Josh chats with Olle E. Johansson about the Global Vulnerability Intelligence Platform (GVIP). It’s no secret the current vulnerability systems are reaching a breaking point. Olle is one of the few people with a long term vision instead of trying to just fix the short term problems. His GVIP ideas are very good, but it’s a community effort and needs our help. Give it a listen and if it sounds interesting, come help us out!
Episode Links
This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Episode Transcript
Josh Bressers (00:01) Today, Open Source Security is talking to Olle Johansson, an open source activist and founder of the GVIP project. Olle is one of my favorite people in the whole world to talk to. So I’m extremely excited to have you here. Olle, welcome to the show.
Olle E. Johansson (00:15) Thank you, Josh. It’s an honor to be here. I’ve been listening to your shows for a long time. So this is gonna be fun and we have a lot to speak about.
Josh Bressers (00:23) Okay, let’s just start out. Tell us a little bit about yourself and then tell us a little bit about GVIP and we’ll go from there. Cause you’re right. This is a gigantic topic.
Olle E. Johansson (00:36) Well, I’ve been working for a long time with open standards, IETF standards, networking, got engaged in open source, the Asterisk open source PBX project, Kamailio, the open source proxy. After that, I’ve been working with embedded development in commercial environments and other places. I learned about something called the EU Cyber Resilience Act a long time ago and…
While reading that, and with my experience from Asterisk, I imagined that the number of vulnerabilities reported, if people follow the letter of the law, will grow immensely.
Josh Bressers (01:21) Yes.
Olle E. Johansson (01:23) So I started wondering about how this is funded. And in a forum, we had meetings with NVD and CVE, and I realized that there are pretty small groups of people managing the whole world’s flow of vulnerabilities. And they’re all funded by the US government. I thought that was unfair, so I started writing a paper.
and discussing this in various meetings. And people said, well, you know, this is interesting, but it’s working. We have other things to do, move on. And then things started happening. Remember the NVD, where things just slowed down to almost nothing. A little bit of a trickle got the CPEs added so we could find them with our SBOMs.
So we were dancing in the dark. Even if we had proper SBOMs, we couldn’t find the vulnerabilities because there was no one home to mark them up with the product names. And a year later, we suddenly woke up with a message that the CVE program had about 23 hours left of funding, which shook up the whole world.
Josh Bressers (02:42) Yup.
Olle E. Johansson (02:46) And people suddenly remembered this old guy in Northern Europe up in Stockholm where I live, Sollentuna outside Stockholm, and contacted me over Easter. So I had many crazy meetings, and luckily I have a very patient wife. So we had many meetings. OWASP called for an emergency board meeting to discuss this and they decided that we need to do something.
Josh Bressers (03:03) Nice.
Olle E. Johansson (03:17) And that turned out to be my little project. So we started something called the Global Vulnerability Intelligence Platform Project. It’s a stupid name, but the idea is to figure out how we can handle this growth and a number of databases, including the CVE program, long term. How can we get…
more entities involved in funding, and how can we avoid developers creating platforms like OWASP Dependency-Track having 200 different APIs and data formats to work with? There needs to be some sort of standardization here. So those are the issues we’re discussing in the global vulnerability information project.
And with my background and involvement, I got OpenSSF, OWASP, Open Forum Europe, and a few other organizations involved, like Eclipse ORC WG. We have many discussions with other organizations as well. And I recently got funding from the Sovereign Tech Fund in their Sovereign Tech Resiliency Project
to create our first conference and a number of webcasts. So that’s where we are.
Josh Bressers (04:44) Nice.
And so the conference is happening right before FOSDEM yes?
Olle E. Johansson (04:50) Yeah, that’s what I wanted. And I got the funding before Christmas. And FOSDEM as you know, is the first weekend of February every year in Brussels. It’s the, I would say, an enormous open source conference. The number of speakers is up to now 1,030. And that’s the speakers. Can you imagine the number of attendees?
Josh Bressers (04:59) Yes.
Wow.
