Making Open Work
May 8–9, 2017: Training & Tutorials
May 10–11, 2017: Conference
Austin, TX

Rebuilding a plane in flight: Refactors under pressure

Susan Sons (Center for Applied Cybersecurity Research, Indiana University)
1:30pm–5:00pm Tuesday, May 9, 2017
Location: Meeting Room 12
Level: Advanced
Average rating: 4.70 (10 ratings)

Who is this presentation for?

  • Architects (systems, security, or software), project managers, senior systems administrators, senior software engineers, and CISOs

Prerequisite knowledge

  • Significant experience digging into the technical and architectural guts of nontrivial-complexity systems and dealing with resourcing challenges of the same

What you'll learn

  • Gain a toolkit of skills and strategies for managing complicated, high-stakes systems and software refactors


At some point, every engineer or project manager will have to take on a disaster. In these situations, it is easy to go into firefighting mode, trying to keep each new emergency at bay, instead of taking a systematic approach to fixing the underlying problems. This is why disgusting, brittle tangles of hundreds of thousands of lines of insecure spaghetti code stay in place so long. It is why you are inheriting a network of vulnerable SCADA components that the last four people were too afraid to fix.

Attempting to untangle a disaster that cannot be taken out of service is terrifying. Eventually, it must be done, but often no one wants to take responsibility for the project until it is almost too late. However, there is method to the madness. Susan Sons shares a high-level approach to safely refactoring software and other complex systems while supporting production deployments that may themselves be complex and varied, drawing from her experience refactoring life-critical software and cyber-physical systems (ICS/SCADA). While these methods were forged working on some critical systems and software, they apply just as well to a web application hairball or a DevOps nightmare.

Topics include:

  • Project management concerns: Resourcing, outside communication, and staging changes
  • Technical and architectural strategy: Supporting toolchains, triage, systems architecture, and refactor strategies
  • Balancing response to immediate security and stability concerns against long-term vulnerability reduction and maintainability

Susan Sons

Center for Applied Cybersecurity Research, Indiana University

Susan Sons is a hacker, author, and miscreant based in Bloomington, Indiana. In her working life, she aids NSF- and DHS-funded projects in establishing and maintaining sound information security practices. In her off hours, Susan codes, writes, and leads ICEI, the Internet Civil Engineering Institute, a nonprofit that supports the open source software infrastructure upon which the internet and computing in general depend. When not rescuing software projects, Susan lifts weights, practices martial arts, and gives her time as a volunteer search and rescue worker.