Tech Debt Burndown Podcast Series 2 E4: Gene Spafford

Posted on Monday, Oct 2, 2023
Nick and Chris talk to Gene Spafford.

Show Notes

Recording date: Apr 17, 2023

Download at Apple Podcasts, Google Podcasts, Spotify, iHeartRadio, Spreaker or wherever you get your podcasts.

“They’re statistical models based on language corpuses and the output of these things can be shown in some cases to be stunningly incorrect.” - Gene Spafford

Gene opens with a comment about the “tendency of the industry to jump on hot trends”, and that sets the scene for much of the discussion, which goes on to touch blockchain, and of course ‘AI’.

We touch upon topics where Gene and his co-authors go into more detail in Cybersecurity Myths and Misconceptions, such as where liability should be placed to better incentivise the creation of software that's safe, secure and reliable, though Gene acknowledges that we don't (yet) even have good metrics for those terms. That leads into some discussion on whether organisations like the Open Source Security Foundation (OpenSSF) can fill some of the gaps.

Before closing we get to some discussion of the European Union Cyber Resilience Act (CRA) and some of the consequences it might have for open source software.


Gene Spafford


Eugene H. Spafford is a professor of Computer Sciences at Purdue University. He is also the founder and Executive Director Emeritus of the Center for Education and Research in Information Assurance and Security. He has been working in computing as a student, researcher, consultant, and professor for 45 years. Some of his work is at the foundation of current security practice, including intrusion detection, incident response, firewalls, integrity management, and forensic investigation. His most recent work has been in cyber security policy, forensics, and future threats. He has also been a pioneer in education, including starting and heading the oldest degree-granting cybersecurity program.

Dr. Spafford has been recognized with significant honors from various organizations. These include being elected as a Fellow of the American Academy of Arts and Sciences (AAA&S), and the Association for the Advancement of Science (AAAS); a Life Fellow of the ACM, the IEEE, and the (ISC)2; a Life Distinguished Fellow of the ISSA; and a member of the Cyber Security Hall of Fame — the only person to ever hold all these distinctions. In 2012 he was named one of Purdue’s inaugural Morrill Professors — the university’s highest award for the combination of scholarship, teaching, and service. In 2016, he received the State of Indiana’s highest civilian honor by being named as a Sagamore of the Wabash.

Among many other activities, he is vice-chair of ACM Publications Ethics & Plagiarism Committee, is editor-in-chief of the journal Computers & Security, serves on the Board of Directors of the Computing Research Association, and as a member of the National Security Advisory Board for Sandia Laboratories.

More information may be found in the Narrative Bio For Spaf

Gene recently co-authored Cybersecurity Myths and Misconceptions


Chris Swan


Chris is a frequent speaker on topics such as serverless, DevOps, cloud, containers, security, networking and the Internet of Things. He’s also a cloud editor for InfoQ and a contributor to open source projects such as Docker, CoreOS and DXC’s Online DevOps Dojo.

Nick Selby


Nick provides information security, disaster- and cyber incident-readiness assessments at Fuzz Technology, a subsidiary of EPSD, Inc. From 2021 to 2023, Nick served as VP of the Software Assurance Practice at Trail of Bits (where he was the voice and executive producer of its podcast), and from 2019 to 2021 as Chief Security Officer at Paxos Trust Company.

From 2018 to 2020, Nick served as Director of Cyber Intelligence and Investigations at the NYPD Intelligence Bureau, where he helped the department understand how it investigates online, and how Cyber Enabled crime affects New Yorkers.

In 2005 he founded the information security practice at industry analyst firm 451 Research, (now S&P Global Market Intelligence) where he served until 2009 as 451’s Vice President, Research Operations.