Olle E. Johansson (05:17) And the number of food trucks that provide waffles and hamburgers to all of these hackers. This is an enormous conference, but we expanded the conference with something called Open Source Week. So in a short time, I added one day to Open Source Week with a focus on vulnerability management. And I got a set of really nice speakers lined up.
Josh Bressers (05:17) it’s, yeah.
Yeah, yeah.
Olle E. Johansson (05:44) And we will try to have more of these summits in different places during the year to work on our requirements and our ideas for the future.
Josh Bressers (05:55) Awesome. Awesome. And this episode will almost certainly come out after FOSDEM has happened. So we’ll assume everything went great, no doubt. Well, I’ll make sure there’s a link in the show notes too. I’m sure there will be blog posts and write-ups and things of what came of your conference. So I’ll make sure we have links to that, but that’s really exciting. And I’m unfortunately not going to be there, but here’s what I think is the important part of this. And I’m sure you’ll agree with me, Olle, is like,
Olle E. Johansson (06:04) Yes, absolutely.
Josh Bressers (06:25) When you look historically at the world of vulnerabilities, it has been very like US centric, very focused on like MITRE and NVD. And there has not been a very community aspect of that. And I know a lot of people would disagree with it and say, we have a distributor, we have this community, we have all this and that. But if you look at the, we’ll say community that currently exists around vulnerabilities, it’s often like.
gigantic companies, there’s not a lot of voices from people like open source, you don’t have a lot of foundation input necessarily. And so I think this is huge that you’re bringing a diverse group of people together. It’s a really big deal.
Olle E. Johansson (07:00) Thank you, and I think it’s important. I can compare the situation to, I’m old enough to remember when the US government said that we owned the internet because we paid a salary to Jon Postel and IANA, right? Our response in the internet community was, for better or worse, to build an organization with multiple stakeholders, government, enterprises, non-profit organizations, called ICANN.
Josh Bressers (07:14) Yep. Yep.
Olle E. Johansson (07:30) And you can hate it or love it, but it’s better than an alternative, much better. And we had a couple of Swedes managing ICANN for a while, so we’re happy with that. But I think we need to step forward and do something similar here, because the EU, in the ENISA regulation,
provided funding to our European cyber security agency called ENISA to build a European vulnerability database, which I believe is similar to the American KEV. But they haven’t communicated much, they haven’t interacted with the community. So we will see what it ends up being. But.
I strongly believe that if we’re going to expand the number of CVEs, last year we had around 50,000, I believe we’re gonna be at several hundred thousand within a few years if we do things right. If we’re gonna handle that, we need diverse funding, we need a global perspective on this.
Josh Bressers (08:43) Yes. Okay. I want to set that up a little bit first, because for anyone listening, if you’re not in the middle of the vulnerability universe, everything Olle just said, you’re probably like, I have no idea what that means. So we have the CVE program, which is run by MITRE in the United States. MITRE is an FFRDC, which is a federal funded development research corporation. I forget exactly what FFRDC stands for, but fundamentally MITRE takes money from the US government. That is how that’s set up.
Like they can’t take money from someone else. I remember when CVE was having its funding problems, a bunch of people were like, let’s just pay MITRE. They legally can’t do that. That is not an option here, okay? Now, if you look at CVE today, there are many opinions about the goodness or the badness of it, but I think generally speaking, it is well understood that this is not a program that’s necessarily functioning
correctly, we’ll say, and I’ll use correctly as my very generous description of CVE. We had 50,000 vulnerabilities last year, but there is no doubt, like Olle mentioned, it’s several hundred thousand per year. It’s probably at least that, if not more, and the example I use is if we look at the size of open source. Open source has tens of millions of packages, hundreds of millions of versions that exist today. We are adding like millions of things per year, literally.
You’re telling me there’s 50,000 vulnerabilities and millions of open source packages? Like absolutely not. That is a completely ridiculous assumption. So this is very, you know, what, it’s like survivor bias, right? Essentially, that we’re dealing with here. Now, as part of that, I think there has been a, it has been very hard to create some sort of community-like environment where we can have a lot of these discussions. And there’s a bunch of reasons for that. There’s a bunch of history behind that, but fundamentally.
