Just as agile software development rapidly iterates on evolving user stories, agile security must rapidly iterate on an evolving threat environment as technology plays an increasingly important role in society. To keep pace with a constantly changing set of vulnerabilities, we must rethink how we approach securing complex government systems.
Traditionally, a three-year cycle involving voluminous documentation produced a static snapshot of the systems under review to justify an official Authority to Operate (ATO). There was no real-time monitoring, and no verification that the deployed systems actually matched their documentation, beyond random spot checks conducted by the authorizing official. To resolve this disconnect, the Department of Homeland Security (DHS) has issued a mandate for Continuous Diagnostics and Mitigation (CDM). But because the communication channels used by the CDM tooling are proprietary, as are the Windows systems they predominantly monitor, the ability to monitor newer technologies, such as the latest version of Red Hat GNU/Linux, lags behind.
This talk argues that well-vetted open source software packages have a decided advantage over thoroughly analyzed but statically configured closed source solutions, and makes the case for open sourcing the Department of Homeland Security's Continuous Monitoring processes.