My frequent co-conspirator, Ryan Petrich, and I submitted a response to the U.S. government’s Request for Information on Open-Source Software Security: Areas of Long-Term Focus and Prioritization (ONCD-2023-0002). This moment in spacetime is a critical juncture in software, not just open-source software (OSS), and we feel privileged to submit our recommendations for the requesting agencies – ONCD, CISA, NSF, DARPA, and OMB – to consider as they traverse these challenges.

It is admittedly exhaustive since we wanted to offer our expertise across as many problems and areas of focus as were relevant. Our response begins by describing multiple “Gordian Knots” we believe will offer the requesting agencies alternative perspectives on the problem at hand. The rest of the response is structured with recommendations in the areas and subareas where our expertise is relevant, in the same order as presented in the RFI. Additionally, we identify and recommend multiple new subareas of focus for prioritization, including isolation, modular design, automation (CI/CD), resilience stress testing, and others; many of these are suffused with the spirit of Gordian Knots.

We are publishing our response in the spirit of transparency; you can read it at the following link:

Note that we are submitting as Shortridge Sensemaking LLC. The views expressed in our response are not necessarily the views of our employers or any of their affiliates. The information contained herein is not intended to provide, and should not be relied upon for, investment advice (which we would hope is obvious).

Enjoy this post? You might like my book, Security Chaos Engineering: Sustaining Resilience in Software and Systems, available at Amazon, Bookshop, and other major retailers online.