Need someone to lead product management at your software company? I create software for people that create software and I'm looking for my next opportunity. Check out my resume and get in touch.

This is the blog of Adam Kalsey. Unusual depth and complexity. Rich, full body with a hint of nutty earthiness.

Security & Privacy

Deny everything

Freshness Warning
This blog post is over 21 years old. It's possible that the information you read below isn't current and the links no longer work.

3 Oct 2002

In making the Sanitze plugin specify allowed tags instead of forbidden tags, Brad showed some smart security thinking. When planning security, many developers adopt an "allow, deny" stance. They allow everything except what they see as a threat.

The problem with this approach is that the developer isn’t likely to be able to forsee all threats. As new threats arise, the deny list must constantly grow.

The better approach is the one taken by Brad. Deny everything, and only open up where neccessary. This way, you don’t need to worry about someone inventing a new security hole. You already have everything blocked. The only security problems that concern you are holes in things you have already opened up.

Recently Written

Micromanaging and competence (Jul 2): Providing feedback or instruction can be seen as micromanagement unless you provide context.
My productivity operating system (Jun 24): A framework for super-charging productivity on the things that matter.
Great product managers own the outcomes (May 14): Being a product manager means never having to say, "that's not my job."
Too Big To Fail (Apr 9): When a company piles resources on a new product idea, it doesn't have room to fail. That keeps it from succeeding.
Go small (Apr 4): The strengths of a large organization are the opposite of what makes innovation work. Starting something new requires that you start with a small team.
Start with a Belief (Apr 1): You can't use data to build products unless you start with a hypothesis.
Mastery doesn’t come from perfect planning (Dec 21): In a ceramics class, one group focused on a single perfect dish, while another made many with no quality focus. The result? A lesson in the value of practice over perfection.
The Dark Side of Input Metrics (Nov 27): Using input metrics in the wrong way can cause unexpected behaviors, stifled creativity, and micromanagement.

Older...

What I'm Reading

The 12 Week Year: Get More Done in 12 Weeks than Others Do in 12 Months by Brian P. Moran
Economics in One Lesson: The Shortest and Surest Way to Understand Basic Economics by Henry Hazlitt
Think Faster, Talk Smarter: How to Speak Successfully When You're Put on the Spot by Matt Abrahams
The Secret (Jack Reacher #28) by Lee Child
What Got You Here Won't Get You There: How Successful People Become Even More Successful by Marshall Goldsmith
Writing for Busy Readers: Communicate More Effectively in the Real World by Todd Rogers
Good to Great: Why Some Companies Make the Leap...And Others Don't by Jim Collins
The Art of Action: How Leaders Close the Gaps between Plans, Actions and Results by Stephen Bungay
Blitzscaling: The Lightning-Fast Path to Building Massively Valuable Companies by Reid Hoffman
Lead!: How to Build a High-Performing Team by Dale Carnegie & Associates
Build: An Unorthodox Guide to Making Things Worth Making by Tony Fadell
Beacon 23 by Hugh Howey
Leading Through Inflation: And Recession and Stagflation by Ram Charan
Termination Shock by Neal Stephenson
Trillion Dollar Coach: The Leadership Playbook of Silicon Valley's Bill Campbell by Eric Schmidt
Amp It Up: Leading for Hypergrowth by Raising Expectations, Increasing Urgency, and Elevating Intensity by Frank Slootman
Indistractable: How to Control Your Attention and Choose Your Life by Nir Eyal
Monty Hall, Storytelling, and Planning
Scaling Up is Hard to Do | Chasm Group
Crazy, Unloved but Potentially Transformational – What’s in your Loonshot nursery? - Rita McGrath

Deny everything

Related Reading

Recently Written

What I'm Reading