Dead Christmas Trees and Security Holes

It’s more than halfway through January and we still have our Christmas tree up in the living room. The tree is dead. It doesn’t look dead, but it is. It has been cut off from its root system, but to all of us, it looks very much alive. Its bright color and crisp smell deceive us–we are made to believe it is still alive when it is not. This is because trees live on a very different time frame than humans do. They live longer; they die slower. So when you kill one, it takes longer for it to look dead.

Dying, it turns out, has a time scale.

Engineering teams die too

In a sense, engineering teams die much the way that Christmas trees do. Young engineering teams grow fast and change what they build even faster. As they get bigger, the rate of visible progress slows. Eventually, something happens–a valuable person leaves, someone takes over–and the team becomes stagnant. The team becomes unable to move forward as a cohesive, functioning unit. Essentially, it has died.

Much like a Christmas tree, engineering teams can seem very much alive even when they are frozen. Everyone might still be showing up to work, and doing the necessary, day-to-day tasks, but this is only to maintain the appearance of functionality. It is growth and change that marks an engineering team as truly alive and vibrant.

Oftentimes, it’s easy to see this after the fact. I was one of the original users of a text editor (that will remain unnamed). Early on, it was updated a few times a year with valuable and relevant new features. Then after a few years, nothing more came out. It was probably two years before I realized that there was never going to be another interesting update. So, I switched to a different editor. That original editor is still sold in nearly the exact same form. It is the product of a dead tree.

Security Hole Test

At first glance, it is really hard to tell if an engineering team is healthy and alive–even when it’s your job to do so.

Today, my engineering team and I got notified of a couple of security holes in Looker. We fixed the holes and had a patched release out in about four hours. It was an amazing immune response. It was an event that proved the Looker engineering team to be very, very much alive. The team reacted immediately; the problem was identified and our deep facility with the code base allowed it to be solved within hours.

Some teams can’t do this. Some teams can’t fix their holes. Some teams are dead, even when they don’t look like it. If you want to know if yours is, ask yourself this: How fast can your team fix security holes? I believe the answer will be a pretty accurate indicator of team health.

