Preventing Catastrophe(s)

This is the season of a long tail of e-janitorial work left undone, which has fostered a healthy, mature criminal ecosystem designed to democratize crime to the point that the average casual user can run their own turn-key e-crime empire.

Hype

Security awareness hype (among others) seems, finally, to be dying.

The goal of getting six-sigma-style defect performance out of mere humans who like to click links in email was never practical. What it did accomplish was to sell a lot of expensive training, put more checkboxes into third-party and supply-chain compliance lists, and give pentests added relevance. The very term ‘pentest’ has become the complete summation of all technology quality programs and is almost meaningless without context.

Prevent dangerous liability from ever existing by avoiding known issues

People have been talking about software liability for a very long time.

The FTC invited me to give a lunch keynote about OWASP at their Start with Security event at the UW law college and I was delighted to accept.

I gave a talk highlighting the newly updated OWASP Proactive Controls, summarized to a lawyer and semi-tech audience, and summoning as much Dan Geer as I could muster.

To sum up: Fast and adaptable is good. Slow and stagnant is bad.

The easiest way to estimate the health of a technology organization is by how quickly it can deploy code, how consistently it practices proper code hygiene, and how fast it solves known problems.

Have a plan for reacting to crime

Today, even the largest networks and enterprises can be effectively targeted by gangsters, as seen this week when the attack on Dyn’s hosted DNS service took out most of AWS East, Route 53, and others.

DDoS, encryption ransom, and extortion by organized crime are presently a huge problem and need to be included in an organization’s planned incident response playbooks.

Data driven leadership

No one gets promoted for sweeping up or makes a billion from running a tight ship. People get rich by developing (and subverting) platforms, birthing code poet kittens, and delivering 100x ROI to capital exits, but developers can’t do it by themselves.

Assuming they don’t get washed up on the rocks of all their unmitigated tech debt and accepted business risks, the can might be kicked until a payday can be realized.

This is a false choice, however; daredevil risks and metaphorical fireballs aren’t required to tame a unicorn. Six-person teams can do the work of two hundred with effective management. I’ve seen it firsthand.

There are no shortcuts for running a resilient technology organization, but there are people who can help. You don’t have to risk it all to win.

In closing

DDoS is a problem because of the lack of will to implement BCP 38 (ingress filtering that drops packets whose source address does not belong to the network they arrived from) and because of negligently built internet-enabled products.
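What the BCP 38 ingress rule amounts to, as an added illustration that is not part of the original post: a customer-facing interface only forwards packets whose source address falls inside the prefixes assigned to it, so spoofed sources used in reflection floods are dropped at the edge. The interface names, prefixes, `Packet` record and `bcp38_permits` helper are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    ingress_iface: str
    src: str
    dst: str


# Constructed sample: prefixes assigned to each customer-facing interface.
# A real deployment derives this table from the provider's address assignments.
ASSIGNED_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/25")],
}


def bcp38_permits(pkt: Packet) -> bool:
    """Return True if the packet's source lies inside a prefix assigned to the
    interface it arrived on (the BCP 38 ingress rule). Traffic arriving on an
    interface with no assignment, or with a malformed source, is rejected."""
    prefixes = ASSIGNED_PREFIXES.get(pkt.ingress_iface)
    if not prefixes:
        return False
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False  # malformed address: drop rather than guess
    return any(src in net for net in prefixes)


def filter_ingress(packets):
    """Split a batch into (forwarded, dropped) according to bcp38_permits."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if bcp38_permits(pkt) else dropped).append(pkt)
    return forwarded, dropped


SAMPLE = [  # constructed packets; 203.0.113.5 is the would-be victim
    Packet("cust-a", "192.0.2.10", "203.0.113.5"),      # legitimate
    Packet("cust-a", "198.51.100.7", "203.0.113.5"),    # spoofed: cust-b's range
    Packet("cust-b", "198.51.100.200", "203.0.113.5"),  # legitimate
    Packet("cust-b", "10.0.0.1", "203.0.113.5"),        # spoofed private source
    Packet("unknown", "192.0.2.1", "203.0.113.5"),      # unassigned interface
]

if __name__ == "__main__":
    fwd, drop = filter_ingress(SAMPLE)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
```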

The vacuum caused by technical debt and the lack of a healthy software development lifecycle enables crime, presents catastrophic business risk, and assures low quality delivery.
