Modern software applications consist of 70-90% Open Source Software, with 50-90% being unnecessary, thus increasing the attack surface and vulnerabilities. RapidFort's platform profiles containerized applications and removes unused components, reducing vulnerabilities by up to 80% and saving enterprises $10-16 million annually on remediation efforts.
Tune in for RapidFort's sponsored interview about DevSecOps for the space industry on this special edition of the T-Minus Space Daily podcast.
Russ Andersson, COO and Cofounder of RapidFort, discusses the importance of software security in the space industry. Awareness for security needs in space systems is at an all-time high, particularly as geopolitical tensions rise and as software becomes more complex.
Andersson highlights two main areas of concern for space systems: ground segment and on-bus/in-orbit software. Ground segment software is moving towards adopting best practices from enterprise cloud infrastructure, while on-bus software is borrowing best practices from IoT and industrial control systems.
As the space industry moves towards DevSecOps, a software release methodology that integrates security, Andersson suggests that organizations need to decide whether they will adopt a DevSecOps cloud-native approach or continue with a more traditional path. RapidFort provides an automated toolset to help organizations reduce their software attack surface, allowing for secure software development that is both cost-effective and rapid.
>> Maria Varmazis: Satellite security has been in the spotlight, especially in the last year. And as this issue gets more attention paid, there are a number of professional best practices from other industries that the space industry can adapt to more quickly ramp up here. One of those is the concept of working and automating security testing into every stage of the entire software development lifecycle. It's an idea that often gets shortened to DevSecOps. Now, DevSecOps is a proactive approach to software security, where you're baking it in as you go, instead of working out the software and then finding and fixing the vulnerabilities after things have essentially shipped. As software and space systems continue to grow in complexity and maturity, DevSecOps is gaining traction as a best practice. So speaking with me now on the how and why of DevSecOps for Space Systems is Russ Andersson, COO and Co-Founder of RapidFort. Here's our conversation.
>> Russ Andersson: Well, the awareness for security needs for space systems, I'd say, is at an all-time high. It's been heightened by geopolitical tensions, both in Eastern Europe and possibly with China, and the recognition that, as we move to more complex space systems, the software is going to be more complex. And as a result, the challenges in securing it are going to be harder. If one looks historically at the space industry, they focused on heritage software, simple software that was well written, that had a lot of flight hours and had flown before. And that was actually easy to secure because it tended to use memory-safe languages. The access and interoperability of the software was reduced, and it was essentially a small, safe kernel sitting on a bus in space, which was hard to actually breach. Because of the complexity of space missions, that simple software is not going to meet the performance needs. And so, there's this enormous move towards open-source software, which has a lot of significant benefits in performance and functionality and future-proofing and all of these wonderful things. It enabled AI, autonomous flight, all of these things, but that comes at the risk of it being a much larger software footprint. And as a result, it's much, much harder to secure. So we're leaving the trusted, safe old and we're voyaging into the exciting but unsafe new. And that's one of the recurrent themes we hear from executives in the space industry.
>> Maria Varmazis: When it comes to attack vectors on space systems, what are sort of common ways that attackers are compromising these systems?
>> Russ Andersson: Well, there are two fundamental systems, as we all know. There's the ground segment and then there's essentially the on-bus or in-orbit software. And they represent two very different security challenges. So most of the ground segment software is moving to cloud-native or cloud-supported infrastructure. And the security challenges there are similar to what you'd have with securing enterprise cloud infrastructure. So the security programs for the satellite operators are starting to resemble the security programs of large financial services companies, like banks and things like that. And so, there is a clear model for that. There's nothing essentially new that's going on. The satellite industry is just essentially adopting best practices for the ground segment. For in-orbit or on-bus, essentially on-device software, the market and its challenges are very different in the sense that this is something new. There are a few aspects of satellite software which are unique, which create new challenges. And there's a number of subtle things that one needs to do, but it is now possible to start borrowing best practice from the internet of things, industrial control systems, the energy space, and those types of things. And so, we're starting to see satellites starting to adopt critical energy infrastructure, IoT-type security paradigms, whereas the ground segment is moving much more to traditional enterprise cloud security paradigms.
