Agile is killing software innovation, says Moxie Marlinspike • The Register
black hat There’s a rot at the heart of modern software development that’s destroying innovation, and infosec legend Moxie Marlinspike believes he knows exactly what’s to blame: Agile development.
Marlinspike opened the second day of Black Hat with a talk that was ostensibly supposed to be a fireside chat with Black Hat founder Jeff Moss, but the Signal founder stole the show with an opening chat laying out a case for reclaiming the “magic” of software development that’s been lost after 20 years. That loss, he argued, was due to stuffing developers into “black box abstraction layers” that strip them of the freedom needed to be innovative.
“Anybody who is managing an engineering organization will have some kind of management philosophy that is in some way downstream of, derivative of, in the zone of, or somehow related to agile,” Marlinspike said.
Instead of allowing developers to operate from the bottom up in a way that lets them combine engineering expertise with the vision to see new capabilities in existing technology, agile teams end up siloed, working separately from each other, and without much visibility into what other teams are doing, he argued.
These black box teams also tend to lack visibility into some of the fundamentals of what makes their own products work, Thistle Technologies founder and CEO Window Snyder added later, during the Black Hat Locknote wrapup session.
Programming students aren’t learning low-level languages, or how to interact with machine code, Snyder said – just high-level languages that make app development smoother, but leave engineers without needed context to understand how their pieces of the puzzle fit into a larger, vastly interconnected whole.
That, as Marlinspike explained in the morning, has left software engineers unable to do more than be derivative.
“The picture that I’m trying to paint here is that we spent the past 20 years onboarding people into software by putting them into black box abstraction layers, and then putting them into organizations composed of black box abstraction layers,” Marlinspike said.
Understanding, Marlinspike asserted, “is the basis for most of the important developments and the history of discovery in software.”
And where can such understanding be found, if not among the “ballooned” ranks of the large engineering organizations? Security researchers – duh.
Infosec pros to the rescue
While software engineering has spent the past few decades struggling to become quicker, more flexible and, by extension, more abstracted, security researchers have been doing the opposite, said Marlinspike.
“Security is the process of looking through abstractions in order to actually understand how things work, what’s beneath them, and sometimes understand them better than the people who built them to begin with,” he argued.
“What I’m trying to say is that without knowing it, I think you, the people in this room, have actually inherited their Earth,” he continued.
There is magic in software development, Marlinspike maintained, saying that understanding how it works is analogous to mastering wizardry in the world of Harry Potter, where the talented can change the world with nothing but knowledge and a wand.
Infosec people, he continued, are akin to Hogwarts students who didn’t actually hate their homework, unlike some main characters we could mention.
“[Security people] are the ones who’ve been sitting in the library, learning the spells, actually understanding how all of this works … like the Harry Potter world, the only thing that you need to make use of this knowledge is a computer,” Marlinspike added. “And it doesn’t even have to be a good one.” ®