I would say it has been hostile to dissenting voices is what I would say. And so anytime you had someone saying, there’s something wrong with this, it was very, very hard for that message to get through. And there’s a bunch of people you can find on the internet who’d be happy to rant and complain. Goodness knows I have many podcasts in the backlog where I do the same thing. But I think this is what makes it such a big deal is like we are on the verge of
Olle E. Johansson (10:52) Yeah.
Josh Bressers (11:00) this data becoming more important than ever, thanks to things like the CRA, but we’re also at a point where I think the data is more fragile than ever just due to, you know, global geopolitical pressure and everything else. So, okay. So I feel like that hopefully sets this up correctly.
Olle E. Johansson (11:13) yeah, yeah.
I would like to add a few bullet points here. The CVE program is 25 years old. We can discuss it, you can love it or hate it, but it’s what we have. But the important thing is that the CVE core, MITRE, is funded by CISA and US government money. But there are 500…
Josh Bressers (11:20) Please, please do.
Yes.
Olle E. Johansson (11:41) contributing organizations that contribute to the CVE program. And they are around the world, including the European Cybersecurity Agency ENISA. But everything from small projects to very large corporations are involved in creating this. The contributing part is really a global, I would say, asset.
Josh Bressers (11:50) Yep. Yep.
Olle E. Johansson (12:09) But we discussed a lot of this and we have set up a list of requirements which I think are very interesting, and you can find them on our website. I’m sure we can provide a link in the show notes. But we have a few requirements that this data should be free for all. It should be globally accessible and
there’s a list of things, including technical, but also organizational requirements. And I’m a bit worried about the free for all. If a government that owns a database or funds a database, like Japan does, like Europe does and the US does, decides that this database should not be reachable from any other part of the world,
it will hurt us in the open source world, because we want to contribute our CVE once and then go back to fix our code and help our users. We can’t contribute the same issue to 10 different databases, or contribute to one and it’s not spread worldwide, because we have worldwide usage of our code.
Josh Bressers (13:30) Yes, yes. And this is, I mean, it’s kind of a problem today, just because I think if we look at a lot of the data sets that exist, I mean, I can tell you as, you know, a US citizen dealing with a lot of US entities, it is very CVE focused here.
And I know there are things in other databases that have not made it into CVE. And a lot of organizations are blind to that. Cause when you try to show certain organizations, especially like in the US federal space, an identifier that’s not a CVE, they’re like, we don’t care. Get rid of that thing. Like, you know, and it’s like, this is real. But a lot of these data sets, right, they pull from CVE, but CVE doesn’t pull from anyone else unless someone actually sends the data into CVE specifically.
Olle E. Johansson (14:18) But in addition, there are some very old systems we’re talking about. I read an article recently that there are CVEs that are over 10 years old that have been changed recently. And there’s no easy way to find that out or determine it. We need to modernize this so we see digitally
who’s provided what information. Because if we’re going truly global, we won’t only have, I would say, different data, we will have different cultures. And that’s gonna also be an important factor in all of this. So, I may be totally wrong here, but I’m…
with my old head heading directly into digital signatures, being able to trace and also filter out and decide myself who I trust.
Josh Bressers (15:21) Yeah, yeah. I mean, that’s fair. This is actually something I talked to the CIRCL folks from GCVE about. It’s been like a year now, I think, but like they’ve solved some of this where they have the ability to have multiple inputs to like a given vulnerability. And then you can decide like, I trust, you know, Olle, I don’t trust Josh, and it’s trivial to decide. I mean, it’s not,
we’ll say, straightforward, because there’s obviously duplication of data and there’s some difficulty in kind of unwinding it all. But I do like some of the ideas they have. I think they’ve definitely cracked some of this.
Olle E. Johansson (15:57) Oh yeah.
I mean, GCVE is a smaller organization, doesn’t have 25 years of legacy, so they can do things right. And they’re gonna speak at our conference at the end of the month.
Josh Bressers (16:03) Yes.
Yes. good, nice.