>> Maria Varmazis: That's interesting that the two are moving in kind of different parallel paths because I think of enterprise and IoT as almost opposite. Maybe that's not true, but that's sort of how I think of them.
>> Russ Andersson: Very astute observation. So when one thinks of that, these markets are actually converging, and they're converging because of a couple of fundamental trends. But the biggest trend that we're seeing in the IoT space and, indeed, in automobile spaces is that, historically, if you looked at a car, it had sensors all around the car, and all of these had separate compute and separate software. What's happening now is all of the compute and all the software is being centralized in a single place, and the sensors are essentially becoming much more like dumb terminals. And because of that centralization of compute, things like containers, Kubernetes, and those sorts of cloud-native technologies are starting to appear on IoT devices. So there is going to be a convergence of security challenges as the IoT devices themselves become more powerful, become much more cloud-like and intelligent as they move towards providing enhanced functions and performance.
>> Maria Varmazis: Okay. So it sounds like for creating a space system, there is a maturity there in building out security from, for lack of a better term, ground up, as you go, as opposed to thinking of it and tacking it on later. So one of the terms that we sometimes use is DevSecOps. Can we talk a little bit about what that means here?
>> Russ Andersson: Sure. So DevSecOps is a software release methodology, which puts security into a traditional DevOps process. And so, what do we mean by DevOps? DevOps is the process of continually releasing software. There's a lot more to it. But fundamentally, the difference between DevOps and the methodologies before it is the idea of deploying small increments to software continuously, whereas, in the past, satellite software was very waterfall in nature. There was essentially one release. You got that version out and then you never updated it for 20 years. And so, there's something of a clash of cultures between DevOps or DevSecOps, which is deploying small incremental changes continuously and the way satellites and, in fact, the aerospace industry historically has worked, which is one and done. And the reason that's needed now is a lot of the vehicles that are essentially being launched are going to be in orbit for a long period of time. And software capabilities are going to improve, and you want to take advantage of those improvements by future-proofing your platform. And so, there is essentially a drive towards DevSecOps because it allows you to harness the performance benefits of the future essentially by making investments now.
>> Maria Varmazis: So if I was creating or working on a space system right now, and this conversation has piqued my interest, but I don't know quite where to start or where to learn it more, what would you suggest?
>> Russ Andersson: Well, that's a good question. I think, architecturally, the big decision that you need to make is: are you going to go essentially the DevSecOps cloud-native path, or are you going to continue essentially down a more traditional path? And that's going to essentially be a central decision that's going to take you down two very different journeys. There are pros and cons for either, but the things that you'd look at essentially are: what are the capabilities that I need to support? How long do I expect the software to provide those services, and things like that? The more complex the mission, the longer the life, and so forth, the more the benefits of the DevSecOps path will mount. However, if it's a relatively simple mission, staying with the tried and trusted heritage software might be a better path for you.
>> Maria Varmazis: That's a great point. There is no one size fits all. Certainly. Any closing statements or anything you want to mention about RapidFort that relates to all of this? I want to make sure I give you that opportunity.
>> Russ Andersson: Yes. Thank you. So next-generation software provides enormous advantages, but it does come at a security cost, in that the software tends to be bloated. What RapidFort does is provide an automated toolset to discover which code you're actually using, and then we shrink down the software artifact and give you a perfectly customized software artifact just for your mission. So we build a customized software shoe for your own foot. And we typically reduce software and attack surface by about 80%. So that means 80% fewer patches to apply, 80% fewer vulnerabilities to defend. And that allows you to build and deliver secure software cheaper and faster and, ideally, rapidly.
>> Maria Varmazis: Excellent. Thank you, Russ. I really appreciate you coming in to speak with us today.
>> Russ Andersson: No, it's been a pleasure. Thank you very much for the opportunity, Maria.