
About Gene Kim

I'm the multiple award-winning CTO, Tripwire founder, Visible Ops co-author, IT Ops/Security Researcher, Theory of Constraints Jonah, a certified IS auditor and a rabid UX fan.

I am passionate about IT operations, security and compliance, and how IT organizations successfully transform from "good to great."

Thursday, January 26, 2012

Talk Notes: "Why Does Bad Software Happen To Good People?", Matt Tesauro: LASCON Keynote

LASCON 2011: October 27, 2011

Matt Tesauro was the project lead for the LiveCD OWASP Project and is on the OWASP board. He gave the LASCON keynote address, video shown below:

LASCON 2010 - Matt Tesauro - Keynote from Josh Sokol on Vimeo.

Here are my notes/tweets from the presentation:

  • The historical perspective of OWASP and application security:
    1. Software is everywhere (Ex: new Barbie dolls)
    2. Software has lots of problems:
      • Example: Air France 447 in 2009 (Brazil to Paris, disappeared). We spent 2 years searching for black box before finally finding it
      • Jaguar recalls 18K cars, over cruise control software not turning off ("I suppose I'd rather die in a Jaguar than Toyota Prius")
    3. OWASP creates visibility: "allows us to break the cycle of find, hide, blame" between appsec community, vendors and users
      • Jeff Williams' vision of ideal: "create equivalent of the nutrition label on foods," but for software
  • "Goal: fail often in order to succeed sooner" vs. "worshipping at the altar of success"
    • "I have not failed. I just found 10K ways that won't work" --Thomas Edison, on lightbulb invention
    • Alan Mulally, Ford in 2006: asked stat reports (red/yellow/green); all execs reported green, despite losing billions
    • Citing Productive vs. Unproductive Failures: Amy C. Edmondson: Harvard Business Review
  • Edmondson: noted that people more candid/willing to criticize rough prototypes vs. high quality prototype
    • (Opposite of last minute user-acceptance test, right before production deploy. Haha.)
  • Lessons from Failure: Deepwater Horizon Oilrig, Fukushima Nuclear Plant; what can we learn?
    • Lesson: growth isn't linear or smooth; not like balloon; more like sea urchin: don't know what vectors will hit
    • When that sea urchin has broken spine, tech to fix the problem is not likely to be mature: relies on improvisation
  • Improvisation at Fukushima/Deepwater was costly, resulted in widespread damage; b/c tech pushed so far to edge
    1. "Even if things seem safe/secure day in/out, disasters will happen." (blowout preventer, partial meltdown)
    2. Develop some broadly applicable technology for mitigation before needed (e.g., API disappears, load balancers crash)
  • (Anti-pattern: freak out at XSS risk, then deploy WAF: "wrong thinking; you have it backwards")
  • Universal force: "self-regulate or accept government regulation" (citing PCI DSS precedent)
    • Safety case regulation requires relatively long term relationships (to gain mastery, expertise, relationships)
    • (Interesting that average PCI DSS assessment crammed into 4 days: how much mastery can be gained in 4 days?)
  • "How not to react: Patrick Webster & Australian retirement fund:" found security flaw in site: incr ID in URL by 1
    • Upon reporting security flaw, police showed up at his house, confiscated all computers, lawyers demanding $$ to fix
    • End result: "press went wild, and tons of 'pro-bono' testers started 'testing' and posting"
  • Way to do this right: Bug Bounties + common sense: e.g., Google, Mozilla
  • Questions: at design time, is there talk of future testing?
  • Questions: does system allow for testing w/o Herculean effort? (Nice)
  • "Don't buy fail": use procurement process to block fail: OWASP Legal Project, OWASP ASVS
  • "Why OWASP Will Win: We have an awesome community"
    • Study by econs at MIT, Univ of Chicago, Carnegie Mellon: econ rewards lead to worse performance
    • Why? Knowledge workers want autonomy, mastery, purpose. (This is Dan Pink's work. cc @timgrahl)
    • Dan Pink's book called "Drive: The Surprising Truth Of What Motivates Us"
    • #lascon: @matt_tesauro awesome call to action: "want autonomy, mastery and purpose? Work with OWASP". Nice.
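The "increment the ID in the URL by 1" flaw from the Patrick Webster anecdote is an insecure direct object reference. As an added illustration (not from the talk or from this post), here is the vulnerable lookup beside one that scopes the record to the logged-in user, plus a small regression check a defender can keep in the test suite; the statement records and user names are constructed sample data.

```python
# Added illustration, not code from the talk or this post: an insecure direct
# object reference (record fetched by the ID in the URL alone) beside a lookup
# that also enforces ownership, and a regression check for the fix.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

@dataclass
class Statement:
    statement_id: int
    owner: str
    balance: float

# Constructed sample data standing in for a fund's member statements.
STATEMENTS = {
    1001: Statement(1001, "alice", 52000.0),
    1002: Statement(1002, "bob", 18750.0),
    1003: Statement(1003, "carol", 91000.0),
}

def get_statement_vulnerable(session_user: str, statement_id: int) -> Optional[Statement]:
    """Looks up the record by the URL's ID only; any authenticated user who
    changes the number by one sees someone else's statement."""
    return STATEMENTS.get(statement_id)

def get_statement_fixed(session_user: str, statement_id: int) -> Tuple[int, Optional[Statement]]:
    """The ID is still used, but the record must belong to the caller.
    Returns an (HTTP status, record) pair."""
    record = STATEMENTS.get(statement_id)
    if record is None or record.owner != session_user:
        # Same response for "missing" and "not yours", so the ID space cannot
        # be mapped out by telling a 403 apart from a 404.
        return 404, None
    return 200, record

def count_foreign_records(handler: Callable, session_user: str, start: int, count: int) -> int:
    """Regression check: walk a run of sequential IDs as one user and count
    how many records belonging to other users the handler hands back.
    Should be zero for any handler that enforces ownership."""
    leaked = 0
    for sid in range(start, start + count):
        result = handler(session_user, sid)
        record = result[1] if isinstance(result, tuple) else result
        if record is not None and record.owner != session_user:
            leaked += 1
    return leaked
```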