Olle E. Johansson (16:12) But it seems like the CVE program has listened to a lot of what’s been said recently. They started a consumer working group. They have recently added package URL specifiers. They seem a little bit more interested in listening and having a dialogue. We’ll see how many resources they get.
Josh Bressers (16:41) Right.
Olle E. Johansson (16:41) We
heard recently that they have one more year of funding, but we don’t know how big the funding is or how much, or if they can handle a doubling of the CVE flow with the funding they recently got approved.
Josh Bressers (16:53) right.
They can’t, look, I think, okay, there’s a lot to unpack here. I want to, this is so good. I love this. Okay. I want to start with CVE doing some listening. I would say they’re better than they used to be, but I still don’t think they are listening or moving fast enough to keep up with the change we need to see for the program to actually be successful in the modern age. So I’m glad.
They’re less hostile than they maybe were, but I don’t think it’s enough, is my pessimistic view on that. And hopefully I’m wrong.
Now, the funding aspect still scares the bejesus out of me because this is a black box. In fact, the CVE board, my understanding is, didn’t even know there were funding issues until they got a scary email from last year. That is…
Olle E. Johansson (18:00) I think
we can clarify that the board is not ruling the organization, it’s more an advisory group, I would say.
Josh Bressers (18:05) Yes. A hundred percent. That’s a hundred percent correct.
And the thing that scares me is while we’ve heard rumors from a person who’s not part of CISA or part of MITRE that says, yes, we’re going to get funding. Like that does not fill me with confidence until I see like a check in the bank. I’m still concerned. And you are correct that if they get less funding.
That’s not good either because like I know they get well like $36 million I think per year to run this program, which sounds like a lot, but given the scale of this thing and what actually needs to happen, it’s really not that much money and it probably needs to be a lot more.
Olle E. Johansson (18:49) Yeah, I mean the worst part, we see the NVD trickle down. We have no communication whatsoever. The CNAs have stepped forward and they’re adding a lot of the missing information, not all of them, but many of them. But if that would happen, the trickle-down slow death to the CVE program, that would be disastrous. Now,
Josh Bressers (19:02) Yes.
Olle E. Johansson (19:15) The market, of course, has reacted. There are many commercial vendors who see an opportunity here. And of course, European companies under these new regulations, they will have to solve their problems. So they’re turning to commercial vendors. And that means a lock-in and a small company and open source project lockout. And we need to make sure that happens. We also see organizations stepping forward with Plan Bs.
Josh Bressers (19:33) Yes.
Olle E. Johansson (19:44) Open Source Security Foundation are working to, I would say, manage the OSV database, formerly funded by Google, and expand that. They have aspirations of becoming a CNA in the CVE program, but also contribute to other databases. So…
Josh Bressers (20:10) That one scares me the most, Olle.
Olle E. Johansson (20:12) There
are things happening and we haven’t seen the details yet of all of this.
Josh Bressers (20:20) Well, from what I’ve read, you probably know more than I do about this, but from what I’ve read, they’re like, Google wants to give OSV to the OpenSSF and they’re going to put $4 million behind it. There is absolutely no way you can run the existing OSV program on $4 million, much less expand.
And so that scares me. I hope they can get more money, but if they can’t, like, OSV is very useful. And if that goes away, that would be a huge detriment to just like the planet. And for anyone who doesn’t know, OSV is, what, Open Source Vulnerabilities, I think it stands for. It’s a Google project that has had people mostly collating vulnerability information from other ecosystems and then kind of cleaning it up and republishing it. And it’s very normalized, very nice data.
Olle E. Johansson (20:48) yes.
Yep.
Hmm
It’s kind of a federation where many different, as you said, many organizations like GitHub and others provide data. And it’s a more modern format. The actual OSV data format has been managed by the OpenSSF for quite some time now. So the data format is managed in an open process where you can contribute.
Josh Bressers (21:33) Yes, yes. And it’s
a marvelous format. The thing I’ve always said is you can tell that like, if you look at the CVE JSON format, that was built by a committee. The OSV JSON format, that was built by people who actually are doing the work, because it has the things you actually need in it.
