The Product Security Imperative: Lessons from CISA

Jack Cable

BSidesSF 2025 — Here Be Dragons · Day 2 · Main

Jack Cable, who spent two years at CISA leading the Secure by Design initiative before delivering this talk, made the case that the software industry is still building products riddled with decades-old, preventable vulnerability classes — and that addressing them requires shifting liability from end users onto technology manufacturers. His talk reviewed the year-one results of CISA's Secure by Design pledge, the case for legal reform to protect security researchers, and the specific threat that AI-assisted coding poses to product security in the near term.

AI review

Jack Cable spent two years inside CISA watching the Secure by Design initiative get built and is now free to say what the institutional messaging couldn't. The Android memory safety longitudinal data, the KEV class analysis, and the AI-assisted coding risk argument are all specific and grounded. This is what post-government candor looks like.
