Reimagining Cyber Podcast: A discussion with the Software Angel of Death, John Keane

by Micro Focus Employee in CyberRes

People’s stories are my favorite. I love hearing people’s life stories and learning more about them, and what makes them tick. Hearing John Keane speak on the recent Reimagining Cyber podcast, “A discussion with the Software Angel of Death, John Keane,” was no exception. Keane has made a lasting impact on the cybersecurity industry. With nearly five decades of experience (and counting), a dry wit, a unique trajectory (he seems to have done it all, from cybersecurity to teaching English), and a well-earned reputation as the Software Angel of Death, Keane’s story and legacy are ones you won’t want to miss.

The Software Angel of Death

Keane’s moniker, the Software Angel of Death, was earned while he was working on a government project. After reviewing initial security scans that were atrocious, he candidly said, “I think you should return the software to the vendor and tell the vendor to do it over and to do it right for a change.”

Two days later, as he was walking into an event attended by the vendor of the software he had just torn apart, he heard the program executive officer say, “There he is, the Software Angel of Death.” The nickname has followed him ever since.

Securing the Supply Chain with Contract Language

Keane has been working on software-assurance-oriented contracting language that could shape the standardized contract language required by President Biden’s Executive Order on Improving the Nation’s Cybersecurity. In 2016, he worked with developers, rather than cybersecurity professionals, to draft the language and determine what could realistically be accomplished by complying with the rules. One of his rules is to fully comply with the OWASP Top 10, MITRE Top 25, NIST Top 25, or SANS Top 25. Those that don’t comply must justify their decision.

Additionally, he notes that it’s important to teach people how and why something should be done, and how spending an extra 15 minutes coding something correctly will prevent issues later on.

The Executive Order and the Importance of Words

President Biden’s executive order tightens cybersecurity requirements for government entities and the organizations that work with them. The challenge comes when you ask, “Well, what does the word ‘weakness’ really mean?” Keane leans on the ISO glossary, which, though it isn’t perfect, defines weakness as “a weakness of an asset or group of assets that can be exploited by one or more threats.” A threat, in turn, is defined as “something that can exploit a vulnerability.”

Clearly defining technical terms matters not only for those who work in the IT industry but also for those who don’t. For example, a company that supplies a product to the Department of Defense (DoD) may not understand all of the technical or industry-specific jargon in the executive order.

“If you're asking people to support an idea of better cybersecurity, and they're not IT private practitioners, they're not IT professionals, we have to do something of cleaning up our terminology, and also our acronyms as well,” Keane says. 

Language should be clear, simple, and easily understandable.  

How do you think definitions should change in our industry? Drop it in the comments below. 

You can find the latest episode of Reimagining Cyber on Soundcloud, Apple, Stitcher, Spotify, and Google Play. Give it a listen, and let me know what you think.

CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework, and on helping organizations become more cyber resilient. To learn more, visit CyberRes.com.
