:40)
One of the things that Sarah just sort of pointed out is that you don’t have to always be a technical person. There’s always passion and drive and there’s a lot of information out there that you could look at to learn. So don’t be afraid to learn and jump in. We all need all the help that we could get right now, I think. Making sure that we continue to fight the good fight is important. So don’t be afraid to jump in.
Sarah Evans (13:04)
And on the flip side of that, I had a dollar for every time that I worked with a software developer who prefaced any conversation with me by saying, well, I’m not a security person, I would probably be on an island in Fiji right now. Security is one of these topics that you have been exposed to without even realizing it. And so you can definitely always build from what you know and launch into how what you know ties into security. I did a recent talk at Open Source Summit with my colleague Jay White, and we posited that being in security is sometimes like a driver’s license. There’s people of all occupations and careers and lifestyles sitting behind the wheel on the highway when we’re sitting in rush hour traffic. But we all have these common driver’s license and rules of the road that we follow. And so understanding security principles is something that everyone and anyone can learn and that software developers, including open source software developers are in a perfect position to bring into their knowledge suite.
CRob (14:06)
And then finally, either of you have a call to action you want to share with our audience to help inspire them?
Lisa Bradley (14:12)
One of the things that is top of mind is AI and how do you utilize AI now to be better at the job that you do in security and be safer and the better protect your customers. And the other thing that comes to mind is you should always be thinking of your customers. They are always the most important things to protect. And so have that viewpoint when you’re coding, when you’re developing, how long you’re taking the fixed vulnerabilities knowing about vulnerabilities, knowing about what you’re consuming in the first place, trusting what you consume — all of that sort of all comes into play. And just think about the customer viewpoint when you’re doing all that job.
Sarah Evans (14:49)
And I would encourage and call any open source developer, every open source developer, that as you’re innovating with an emerging technology, to think about the lessons learned from the prior decades and bring those forward with you into the place where there’s a lot of unknowns. So as Lisa pointed out, AI is a space in which we’re really leaning in around the innovation. But those software development and security lessons and system security lessons that we’ve learned the past decade still very much apply going forward. Even though we still have a lot of unknowns that we haven’t figured out, I call to action all open source software innovation developers to continue leveraging security fundamentals. And if there is an opportunity to innovate to incorporate those more easily and smoothly, lets figure out how to do that.
CRob (15:42)
Ladies, I really appreciate you both showing up today on What’s in the SOSS? And I think keep up the amazing work of your program at Dell and please keep being amazing contributors to our open source ecosystem. And that’s a wrap. Thanks folks.
Announcer (15:57)
Thank you for listening to What’s in the SOSS? An OpenSSF podcast. Be sure to subscribe to our series of conversations on Spotify, Apple, Amazon or wherever you get your podcasts. And to keep up to date on the Open Source Security Foundation community, join us online at OpenSSF dot org slash get involved. We’ll talk to you next time on What’s in the SOSS?