Olle E. Johansson (21:52) Yep, I mean there’s also a balance between sitting down in a conference room and solving problems by committee, or having involved people fixing stuff that needs to be fixed and that they need in their code. The output is very different. I’ve been involved for quite some time in CycloneDX and…
Josh Bressers (22:05) Yep, yep.
Olle E. Johansson (22:12) That’s really driven by people who need stuff, fix stuff, and it’s very agile as a project. It can be confusing sometimes if you, like me, have lived in the world of IETF, where getting simple things done can take several years nowadays.
Josh Bressers (22:28) Yeah.
But, on the other side, as someone downstream from CycloneDX it can be very frustrating. That’s like, you haven’t even finished making the last set of changes and they’re already publishing a new set of changes. And it’s like, please slow down. I can’t keep up with you. So.
Olle E. Johansson (22:46) Well, now
you have the ECMA standardization process, where there will be community releases from the CycloneDX project, but then there will be ECMA. And now we’re actually in ECMA, CycloneDX will be elevating our standards to ISO standards. So CycloneDX will during 2026 be an ISO standard as well.
Josh Bressers (22:50) Yes, yes.
Cool!
That’s awesome. Yeah. And that should help bring sanity.
Olle E. Johansson (23:15) And just to scare
you, we have CycloneDX 2.0 coming, which will be a huge change.
Josh Bressers (23:23) Yeah.
Yeah. I expect nothing less. I mean, look at SPDX 3, that was a massive change as well. I have no doubt CycloneDX 2 will be just as massive, probably more, but okay. Okay. So I wanna bring us back to our topic and I wanna talk about like GVIP kind of at the end of this now and what, like, what is happening? Why, why you think it’s going to work?
Olle E. Johansson (23:38) Yep.
Josh Bressers (23:51) And also what can we do to get involved? Because obviously GVIP is a community project, right? This is not like sit there and see what happens, like come and help.
Olle E. Johansson (24:01) Yes, absolutely. What I see is going to happen now, when I have the funding to work with this, is that on the top level we will have GVIP summits. We will have a series of webinars with some persons who have been involved for a long time in this, trying to build a core knowledge base and a set, refine our set of requirements.
In addition, we will have open community meetings where we actually roll up our sleeves and start working on requirements, trying to find out if we have organizations that fulfill our requirements or if we actually need to get funding to build something new. Personally, I currently believe we have to start something new.
probably with a better name than GVIP, but we’ll figure that out later on. Yes? Okay, we’ll stick with that. But we will involve the community and I think…
Josh Bressers (24:58) No, Olle, names only get worse. Like, GVIP is a pretty good name. I’d stick with that one.
Olle E. Johansson (25:12) From listening to a lot of people in a lot of discussions in various conferences I’ve been at and talked about this. I’ve been on tour all fall around Europe and been involved remotely in other conferences as well. I think we have to start working on the technical side as well. I was hoping we could postpone that for a while, but…
Seeing the recent developments, I think we have to start working on that as well. So we’ll start with a lot of interesting work groups and meetings where you can contribute. We have a GitHub repository already and we’re gonna reactivate that.
Josh Bressers (25:41) Yeah.
Olle E. Johansson (25:59) And one of the requirements we have is transparency. So we’re gonna be very transparent in what we’re doing as we move along. One way to join is to follow us on various social media. We have most activity right now on LinkedIn, but we’re gonna be on, of course, Mastodon as well. We also have a mailing list called cve@owasp.org
that you can subscribe to, and we’ll have discussions and you’ll get updates and invitations to meetings and other things through all of these channels.
Josh Bressers (26:39) And I’ll make sure there’s links to all this stuff in the show notes. So if anyone’s interested, by all means, go check out the links. Or you can get in touch with me or Olle. We’re on LinkedIn. Are you on Mastodon? I can’t remember. I think you are. You are, okay, okay. Yeah, I mean, I’m tech.
Olle E. Johansson (26:43) Great.
I’m on Mastodon, I’m on Bluesky, and I’m oej at Infosec Exchange.
