ACCU 22 blog 2: a trip report

view from bristol city centre marriott

ACCU was my first conference for a long time and I threw myself into the conference experience, enjoying talks on all sorts of topics. The event was a bit more dynamic in planning than many conferences because people kept pulling out with COVID (and so other people kept stepping up and offering talks to fill the gaps). This meant there were more short talks than I think had originally been planned. There were also more general talks, which suited me fine. Here are the things I’m taking away from the sessions I attended:

Day 1 highlights

  • Guy Davidson’s keynote on growing better programmers: Lots of good insight into how to be more friendly and humane in code reviews and how to mentor junior staff.
  • Seb Rose on behaviour driven development (BDD) and how to write good scenarios, talked about how we break down programming tasks as part of the development process, and how we communicate ideas. He introduced a handy acronym for this. BRIEF: scenarios should be Business readable, use Real data, be Intention revealing, be Essential, be Focused (and be brief). I think this applies to all systems communication to be honest – use shared language, sensible examples, the right level of detail, and don’t waste each other’s time.
  • Charles Weir & Lucy Hunt ran an online session on different ways to discover technical security requirements. I was a bit late to this one as I went to the wrong online system, but the general idea was to investigate a couple of different card games for information security. I might have to pick up some of the games and look into this for teaching.

Day 2 highlights

  • Jutta Eckstein looked at how the Agile principles of development can be sustainable. This was a workshop where we considered each of the agile principles with regard to the triple bottom line of sustainable development: environmental, social and economic sustainability. Some of the agile principles (e.g. “simplicity: maximising the amount of work not done”) fit really well with sustainable goals. Others not so much.
  • Dom Davies talked about remote vs distributed working based upon many years in distributed teams – starting with global teams in the late 90s. He suggested that the key is to deal with everyone as if they’re distributed, even if you’re sitting next to each other. This makes a lot of sense to me. The hybrid experience is a strange one.
  • Matthew Dodkins talked about designing systems that would run for a long time without maintenance – specifically, bat and dolphin detectors which could run for a year in a rainforest or underwater. This talk covered a lot of detail about planning, testing, and concepts like sentinel functions (things which spot when something stops happening). Always think about what happens next.

Day 3 highlights

  • Patricia Aas’s keynote was one of my favourite sessions of the conference. She looked at some “classic” vulnerabilities (heap manipulation, format string vulnerabilities etc.) and showed how they related to modern security issues. This is a talk I will watch again, and that I will heavily recommend to my first year infosec students.
Format string vulnerability in the wild…
  • Next up was a talk after my own heart: Andy Balaam spoke about “vim for fun”. I have been a user of vim for about 25 years now (whoops) so have a fairly good understanding of how it works, however, it’s always good to visit a session where you know. This time I picked up new movement commands: } and { to go forwards or backward to the next empty line.
  • Kate Gregory’s talk was another strong contender for favourite presentation. It was about abstraction, which is a pretty big topic. Increasing abstraction localises complexity, which reduces the cognitive load; quite often, you can work out abstractions from the code without actually understanding the domain much at all. Useful rules of thumb:
    magic numbers -> named constant gives type and semantics
    groups of variables -> struct or class
    variables can be grouped by similar names (empdate, empname, empfirstname… are we looking at an employee class here?) or by “load bearing white space”. I love the concept of load bearing white space. So often we stick extra lines in code to break stuff up visually – but not conceptually. Why not make that break explicit and part of the abstraction?
    It was really interesting to see a talk which looked at this from the perspective of code rather than problem analysis – Kate described being brought in as a consultant to fix legacy systems with tens of thousands of lines, and thinking about how we abstract from code to tidier code (rather than from a problem to code) was a fresh angle. One for my “will watch again” list.

Day 4 highlights

  • Gail Ollis and Ian Reid spoke on the tension between information security professionals (and security policies) and developers – often security is seen as a bolt-on by developers, and fundamental by security professionals. This is going to be a difficult circle to square, but they’ve been doing some interesting work around interviews with both communities. A good analogy came up – infosec professionals are like goalies: their aim is a clean sheet; developers are like strikers: their aim is to score goals. Success in one case is defined by absence of failure, which is going to lead to different risk-taking behaviour.
  • Titus Winters delivered the final keynote of the event on how we measure the cost of tradeoffs in the software engineering workflow. How do you measure the cost of a mistake or the value of preventing a defect? The earlier you detect, the lower the cost in terms of time (developers etc.). Titus is dealing with very large systems and teams, with static analysis, IDE, code review, CI, fuzzing, canary releases etc. etc. so the ability to manage and measure this stuff is something he’s got some very interesting thoughts on. Particularly liked:

    ‘It’s programming if “clever” is a compliment, it’s software engineering if “clever” is a criticism’

Other intriguing things and references from the conference:

This website

This paper from Google about gender/age/race effects in code review:

This video from pyconline AU
