"I am not a fan of obtuse, difficult-to-use, theoretically correct but operationally difficult solutions only considerable because they are mathematically correct," Kaminsky said during his speech. There needs to be people focusing on operational questions to figure out how things really work and come up with practical answers.
"We didn't stop our cities from burning by making fire illegal or heal the ill by making sickness a crime. We actually studied the problems and learned to deliver safety," Kaminsky said in his speech. "If we want to make security better, give people environments that are easy to work with and still secure."
Developers in organizations are fixing bugs in their applications every day, but because they are not releasing the fixes, everyone else encountering the same bug has to fix it themselves. It's common developer practice to search Google or poke around GitHub for code samples to common programming problems.
Right now, there's no way to tell if something is done well or if it's poorly written. The best way to make sure everyone gets the best fixes is to publish the code so that it's available to all.
"Managers, you should be letting your engineers share solutions to many of your internal security problems. You're solving them anyway," Kaminsky said during his speech. "Someday, someone's going to have your problem again."
If that fix is the first result for a Google search, then more people will use the better code rather than a broken hack they found elsewhere.
"There are a million reasons why technology doesn't work outside of security. What matters is, it doesn't work. So the game really is, let's figure out, what really does," Kaminsky told me.
Sign up for CIO Asia eNewsletters.