So you’ve found a security issue in an open source project – or maybe just a weird problem that you think might be a security problem. What should you do next?| jacobian.org
In part 1 of this series, I briefly covered quantitative risk measuring – assigning a numeric value to risk, like “$3,500”, rather than a qualitative label like “medium” – only to quickly recommend against trying it. In this final sidebar, I want to come back to this topic. I’ll spend a bit more time explaining what I see as the pros and cons of quantitative risk measurement – why you might or might not want to use numeric values over simpler risk matrices.
When you look at a likelihood/impact risk matrix, you might notice that “medium” appears twice – once as high-likelihood/low-impact, and once as low-likelihood/high-impact. These two “mediums” aren’t at all the same!
In the real world, accidents happen when a series of small missteps align to create severe consequences. This is something we call the “Swiss Cheese Model”: imagining a systems failure as a set of “holes” in our layers of defense that all line up to create a serious accident.
Risk is usually defined as the product of two factors: Likelihood and Impact. However, some disciplines include a third factor: Exposure. What’s that about, and when is it useful?
So you’ve identified a risk — now what do you do about it? Here’s a simple framework to help frame discussions about risk mitigation. It’s intentionally very simple, a basic starting point. I’ll present a more complex framework later in this series, but I want to lay more of a foundation before I get there, so we’ll start here.
If you — as an individual or a group — are re-assessing your digital security posture in light of the US election results, I’m available to help. I’m offering free digital security check-ups to anyone who feels like they need it now.
What would the Django Software Foundation look like if we had 4x our current budget?
There have been massive developments in AI in the last decade, and they’re changing what’s possible with software. There’s also been a huge amount of misunderstanding, hype, and outright bullshit. I believe that the advances in AI are real, will continue, and have promising applications in the public sector. But I also believe that there are clear “right” and “wrong” ways to apply AI to public sector problems.
I’ve been through close to a dozen reorgs. This article contains the advice I wish I’d been given earlier in my career when I didn’t yet have that experience. Reorgs are disruptive, and nobody really tells you what to do in the wake of one. It’s easy to feel adrift, scared for your future, and uncertain about how to behave. Some of that fear is warranted: your job security probably goes down in the months following a reorg. But confusion and chaos aren’t necessarily signs that the r...
Something missing from this series on estimation, until now, has been a discussion of how to “break down” a project into a well-defined task list. I’d not previously written about this because, to me, it’s largely intuitive. But it isn’t for everyone, so this post fills the gap, and explains in detail how I break down projects into a task list.