Josh Bressers (26:59) I
will make sure I have a link to that. Yes, I do remember that now that you say that. Anyway, okay, like that’s cool. I like that. So I guess here is kind of my question to bring us home. This is a lot of work. This is a ridiculous amount of work. Like I have at least three dead open attempts at doing something similar to this behind me, in that
various projects to create like open vulnerability data and things like that. I think if you look, there’s what was it? The OSVDB died a terrible death because no one, no one wanted to contribute. So tell me why it’s different this time, Olle. Like, like give me the optimism I need to get involved and stay involved in this project.
Olle E. Johansson (27:48) I think that we’re starting not with building a new database, because that may not be the answer to all this, but by looking at building a federation system and talking about the governance. How do we want to play within a global vulnerability system?
I think that’s really important to set the agenda. And I’m a stubborn old Swedish man. And what else can we do with long dark winters? Come on.
Josh Bressers (28:26) Okay, that’s fair. Okay. So I will say, I think you’re right that putting focus on the governance aspect of this is hugely important. Everyone, including myself, that I think has tried to do a lot of this stuff in the past, has started with the technical issues. And I think, as I now am an old man as well, technical problems are easy. People problems are hard. That is like the one lesson I’ve learned in the
Olle E. Johansson (28:54) Yes.
Josh Bressers (28:55) many, many years I’ve been involved in open source and many other things is we can solve technical problems very easily. And I think this is fundamentally not a technical problem. It’s easy to look at all of the problems CVE has today and be like, we could fix it with, you know, using a blockchain or signatures or whatever. Those aren’t the problems. The problems are fundamentally governance and people problems. So yeah, that is…
Olle E. Johansson (29:07) Hmm
Exactly. And
in this case, getting all the stakeholders in the same room. Currently in the GVIP project, we have the open source community. We have some kind of general agreement, maybe not on all details, but on the overall details. And we need more stakeholders. We need industry, we need government, we need military. So…
that’s gonna be part of my work during this spring, to bring in a few of those. And I’ve already been in contact with some of them. And it takes time for them to digest the problem, to see the whole cycle, that we’re making society more secure by fixing vulnerabilities. To fix vulnerabilities, we need to be aware of them. And it’s a whole chain that I need to explain in a…
very simple way so they kind of understand the risks here. After they do that, they become engaged.
Josh Bressers (30:26) Yeah. Yeah. And that’s a huge part of it. So we should also clarify, at the beginning of this, Olle gave us some kind of history of some of the problems we have. And I want to stress how few people understand this. So, you know, this is one of the things I do for the day job is I deal with vulnerabilities. We, you know, at Anchore we have a tool called Grype. That’s a vulnerability scanner. It’s an open source vulnerability scanner. Do you know how many commercial companies are like, sure, you can publish our data on the internet for free so anyone can download it?
Olle E. Johansson (30:47) Yes.
Josh Bressers (30:56) The answer is zero, right? Like no commercial company is gonna let you do that. So we’re in a weird place. So we’re trying to construct data as best as we can by cobbling it together from multiple sources. And like there are so many organizations that have no idea what has happened to vulnerability data, where like NVD basically fell apart.
I think less than half of the CVEs last year were enriched by NVD, yet at the same time, in the US, we have government regulations saying you have to use NVD data for severity and CPEs and things, and it’s like, it doesn’t exist, like what do we do now? And it is also difficult, I think, because there are people who will tell you everything’s fine, we’re fixing it, and like
Olle E. Johansson (31:27) Except
Josh Bressers (31:43) Everything is not fine. Everything has not been fine for years at this point.
Olle E. Johansson (31:45) No.
No, and you can start with all the talk about software bill of materials. You have to create software bills of materials to see the components you’re running in your IT infrastructure or in the products you sell. And you take the software bill of materials and you make sure that all the components don’t have vulnerabilities. Sounds great, it’s a good story. Very simple, right?
Josh Bressers (32:12) my goodness.
