About Gene Kim

I've been researching high-performing technology organizations since 1999. I'm the multiple award-winning CTO, Tripwire founder, co-author of The DevOps Handbook, The Phoenix Project, and Visible Ops. I'm a DevOps Researcher, Theory of Constraints Jonah, a certified IS auditor and a rabid UX fan.

I am passionate about IT operations, security and compliance, and how IT organizations successfully transform from "good to great."

Thursday, Jan 26, 2012

Talk Notes: "Why Does Bad Software Happen To Good People?", Matt Tesauro: LASCON Keynote

LASCON 2011: October 27, 2011

Matt Tesauro was the project lead for the LiveCD OWASP Project and is on the OWASP board. He gave the LASCON keynote address, video shown below:

LASCON 2010 - Matt Tesauro - Keynote from Josh Sokol on Vimeo.


Here are my notes/tweets from the presentation:

  • The historical perspective of OWASP and application security:
    1. Software is everywhere (Ex: new Barbie dolls)
    2. Software has lots of problems:
      • Example: Air France 447 in 2009 (Brazil to Paris, disappeared). We spent 2 years searching for black box before finally finding it
      • Jaguar recalls 18K cars, over cruise control software not turning off ("I suppose I'd rather die in a Jaguar than Toyota Prius")
    3. OWASP creates visibility: "allows us to break the cycle of find, hide, blame" between appsec community, vendors and users
      • Jeff Williams's vision of the ideal: "create equivalent of the nutrition label on foods," but for software
  • "Goal: fail often in order to succeed sooner" vs. "worshipping at the altar of success"
    • "I have not failed. I just found 10K ways that won't work" --Thomas Edison, on lightbulb invention
    • Alan Mulally, Ford in 2006: asked for status reports (red/yellow/green); all execs reported green, despite losing billions
    • Citing Productive vs. Unproductive Failures: Amy C. Edmondson: Harvard Business Review
  • Edmondson: noted that people more candid/willing to criticize rough prototypes vs. high quality prototype
    • (Opposite of last minute user-acceptance test, right before production deploy. Haha.)
  • Lessons from Failure: Deepwater Horizon Oilrig, Fukushima Nuclear Plant; what can we learn?
    • Lesson: growth isn't linear or smooth; not like balloon; more like sea urchin: don't know what vectors will hit
    • When that sea urchin has a broken spine, the tech to fix the problem is not likely to be mature: relies on improvisation
  • Improvisation at Fukushima/Deepwater was costly, resulted in widespread damage; b/c tech pushed so far to edge
    1. "Even if things seem safe/secure day in/out, disasters will happen." (blowout preventer, partial meltdown)
    2. Develop some broadly applicable technology for mitigation before it is needed (e.g., API disappears, load balancers crash)
  • (Anti-pattern: freak out at XSS risk, then deploy WAF: "wrong thinking; you have it backwards")
  • Universal force: "self-regulate or accept government regulation" (citing PCI DSS precedent)
    • Safety case regulation requires relatively long term relationships (to gain mastery, expertise, relationships)
    • (Interesting that average PCI DSS assessment crammed into 4 days: how much mastery can be gained in 4 days?)
  • "How not to react: Patrick Webster & Australian retirement fund:" found security flaw in site: incr ID in URL by 1
    • Upon reporting the security flaw, police showed up at his house, confiscated all computers, lawyers demanding $$ to fix
    • End result: "press went wild, and tons of 'pro-bono' testers started 'testing' and posting"
  • Way to do this right: Bug Bounties + common sense: e.g., Google, Mozilla
  • Questions: at design time, is there talk of future testing?
  • Questions: does system allow for testing w/o Herculean effort. (Nice)
  • "Don't buy fail": use procurement process to block fail: OWASP Legal Project, OWASP ASVS
  • "Why OWASP Will Win: We have an awesome community"
    • Study by economists at MIT, Univ of Chicago, Carnegie Mellon: economic rewards lead to worse performance
    • Why? Knowledge workers want autonomy, mastery, purpose. (This is Dan Pink's work. cc @timgrahl)
    • Dan Pink's book called "Drive: The Surprising Truth Of What Motivates Us"
    • #lascon: @matt_tesauro awesome call to action: "want autonomy, mastery and purpose? Work with OWASP". Nice.

Reader Comments (1)

Great article points we can all relate to keep up the great work

May 22, 2013 | Unregistered Commenter Terry Mardi