Talk Notes: "Why Does Bad Software Happen To Good People?", Matt Tesauro: LASCON Keynote
LASCON 2011: October 27, 2011
- Talk title: Keynote: Why Does Bad Software Happen To Good People?
- Matt Tesauro (@matt_tesauro)
Matt Tesauro was the project lead for the LiveCD OWASP Project and is on the OWASP board. He gave the LASCON keynote address, video shown below:
LASCON 2010 - Matt Tesauro - Keynote from Josh Sokol on Vimeo.
Here are my notes/tweets from the presentation:
- The historical perspective of OWASP and application security:
- Software is everywhere (Ex: new Barbie dolls)
- Software has lots of problems:
- Example: Air France 447 in 2009 (Brazil to Paris, disappeared). Two years were spent searching for the black box before it was finally found
- Jaguar recalls 18K cars, over cruise control software not turning off ("I suppose I'd rather die in a Jaguar than Toyota Prius")
- OWASP creates visibility: "allows us to break the cycle of find, hide, blame" between appsec community, vendors and users
- Jeff Williams' vision of the ideal: "create the equivalent of the nutrition label on foods," but for software
- "Goal: fail often in order to succeed sooner" vs. "worshipping at the altar of success"
- "I have not failed. I just found 10K ways that won't work" --Thomas Edison, on the lightbulb invention
- Alan Mulally, Ford in 2006: asked for status reports (red/yellow/green); all execs reported green, despite the company losing billions
- Citing "Productive vs. Unproductive Failures", Amy C. Edmondson, Harvard Business Review
- Edmondson noted that people are more candid/willing to criticize rough prototypes than high-quality prototypes
- (Opposite of last minute user-acceptance test, right before production deploy. Haha.)
- Lessons from Failure: Deepwater Horizon Oilrig, Fukushima Nuclear Plant; what can we learn?
- Lesson: growth isn't linear or smooth; not like a balloon, more like a sea urchin: you don't know which vectors will hit
- When that sea urchin has a broken spine, the tech to fix the problem is not likely to be mature: it relies on improvisation
- Improvisation at Fukushima/Deepwater was costly and resulted in widespread damage, b/c the tech had been pushed so far to the edge
- "Even if things seem safe/secure day in/day out, disasters will happen." (blowout preventer, partial meltdown)
- Develop some broadly applicable technology for mitigation before it's needed (e.g., API disappears, load balancers crash)
- (Anti-pattern: freak out at XSS risk, then deploy WAF: "wrong thinking; you have it backwards")
- Universal force: "self-regulate or accept government regulation" (citing PCI DSS precedent)
- Safety case regulation requires relatively long term relationships (to gain mastery, expertise, relationships)
- (Interesting that average PCI DSS assessment crammed into 4 days: how much mastery can be gained in 4 days?)
- "How not to react: Patrick Webster & Australian retirement fund:" found a security flaw in the site: incrementing the ID in the URL by 1
- Upon reporting the security flaw, police showed up at his house, confiscated all his computers, lawyers demanding $$ to fix
- End result: "press went wild, and tons of 'pro-bono' testers started 'testing' and posting"
- Way to do this right: Bug Bounties + common sense: e.g., Google, Mozilla
- Questions: at design time, is there talk of future testing?
- Questions: does system allow for testing w/o Herculean effort. (Nice)
- "Don't buy fail": use procurement process to block fail: OWASP Legal Project, OWASP ASVS
- "Why OWASP Will Win: We have an awesome community"
- Study by economists at MIT, Univ. of Chicago, Carnegie Mellon: economic rewards lead to worse performance
- Why? Knowledge workers want autonomy, mastery, purpose. (This is Dan Pink's work. cc @timgrahl)
- Dan Pink's book called "Drive: The Surprising Truth Of What Motivates Us"
- #lascon: @matt_tesauro awesome call to action: "want autonomy, mastery and purpose? Work with OWASP". Nice.
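The Patrick Webster note above describes a record id in the URL that can simply be incremented to reach other members' records. As an added example that is not from the talk or from OWASP, here is that lookup in its vulnerable and hardened forms, plus a small detector that flags a user walking consecutive ids in access-log lines; the record store, usernames and log lines are all constructed.

```python
from typing import Dict, Optional, Set

# Constructed sample data: sequential statement ids -> (owner, balance),
# the layout that let the flaw in the talk be found by adding 1 to the id.
STATEMENTS: Dict[int, tuple] = {
    1001: ("alice", 5400.00),
    1002: ("bob", 12000.00),
    1003: ("carol", 300.50),
}

def get_statement_vulnerable(user: str, statement_id: int) -> Optional[tuple]:
    """Looks the record up by id alone; the caller is never consulted, so
    changing the id in the URL by one returns another member's statement."""
    return STATEMENTS.get(statement_id)

def get_statement_hardened(user: str, statement_id: int) -> Optional[tuple]:
    """Object-level authorization: the record must exist AND belong to the
    caller. Both failures return None so a foreign id is not confirmed."""
    record = STATEMENTS.get(statement_id)
    if record is None or record[0] != user:
        return None
    return record

def foreign_records_seen(lookup, user: str, ids) -> int:
    """How many other members' records `user` obtains by walking `ids`."""
    found = [lookup(user, sid) for sid in ids]
    return sum(1 for r in found if r is not None and r[0] != user)

# Constructed access-log lines: alice requests three adjacent ids, bob only his own.
SAMPLE_LOG = """\
alice GET /statement/1001
alice GET /statement/1002
alice GET /statement/1003
bob GET /statement/1002"""

def users_walking_ids(log_text: str, min_run: int = 3) -> Set[str]:
    """Flags users who requested `min_run` or more consecutive statement ids,
    a cheap server-side enumeration signal whichever handler is deployed."""
    seen: Dict[str, Set[int]] = {}
    for line in log_text.splitlines():
        user, _method, path = line.split()
        seen.setdefault(user, set()).add(int(path.rsplit("/", 1)[1]))
    flagged = set()
    for user, ids in seen.items():
        ordered, run = sorted(ids), 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(user)
    return flagged
```

The detector is a heuristic only: legitimate users with several own records in a row would also trip it, so treat a hit as a prompt to check the handler's ownership test, not as proof of abuse.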
Reader Comments (1)
Great article, points we can all relate to. Keep up the great work.