- First off, for those that don't know you or your work, would you mind telling us a bit about your background?

- You recently published a paper titled "Secure-by-Design at Google" which got a lot of attention. Can you tell us about the paper and some of the key themes it emphasizes?

- In the paper you discuss some of the unique aspects of software that are different from mass-produced physical systems. Such as their dynamic and iterative nature. On one hand you mention how the risk of introducing a new defect over time for a physical system after manufacturing is low, unlike software. I know Google are big proponents of DORA for example, and past papers have shown organizations that are capable of routinely delivering software to production at-scale also have more resilient outcomes, this seems to be both a risk and a benefit of software over physical systems?

- You also discuss the need for Secure Default Configurations. Historically it feels like producers have erred on the side of functionality and usability over secure default configurations, and we have even heard CISA begin using terms like "loosening guides" over hardening guides. Do you feel the two concepts of security and usability at inherently at odds, or need to be?

- One aspect of your paper that really jumped out to me is that "developers are users too". I feel like this is even more pertinent with both the rise of software supply chain attacks and the realization that most defects are introduced by Developers and also they are best positioned to address flaws and vulnerabilities. How critical do you think it is to design systems with this in mind?

- Some may pushback and say it is easy for Google to say advocate this approach of Secure-by-Design due to their incredible expertise and resources, but obviously, and conversely, Google has a scale in terms of challenges that most organizations can't fathom. How does Google balance the two?

- What role do you think leading software suppliers and organizations such as Google have to play when it comes to ensuring a more resilient digital ecosystem for everyone?

- First off, for folks that don't know you, can you tell us a bit about your current role and background?

- On that same note, can you tell the audience a bit about Anduril, the mission of the organization and some of the current initiatives it is working on?

- What are some of the biggest challenges of being a new entrant in a space such as the DoD, which has longstanding system integrators and large prime contractors who have deep relationships, industry expertise/experience and so on?

- I know you're passionate about the ATO process. What are your thoughts on how it stands currently and the impact it has on both new entrants, as well as impacting the ability to get innovative capabilities into the hands of warfighters and mission owners?

- CMMC

- We know your organization is looking to bring innovative commercial technologies into Defense, what are some of the challenges there beyond the ATO aspect?

- Outside of the technical aspect, we know the DoD and Federal space have longstanding challenges with attracting and retaining technical talent. How does that impact your abilities to be effective in this space with your Government peers, and additionally, how does Anduril navigate that when looking to attract modern digital talent to a space like Defense?

- Many are now arguing that cybersecurity is a domain of warfare and we're seeing the use of phrases such as "Software-Defined Warfare" by organizations such as The Atlantic Council. How important do you think modern digital capabilities are to national security and why?

- DevSecOps thoughts

- For those that don't know you or haven't come across you quite yet, can you tell us a bit about your background in tech/cyber and your role with GitHub?

- What exactly is the GitHub Advisory Database and what is the mission of the team there?

- There's been a big focus on vulnerability databases, especially lately with some of the challenges of the NVD. What role do you see among the other vulnerability databases in the ecosystem, including GHAD and how it fits into the ecosystem?

- GitHub has a very unique position, being the most widely used development platform in the world, boasting millions of users. How do you all use that position and the insights from it to help drive vulnerability awareness across the ecosystem?

- There's been a large focus on software supply chain security, including securing OSS. What are your thoughts on these trends and some ways we can combat these risks?

- You're also involved with the CVE program, can you tell us about that?

- We know you collaborate with another group, out of OpenSSF, known as the Vulnerability Disclosure Working Group. What does that group do and what role do you play?

- For those don't know your background or Nucleus Security, can you start by telling us a bit about both?

- You have experience and a background in the Federal environment, and Nucleus recently achieved their FedRAMP authorization, can you tell us a bit about that process?

- When you look at the Federal/Defense/IC VulnMgt landscape, what are some of the biggest problems from your experience and where do you think innovative products and solutions can help?

- Going broader, we have seen a recent uptick in the interest around VulnMgt, and looking to modernize the way we do things. What do you think is driving this recent focus on VulnMgt and what major innovations or disruptions in the space do you see underway?

- What do you feel helps differentiate Nucleus Security from some of the other competitors we see in this space focusing on this problem?

- We're seeing a big push for Secure-by-Design software, which of course deals with driving down vulnerabilities, and repeated classes of vulnerabilities. What's your take on this push and do you see it being effective?

- For those unfamiliar, please tell us a bit about your background, as well as about RAD Security. What do you all focus on and specialize in?

- Your team recently was part of the RSAC Innovation Sandbox. Can you tell us a bit about that experience, and being able to highlight the innovative capabilities of RAD to such a key audience?

- You recently published a comprehensive resource on Kubernetes Security Posture Management (KSPM), what are some of the key items in there folks need to be focusing on?

- The RAD security team emphasizes their fingerprint capability for Kubernetes workloads. Can you unpack that this is and how it differs from say signature based security tools and so on?

- When thinking about software supply chain security, how does Kubernetes fit in, given the current digital landscape and explosive growth of Kubernetes and Containerized workloads?

- You all are big proponents of runtime security, a category that is getting increased attention latest in the security industry. Why do you think runtime is so critical, compared to say some other tools or products that may focus on different aspects of the SDLC or lean into "shifting left" for example?

- You recently presented at Wiz's MisCONfigured at RSA, where you covered some of the most relevant cloud threats and risks, can you touch on what some of those are?

- We know Wiz just announced a massive capital raise and there's been talks about M&A plans for Wiz, I know you help with looking at potential products/firms - what are some key things you look at?

- When you acquire a new product and team, how does it look to ensure there is a smooth integration with the Wiz team and platform?

- There's a bit of debate in the industry around "platforms" and best of breed. How do you/Wiz think about this approach and how do you ensure as you add new products to the platform that you remain a leader in the space?

- We've heard a lot of talk about AI and its implications both for improving security, but also needing to be secured, how do you and Wiz think of AI when it comes to cybersecurity and where do you see the most promise?

- For folks not familiar with it, can you tell us a bit about the report, its intent, and how it came about?

- Some may be asking, what's the big deal, its just software. Can you help explain the pertinent risk we face with increasingly seeing physical systems, infrastructure and society run on software?

- The report makes some key recommendations to fortify the resilience of the Nation's critical infrastructure, can you talk about those a bit?

- It's often discussed how much of the critical infrastructure is privately owned and operated, is that true, and if so, what challenges does that pose?

- Do you see this as something that will be increasingly regulated, and if so, how do we balance regulations with some of the constraints and limitations of the critical infrastructure operators and organizations such as financial, expertise and so on?

- One thing I noticed is the emphasize on industry, board, CEO and executive accountability. We're seeing a similar trend with recent SEC rules for publicly traded companies as well as CISA's Secure-by-Design publication and public comments, about leadership and executives taking more accountability for secure outcomes. Do you feel this is a major gap, and if so, how do we ensure the message doesn't get diminished from leadership across middle management, and staff?