Olle E. Johansson (32:12) And there’s
so many parts missing in this, and that’s why we are working in OWASP, in ORC WG and OpenSSF to kind of repair and fix this toolchain to make the SBOMs operational again. Then you can start asking questions about what’s an SBOM, but that’s a topic for another session, I guess.
Josh Bressers (32:34) It’s fine. The CRA is going to tell us what it is. It’ll be all good. Okay. So let’s end on that. Let’s end on the CRA note. And I think this is the other thing that fills me with optimism, Olle, is historically, if you look at things like vulnerabilities, and even SBOMs kind of fall into this bucket, it is easy for people to say, I care about vulnerability. I care about SBOMs. I care about code security. I care about all these things, but
If there’s no like financial incentive, it’s the first thing that gets cut down the road, right? And this, the CRA, yeah.
Olle E. Johansson (33:06) Yeah, and you have seen that. I have seen that
as a consultant in many projects. I even had a project manager who discovered how to delete registered issues in Jira to get rid of my security reports. That’s how bad it is. If you read the CRA, they say that the cost of all this cybercrime for society is way too high.
Josh Bressers (33:22) Epic. Epic.
Olle E. Johansson (33:32) And the open market hasn’t worked. The manufacturers have no incentive to build secure products or protect the users. Guess what? The legislators move in and give us the requirements. And they say very clearly in the text that manufacturers and product marketing managers need to focus on security now instead of new features. Will that happen?
I think every small step towards more security for the user is good. I don’t believe that everything will happen by December next year, but we will see an attitude change in the industry. I strongly believe that and I hope that. But they need the tooling, they need all these toolchains to work.
Josh Bressers (34:17) Yes.
Olle E. Johansson (34:22) And as the base layer for protecting all of us, we need a global, free, accessible, and with global identifiers vulnerability system.
Josh Bressers (34:34) Yes, a hundred percent. And this is what gives me hope, actually, is because it’s easy to ignore people like us screaming about this off in the corner. And it’s like, whatever, nerds, get back in your hole. But it’s very different when you have regulators saying you have to actually do these things. And I’m hopeful that other organizations like, you know, insurance companies and things like that also start to pay attention now that you have regulators, you know, setting some of these standards and saying this is the way it has to be. So.
Olle E. Johansson (34:39) Yeah.
No.
Josh Bressers (35:04) I have hope, Olle, and I put a lot of hope in you, man. Like, here we go, right? This is it.
Olle E. Johansson (35:11) The only way we can move forward is working together. So I invite every one of you that listens to join us in this. We need more resources, we need more people, we need more people thinking about this and working together to create solutions.
Josh Bressers (35:29) 100%. Yes. Yes. And I’ll of course have links in the show notes. Please, please come help. Olle is a lovely person to talk to. You can hang out in a meeting and have a chat. And I think this is great. And I want to also commend you, Olle, because when we look at a lot of the vulnerability work happening right now, most of it is very short-term. And I know that’s for good reason, because like we’re just in the middle of a lot of chaos. And you are the only person I know of that has taken a long-term view on this topic.
Olle E. Johansson (35:50) Okay.
Josh Bressers (35:58) And I’m very grateful for that and I’m very thankful you’ve done it because I think it is incredibly important work.
Olle E. Johansson (36:05) Thank you. I believe so too. So let’s get this moving.
Josh Bressers (36:09) Indeed,
indeed. And we’ll have you back in a couple of months and hopefully we have amazing stories to tell about all the work that got done. Right. Well, and that is another thing too. We have to temper our expectations. Like, once this boat starts to move, I think it’ll go quickly, but it’s going to take a lot of effort to get it to move. Like this is, we’re moving an aircraft carrier here, I think.
Olle E. Johansson (36:32) Absolutely, and if we’re building a new organization, that organization needs to be trusted, and trust is something you earn, and that will take a long time, to move all the pieces together, to convince databases to integrate with our systems, with our identifiers, other things. But I think it’s needed for the security of the internet and the users.
Josh Bressers (36:41) Yes. Yes.
100%. All right, Olle, it has been a pleasure as always. Until next time, my friend.
Olle E. Johansson (37:05) Thank you, the same.