Need someone to lead product management at your software company? I build high-craft software and the teams that build it. I'm looking for my next opportunity. Check out my resume and get in touch.

This is the blog of Adam Kalsey. Unusual depth and complexity. Rich, full body with a hint of nutty earthiness.

Security & Privacy

Deny everything

Freshness Warning
This blog post is over 22 years old. It's possible that the information you read below isn't current and the links no longer work.

3 Oct 2002

In making the Sanitze plugin specify allowed tags instead of forbidden tags, Brad showed some smart security thinking. When planning security, many developers adopt an "allow, deny" stance. They allow everything except what they see as a threat.

The problem with this approach is that the developer isn’t likely to be able to forsee all threats. As new threats arise, the deny list must constantly grow.

The better approach is the one taken by Brad. Deny everything, and only open up where neccessary. This way, you don’t need to worry about someone inventing a new security hole. You already have everything blocked. The only security problems that concern you are holes in things you have already opened up.

Recently Written

Think Systems, not Symptoms: Dec 15: Piecemeal process creation frustrates teams and slows work. Stop patching problems and start solving systems. Adopting a systems thinking approach helps you design processes that are efficient, aligned with goals, and truly add value.
Your Policies Aren’t Your Culture: Dec 13: Policies guide behavior, but culture is the lived norms and values of your team. Policies reflect culture -- they don’t define it. Netflix’s parental leave shift didn’t change its culture of freedom and responsibility. It clarified how to live it.
Lighten Your Process Burden: Dec 7: Everyone hates oppressive processes, but somehow we keep managing to create them.
Product Add-Ons Are An Expansion Myth: Dec 1: Add-ons can enhance your product’s appeal but won’t drive significant market growth. To expand your customer base, focus on developing standalone products.
Protecting your Product Soul when the Same Product meets New People.: Nov 23: Expand into new markets while preserving your product’s core value. Discover how to adapt and grow without losing your product’s soul.
Building the Next Big Thing: A Framework for Your Second Product: Nov 19: You need a first product sooner than you think. Here's a framework for helping you identify a winner.
A Framework for Scaling product teams: Oct 9: The people, processes, and systems that make up a product organization change radically as you go through the stages of a company. This framework will guide that scaling.
My Networked Webcam Setup: Sep 25: A writeup of my network-powered conference call camera setup.

Older...

What I'm Reading

His Startup Is Now Worth $62 Billion. It Gave Away Its First Product Free. at wsj.com
How to Turn a Competitor's Strength into a Weakness at aprildunford.substack.com
“Founder Mode” and the Art of Mythmaking at charity.wtf
Clever Hans, Plato, and Large Language Models at aalokbhattacharya.substack.com
Bringing Elon to a knife fight at eatingpolicy.com
Netflix’s Extraordinary Parental Leave Was Part of Its Culture. That’s Over. at wsj.com
The secret tricks hidden inside restaurant menus at bbc.com
Storing times for human events at simonwillison.net
Tesla’s Big Bet: Cameras over LiDAR for Self Driving Cars at viksnewsletter.com
The Advantage: Why Organizational Health Trumps Everything Else In Business by Patrick Lencioni
Stories Sell: Storyworthy Strategies to Grow Your Business and Brand by Matthew Dicks
Soft matter mechanics of baseball’s Rubbing Mud | PNAS at pnas.org
bureaucracy at dhruvmethi.substack.com
Think Faster, Talk Smarter: How to Speak Successfully When You're Put on the Spot by Matt Abrahams
Build: An Unorthodox Guide to Making Things Worth Making by Tony Fadell
Beacon 23 by Hugh Howey
Why GitHub Actually Won at blog.gitbutler.com
Only the Paranoid Survive by Andrew S. Grove
Why UX Fails: The Critical Importance of Staying Focused on Your Primary Customer at medium.com
The Antidote to "Manager Mode" is Actual Management at edbatista.com
Founder Mode at paulgraham.com

Deny everything

Related Reading

Recently Written

What I'm Reading