Need someone to lead product management at your software company? I create software for people that create software and I'm looking for my next opportunity. Check out my resume and get in touch.

Deny everything

Freshness Warning
This blog post is over 21 years old. It's possible that the information you read below isn't current and the links no longer work.

In making the Sanitze plugin specify allowed tags instead of forbidden tags, Brad showed some smart security thinking. When planning security, many developers adopt an "allow, deny" stance. They allow everything except what they see as a threat.

The problem with this approach is that the developer isn’t likely to be able to forsee all threats. As new threats arise, the deny list must constantly grow.

The better approach is the one taken by Brad. Deny everything, and only open up where neccessary. This way, you don’t need to worry about someone inventing a new security hole. You already have everything blocked. The only security problems that concern you are holes in things you have already opened up.

Recently Written

Mastery doesn’t come from perfect planning (Dec 21)
In a ceramics class, one group focused on a single perfect dish, while another made many with no quality focus. The result? A lesson in the value of practice over perfection.
The Dark Side of Input Metrics (Nov 27)
Using input metrics in the wrong way can cause unexpected behaviors, stifled creativity, and micromanagement.
Reframe How You Think About Users of your Internal Platform (Nov 13)
Changing from "Customers" to "Partners" will give you a better perspective on internal product development.
Measuring Feature success (Oct 17)
You're building features to solve problems. If you don't know what success looks like, how did you decide on that feature at all?
How I use OKRs (Oct 13)
A description of how I use OKRs to guide a team, written so I can send to future teams.
Build the whole product (Oct 6)
Your code is only part of the product
Input metrics lead to outcomes (Sep 1)
An easy to understand example of using input metrics to track progress toward an outcome.
Lagging Outcomes (Aug 22)
Long-term things often end up off a team's goals because they can't see how to define measurable outcomes for them. Here's how to solve that.

Older...

What I'm Reading

Contact

Adam Kalsey

+1 916 600 2497

Resume

Public Key

© 1999-2024 Adam Kalsey.