Posts

Showing posts from July, 2024

"Security Is Our Top Priority" is BS

A couple of years ago I was asked to give a conference talk about software security. Well, actually I wasn't really asked, my company bought a sponsorship package with a speaker slot and I replied to the internal email asking for volunteers  🤣  Anyway, while preparing my talk, I realized a couple of important points about security that have not left my mind since: Security is limitless . You can always spend more effort to make things more secure. The same goes for quality, safety, employee happiness, etc. The needs of security are opposed to the needs of a convenient user experience . Improving one typically hurts the other. Now some organizations say "Security is our #1 priority". Really? You want to make something that has no limits your number one priority? I mean security is a good thing, but this seems a bit too simple? In fact, hollow marketing claims like that can make me a bit angry. In this post I'll help you understand what to make of statements like that...

Always Optimize the Feedback Loop

Image
Speed, I am Speed. -- Lightning McQueen Some thoughts about the impact of feedback loops in startups and software. Parts: Intro Framework Observations Take-away Intro Feedback delay is the time between doing something and seeing whether it was successful. If the feedback is slow, we have a "lagging indicator". It becomes hard to link causes and effects, and in consequence it becomes hard to optimize the performance. Fast feedback makes things easy . How quickly the feedback arrives is critical. If it takes milliseconds to seconds, it works at the speed of the brain and enables a state of flow . If it takes decades to centuries, it needs a multi-generational organization like a government or organized religion to run it. Somewhere in the middle is the realm of persons, teams and companies. A framework of feedback time Here's a quick table of feedback times, in three groups, with each roughly an order of magnitude difference. C   is the level where (large) organizations ca...