Highlights for Winners Take All

Instead, the system—in America and around the world—has been organized to siphon the gains from innovation upward, such that the fortunes of the world’s billionaires now grow at more than double the pace of everyone else’s, and the top 10 percent of humanity have come to hold 90 percent of the planet’s wealth.
How can there be anything wrong with trying to do good? The answer may be: when the good is an accomplice to even greater, if more invisible, harm.
For when elites assume leadership of social change, they are able to reshape what social change is—above all, to present it as something that should never threaten winners.
The only thing better than controlling money and power is to control the efforts to question the distribution of money and power.
They were supposed to make democracy more vital and effective for ordinary people, but preferably without challenging their fellow winners too much. They were to grow the public’s trust in institutions without digging too far into why the people leading those institutions were mistrusted.
Such an undertaking would be conflictual; it would name names of offending financial institutions; it would pick fights with people who might one day be useful to you.
you might conclude that you should do something to repair the systems that are working to keep Jacobs poor. But if those problems were solved, you wouldn’t have much of a win-win business to grow.
VCs and entrepreneurs are considered by many to be thinkers these days, their commercial utterances treated like ideas, and these ideas are often in the future tense: claims about the next world, forged by adding up the theses of their portfolio companies or extrapolating from their own start-up’s mission statement. That people listened to their ideas gave them a chance to launder their self-interested hopes into more selfless-sounding predictions about the world.
This power gave them great responsibility and exposed them to the possibility of resentment—unless they convinced people that the future they were fighting for would unfold automatically, would be the fruit of forces rather than their choices, of providence rather than power.
If you want to be a thought leader and not dismissed as a critic, your job is to help the public see problems as personal and individual dramas rather than collective and systemic ones.
The money can liberate the top thought leaders from the institutions and colleagues that might otherwise provide some kind of intellectual check on them, while sometimes turning their ideas into advertisements rather than self-contained work.
“Conversation with a Tax Collector About Poetry,” by Vladimir Mayakovsky
Scaling back her critique of the system had allowed her to be wildly popular with MarketWorld elites and more easily digested by the world at large; and so she became famous, which drew the system of sexism into her life as never before and heightened her awareness of it; and its ferocity convinced her not to take on that system but to conclude that it might never change; and this acquiescence made her turn from uprooting sexism to helping women survive it.
For the aspiring thought leader, it is less important to have an undergirding of scholarly research than it is to be your idea—to perform and hawk it relentlessly.
When a thought leader strips politics and perpetrators from a problem, she often gains access to a bigger platform to influence change-makers—but she also adds to the vast pile of stories promoted by MarketWorld that tell us that change is easy, is a win-win, and doesn’t require sacrifice.
The kinds of changes favored by the public in an age of inequality, as reflected from time to time in some electoral platforms, are usually unacceptable to elites. Simple rejection of those types of changes can only invite greater hostility toward the elites. It is more useful for the elites to be seen as favoring change—their kind of change, of course.
It wasn’t as though you had no choice but to compromise. You could easily develop your ideas and promote them through what he labeled “marginal magazines” and “militant conferences.”
The question of building more inclusive economies would be atomized into endless subcategories, until the human reality all but vanished.
What if these winners didn’t know everything? What if those outsiders who weren’t in the room knew a thing or two?
Instead of listening, absorbing, trying to decipher slowly and respectfully the dynamics of the space one had entered, the high-flying, high-priced consultant was expected to jump in and know things.
Consultants first find the “business need,” or the basic problem, based on evaluating the company and its industry. Then they “analyze.” This step requires “framing the problem: defining the boundaries of the problem and breaking it down into its component elements to allow the problem-solving team to come up with an initial hypothesis as to the solution.” This is the insta-certitude at work—hypothesis-making comes early. Then the consultants must “design the analysis” and “gather the data” to prove the hypothesis, and must decide, based on the results, whether their theory of the solution is right. If it is, the next step is “presenting” in a crisp, clear, convincing way that can win over clients understandably wary of fancy outsiders’ big ideas. At last, the solution comes to the “implementation” phase, through “iteration that leads to continual improvement.”
The protocols and those who employed them did have a lot to offer the world of social problems: rigor, logic, data, an ability to make decisions swiftly. As they spread into the work of battling disease or reforming education, they could do a great deal of good and allow people’s money and time to go further than they could have without it. But there was always a price, and part of that price was that problems reformatted according to the protocols were recast in the light of a winner’s gaze. After all, the definition of a problem is done by the problem-solver and crowds out other ways of seeing it.
Inspire the rich to do more good, but never, ever tell them to do less harm; inspire them to give back, but never, ever tell them to take less; inspire them to join the solution, but never, ever accuse them of being part of the problem.
Leave us alone in the competitive marketplace, and we will tend to you after the winnings are won. The money will be spent more wisely on you than it would be by you. You will have your chance to enjoy our wealth, in the way we think you should enjoy it.
Generosity entitles the winners to exemption from questions like these.
King had argued that the circumstances of economic injustice, when examined, had something to do with the people in power, and that true generosity might mean restrained taking, not just the belated shedding of some of what had been taken.
There Bill Clinton would stand beside you and read your commitment to the room and praise you. This moment would become, among the doing-well-by-doing-good set, the coveted capstone to a career: People who were influential and/or rich but relatively unknown would bask in the celebrity-like glow.
Then there was a flurry of business-speak: “In order to reach the world that we want by 2030, collaboration and co-design are key.”
When private actors move into the solution of public problems, it becomes less and less of the public’s business.
The “they” were the rootless cosmopolitans’ less-rarefied fellow citizens, who in one place after another were gravitating to nationalism, demagogy, and resentful exclusion—and rejecting some of the elites’ most cherished beliefs: borderlessness, market cures for all diseases, inevitable technological progress, benign technocratic stewardship.
It is a way of doing good that allows them to ignore the fact that their democracies aren’t working well. Or, even more simply, it allows them to avoid the duty they might otherwise feel to interact with their fellow citizens across divides, to learn about the problems facing their own communities, which might implicate them, their choices, and their privileges—as opposed to universal challenges like climate change or the woes of faraway places like Rwandan coffee plantations.
“Probably people who get together in these congregations don’t think of what they’re doing as politics,” Rodrik said. “But of course it’s politics. It’s just a politics that has a different locus and has a different view of who matters and how you can change things, and has a different theory of change and who the agents of change are.”
But the same elite help, backed by the same noble intentions, can instead “disrupt” democracy when it “replaces the public sphere with all manner of private initiatives for special public purposes.” These latter works don’t simply do what government cannot do. They “crowd out the public sector, further reducing both its legitimacy and its efficacy, and replace civic goals with narrower concerns about efficiency and markets.”
The seasoned and astute private world-changer seeks to alter “the public conversation about which social issues matter, sets an agenda for how they matter, and specifies who is the preferred provider of services to address these issues without any engagement with the deliberative processes of civil society.”
“So it’s not just the right thing to do,” Verveer said. “It’s the business-smart thing to do.” This was the highest praise a cause could receive.
The only problem-solving approach that worked in the modern world, according to Clinton, was one that made the people an afterthought, to be helped but not truly heard.
One’s American plutocrat friends didn’t necessarily have a problem with more energetic government in Africa. But they preferred win-win solutions in their own backyard, where energetic government sounded like it could end up being expensive.
Economistic reasoning dominates our age, and we may be tempted to focus on the first half of each of the above sentences—a marginal contribution you can see and touch—and to ignore the second half, involving a vaguer thing called complicity.
Her claim, rather, is that citizens of a democracy are collectively responsible for what their society foreseeably and persistently allows; that they have a special duty toward those it systematically fails; and that this burden falls most heavily on those most amply rewarded by the same, ultimately arbitrary set of arrangements.
To live in a society without laws and shared institutions that applied equally to all would be, Cordelli says, to live “dependent on the arbitrary will of another. It would be like a form of servitude.”
She says you are worth nothing without society because there can be no hedge fund managers, nor violinists, nor technology entrepreneurs, in the absence of a civilizational infrastructure that we take for granted.
Then there is the fact that absent a political system of shared institutions, anyone could dominate anyone. Every person with anything precious to protect would be at constant risk of plunder by everybody else.
“When it comes to effecting change in a way that makes them feel good—when it comes to building a business, lobbying for certain things, effectively helping some people through philanthropy, then they are agents,” Cordelli said. “They powerfully and intentionally can exercise change.” However, she went on, “When it comes to paying more taxes, when it comes to trying to advocate for more just institutions, when it comes to actually trying to prevent injustices that are systemic or trying to advocate for less inequality and more redistribution, then they’re paralyzed. There is nothing they can do.

Will Larson (whose new book is lying on my desk at work) writes a welcome long view on the technology career, something we will increasingly need to think about and come to terms with.

https://lethain.com/forty-year-career/

Highlights for My Struggle

As your perspective of the world increases not only is the pain it inflicts on you less but also its meaning. Understanding the world requires you to take a certain distance from it. Things that are too small to see with the naked eye, such as molecules and atoms, we magnify. Things that are too large, such as cloud formations, river deltas, constellations, we reduce. At length we bring it within the scope of our senses and we stabilize it with fixer. When it has been fixed we call it knowledge. Throughout our childhood and teenage years, we strive to attain the correct distance to objects and phenomena. We read, we learn, we experience, we make adjustments. Then one day we reach the point where all the necessary distances have been set, all the necessary systems have been put in place. That is when time begins to pick up speed. It no longer meets any obstacles, everything is set, time races through our lives, the days pass by in a flash and before we know what is happening we are forty, fifty, sixty . . .
I do not want anyone to get close to me, I do not want anyone to see me, and this is the way things have developed: no one gets close and no one sees me.
They even squeeze out the most recent past: ask me what I did three days ago and I can’t remember.
Here I have to find other goals and come to terms with them. The art of living is what I am talking about.
I have always had a great need for solitude. I require huge swathes of loneliness and when I do not have it, which has been the case for the last five years, my frustration can sometimes become almost panicked, or aggressive.
When Vanja was around eight months old she began to have violent outbursts, like fits at times, and for a while it was impossible to reach her, she just screamed and screamed. All we could do was hold her until it had subsided. It is not easy to say what caused it, but it often occurred when she had had a great many impressions to absorb, such as when we had driven to her grandmother’s in the country outside Stockholm, when she had spent too much time with other children, or we had been in town all day. Then, inconsolable and completely beside herself, she could scream at the top of her voice. Sensitivity and strength of will are not a simple combination.
Perhaps even, at certain moments, joy. And isn’t that enough? Isn’t it enough? Yes, if joy had been the goal it would have been enough. But joy is not my goal, never has been, what good is joy to me? The family is not my goal either. If it had been, and I could have devoted all my energy to it, we would have had a fantastic time, of that I am sure.
I know I can change all this, I know we too can become that kind of family, but then I would have to want it and in which case life would have to revolve around nothing else. And that is not what I want. I do everything I have to do for the family; that is my duty. The only thing I have learned from life is to endure it, never to question it, and to burn up the longing generated by this in writing.
That does not mean I do not love them, because I do, with all my heart, it simply means that the meaning they produce is not sufficient to fulfill a whole life.
She had a liberating, gentle smile that I admired and found endlessly appealing, both because it did not embrace me or others like me, it belonged to the very essence of her being, to which only she herself and her friends had recourse, and also because her top lip was slightly twisted.
We were utterly hopeless, completely out of our depth, there was not a snowball’s chance in hell of anything coming of this, we wouldn’t even be good enough to perform at a school party, but although this was the reality we never experienced it as such. On the contrary, this was what gave our lives meaning.
But my pleasure was partly due to my father always perking up for such events. He became more friendly towards me, took me into his confidence, so to speak, and regarded me as someone to be considered, but this was not the most important thing, for this friendliness he showed to his son was merely one aspect of a greater magnanimity that infused him on such occasions: he became charming, witty, knowledgeable, and entertaining, which in a way justified the fact that I had such mixed emotions about him and was so preoccupied with them.
I was not exactly invulnerable, my weaknesses were there for all to see and exploit, and the fact that they didn’t, because they didn’t have enough insight to be able to see them, was surely not my problem.
They had been drinking before I arrived, and although he was kindness itself, it was threatening nonetheless; not directly, of course, because, sitting there, I didn’t fear him, but indirectly because I could no longer read him. It was as if all the knowledge I had acquired about him through my childhood, and which enabled me to prepare for any eventuality, was, in one fell swoop, invalid. So what was valid?
I could remember all the places I had been, all the rooms I had been in. Just not what happened there.
You know too little and it doesn’t exist. You know too much and it doesn’t exist. Writing is drawing the essence of what we know out of the shadows. That is what writing is about. Not what happens there, not what actions are played out there, but the there itself.
What I ought to do was affirm what existed, affirm the state of things as they are, in other words, revel in the world outside instead of searching for a way out, for in that way I would undoubtedly have a better life, but I couldn’t do it, I couldn’t, something had congealed inside me, a conviction was rooted inside me, and although it was essentialist, that is, outmoded and, furthermore, romantic, I could not get past it, for the simple reason that it had not only been thought but also experienced, in these sudden states of clearsightedness that everyone must know, where for a few seconds you catch sight of another world from the one you were in only a moment earlier, where the world seems to step forward and show itself for a brief glimpse before reverting and leaving everything as before . . .
The box of Kleenex was a sign that here weeping and death had undergone inflation.
The zone that had come into existence when we first left the undertaker’s, and that seemed to make everything around me dead, or meaningless, had grown in size and strength.
We laughed, Tonje ran inside for her camera, and when she came out she put one arm around me and took a photo with the other hand outstretched. We were two children.
The fact that he could be more malicious to me than anyone else changed nothing, it was part and parcel of it, and in the context we lived, the hatred I felt for him was no more than a brook is to an ocean, a lamp to the night.
The sole difference, which is the difference between a child’s reality and an adult’s, was that they were no longer laden with meaning.
I didn’t care anymore anyway. But there had been days when I had cared, days when I had been on the outside and had suffered. Now I was only on the outside.
My father was an idiot, I wanted nothing to do with him, and it cost me nothing to keep well away from him. It wasn’t a question of keeping away from something, it was a question of the something not existing; nothing about him touched me.

Highlights for How Not to Hate Your Husband After Kids

Fisher says there is brain evidence that when women are under stress (say, a new baby has colic), they are inclined to “tend and befriend” (become more empathetic and social), while men under stress are apt to withdraw.
A study of heterosexual couples led by Shiri Cohen, a couples therapist and psychology instructor at Harvard Medical School, revealed that women reported feeling much happier when their male partners understood that they were angry or upset. “This research bore out what I see every day with couples,” Cohen tells me. “When the man can register his wife’s negative feelings, and communicate that on some level, the wife feels better, because she knows that ‘Oh, he gets how I’m feeling.’” She points out that, conversely, men do not derive the same satisfaction in knowing that their wives are upset. “Research shows that men tend to retreat from what feels like conflict to them, because they tend to physiologically get much more negatively aroused,” she said, “so conflict feels way more intense for them.”
so women have better memory and social cognition skills, making them better equipped for multitasking and creating solutions that can work within a group.
Brené Brown calls this tendency to project a motive onto someone without actually knowing the facts “the story I’m making up.”
No surprise there—but the mind-boiling part is that men’s stress levels fell if they kicked back with some sort of leisure activity—but only if their wives kept busy doing household tasks at the same time
meanwhile, found that married couples’ wounds actually healed more slowly when they had hostile arguments compared with so-called low-hostile couples. The stress from a fallout, they discovered, drove up blood levels of hormones that interfere with the delivery of proteins called cytokines, which aid the immune system during injuries.
“Tom, what you’re not getting, and this is true for most men I see, is that it is in your interest to move beyond your knee-jerk selfishness and entitlement and to take good care of your wife, so she isn’t such a raving lunatic all the time.”
“But the idea that you can haul off and be abusive to your partner and somehow get a pass, that you can’t control it, or whatever you tell yourself to rationalize it, is nuts. Also, your whole ‘angry victim’ role is going to get worse. You are extremely comfortable with your self-righteous indignation.”
We construct a plan for his phone to issue a spate of reminders before all school pickups.
A week later, Tom’s crisis negotiation skills are required yet again. It is a school morning, and he is sleeping in after a late night of binge-watching a Swedish crime series. I am up at 6 a.m. with our daughter, making her breakfast and lunch, supervising her homework, ordering a replacement water bottle after she somehow lost hers at school, filling out a form for a class trip, and baking carrot muffins for Tom.
“Men often do best if they know exactly what to do.” Do not use moralistic or shaming language, he continues, which only brings on defensiveness.
Tell your spouse that changing his behavior will directly benefit him because you will be happier and more relaxed.
I’ve learned to be protective of my time, just as my husband is.
“Both boys and girls learn that mothers have needs, too, which is also very important if they have children of their own,”
Those drained respondents negotiated their responsibilities anew every day, starting from scratch—as Tom and I had been doing. This cracked system trapped the participants in an exhausting cycle of “requests and avoidance of these requests.” Conversely, spouses who knew exactly what to do around the house didn’t spend as much time negotiating responsibilities and didn’t tend to monitor and criticize each other. Not surprisingly, “their daily lives seemed to flow more smoothly.”
“So my question to you is, if he waits that long, what does it cost you, other than your obsessive need to not have it pile up? What’s it actually costing you?”
Please, snorts couples therapist Esther Perel. “One important intervention for my clients who are mothers that overmanage—who are overwrought not by difficult life circumstances but by the culture of perfection that has captured parenthood—is that I tell them to go away for the weekend,” she says. I admit to her that I am that over-managing mother. “Then go away alone, go with your friends, go away with someone you haven’t seen in ages!” she says.
The Gottmans categorize couples as masters and disasters. Masters look purposefully for things they can appreciate and respect about their partner; disasters monitor their mates for what they are doing wrong so they can criticize them. Intent on being a relationship master, I order a stack of their books.
This means voicing what the Gottmans call the “three As”: affection, appreciation, and admiration.
When Tom is reading the paper, for example, he occasionally comments, “Hmm, that’s interesting.” This is a “bid,” a sometimes-subtle appeal for attention. If I reply, “Oh, what are you reading?” this response is what Gottman calls “turning toward” my partner—I have given him the encouragement he’s seeking. If I ignore his bid, I am “turning away” from Tom.
My friend Jenny, mother of two, tells her husband that saying “thank you” is the ultimate cheap buy-in. “The average mom does a hell of a lot,” she says. “And unlike at work or school, at home, rarely is anyone saying, ‘Good job.’
Of course, I am still “household manager,” constantly reminding Tom to do fundamental things such as feed the kid breakfast—but he does it.
Sometimes he even says, “Need a hand?”
Oh, that must feel bad. I can see why you feel like that. What can I say or do right now to make you feel better? It’s calculated, but who cares?
One girl mentioned that every morning when she left for school, her father would say, “You go, tiger—you go get them.”
Father-initiated playdates are fairly rare, but they’re important, particularly for daughters.
Research shows that doing chores makes children thrive in countless ways, and is a proven predictor of success,
She found that having children take an active role in the household, starting at age three or four, directly influenced their ability to become well-adjusted young adults.
Those who began chores at three or four were more likely to have solid relationships with their families and friends, to be self-sufficient, and to achieve academic and early professional success.
three-quarters of the garages they studied were so crammed with junk, the homeowners couldn’t store cars
He laughs and says he understands. He explains that he isn’t suggesting that women should pump up the male ego—rather, that the need to feel appreciated is universal. Who among us does not love praise and kindness?
ad for Ariel India, a Procter & Gamble laundry detergent brand
When she was unhappy about making the lengthy commute to her daughter Jennifer’s preschool, her husband, then the chief executive of Microsoft, said he would drive Jennifer two days a week.
If a fight is brewing, start with “I” statements.
Say “Thank you,” and say it often.
All of those gestures—and I’m aware they were mostly gestures—took a total of a few hours, but she was thrilled, it deepened their relationship, and the goodwill he received from me lasted for weeks.
Especially, I would add here, if you can find a therapist who yells at your husband, “Stop with your entitled attitude, get off your ass, and help her out!”
The FBI’s methods of paraphrasing and emotion labeling are remarkably effective.

Highlights for Agile Application Security

Don’t wait for the perfect time, tool or training course to get started. Just do something.
Lean as a methodology prioritises the principle cycle of “Build” → “Measure” → “Learn”.
Many security professionals have a hard time adapting their existing practices to a world where requirements can change every few weeks, or where they are never written down at all. Where design and risk management decisions are made by the team just in time, instead of being planned out and directed from top down. And where manual testing and compliance checking cannot possibly keep up with the speed of delivery.
Agile practitioners argue that while this rule is, broadly speaking, true (catching a defect later is more expensive than catching one earlier), the solution is not to attempt the impossible task of catching all defects earlier, but instead to focus on reducing the cost of fixing defects by making change safer and easier.
instead you need to be thinking about secure service design, trust modeling, and secure architecture patterns.
The design team should have access to security training or security expertise to ensure that the service they are designing enables security through the user experience.
Security teams should be providing tooling, processes and guidance that helps product managers, architects and developers follow good security practice while designing a new system.
Security checks that happen at this stage need to be automatable, reliable, repeatable and understandable in order for a team to adopt them.
The security team should do everything that they can to ensure that the easiest way to build something inside the organisation is the safe and secure way, by providing teams with secure headers, hardened run-time configuration recipes and playbooks, and vetted third party libraries and images that are free from vulnerabilities which teams can grab and use right away.
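The "paved road" idea above (secure defaults teams can grab and use, plus checks that are automatable and repeatable) can be made concrete with a small helper. The following is an added example, not code from the book or from any project it describes: a baseline set of HTTP response headers a platform or security team could hand out, a function that applies it while letting a team override a default deliberately, and a check that reports missing or weakened headers so it can run in a pipeline. The header values are illustrative defaults chosen for this example and would be tuned per application (especially the Content-Security-Policy).

```python
"""Paved-road secure response headers plus an automatable check (added example)."""
from __future__ import annotations

# Baseline headers handed to product teams. Values are illustrative defaults for
# this example, not from the book; CSP in particular must be tailored per app.
SECURE_HEADERS: dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cache-Control": "no-store",
}

MIN_HSTS_MAX_AGE = 31536000  # one year; shorter values weaken HSTS protection


def apply_secure_headers(headers: dict[str, str] | None = None) -> dict[str, str]:
    """Return a copy of `headers` with the baseline applied.

    Values the team already set win, so a deliberate override (for example a
    tailored CSP) is preserved rather than silently replaced.
    """
    merged = dict(SECURE_HEADERS)
    merged.update(headers or {})
    return merged


def _hsts_max_age(value: str) -> int:
    """Parse the max-age directive of a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def check_secure_headers(headers: dict[str, str]) -> list[str]:
    """Automatable check: return a list of findings; an empty list means pass.

    Header names are compared case-insensitively, as HTTP requires, so a check
    run against a real response does not fail on casing alone.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    findings: list[str] = []

    for name in SECURE_HEADERS:
        if name.lower() not in lower:
            findings.append(f"missing {name}")

    hsts = lower.get("strict-transport-security", "")
    if hsts and _hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"weak Strict-Transport-Security max-age={_hsts_max_age(hsts)}")

    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    csp = lower.get("content-security-policy", "")
    if "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'")

    return findings


if __name__ == "__main__":
    # Constructed sample responses (not real captures) to show the check in use.
    bare_response = {"Content-Type": "text/html"}
    weakened = apply_secure_headers({"Strict-Transport-Security": "max-age=300"})
    hardened = apply_secure_headers({"Content-Type": "text/html"})
    for label, hdrs in [("bare", bare_response), ("weakened", weakened), ("hardened", hardened)]:
        print(f"{label}: {check_secure_headers(hdrs) or 'OK'}")
```

The check is deliberately narrow and deterministic: it does not fetch anything, it reads a header map, and every finding names the exact header, which is what makes it reliable, repeatable and understandable enough for a delivery team to adopt in CI.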
When security stops being the team that says no, and becomes the team that enables reliable code to ship, then that’s true agile security.
Truly agile security teams measure themselves on what they can enable to happen, rather than the security issues they have blocked from going out of the door.
or they could be taken care of by training the team in secure coding so that they know how to do things properly from the start.
Another way to include security in requirements is through attacker stories or misuse cases (instead of use cases). In these stories the team spends some time thinking through how a feature could be misused by an attacker or by another malicious – or even a careless – user.
We’ve had experience in at least one company where the attack trees are stored electronically in a wiki, and all of the controls are linked to the digital story cards, so the status of each story is recorded in a live view. This shows the security team the current state of the threat tree, any planned work that might affect it, and allows compliance officers to trace back from a work order to find out why it was requested and when it was completed.
this kind of interlinking is very valuable for high performing and fast moving teams to give them situational awareness to help in making decisions.
As we’ve seen throughout this book, the speed of agile development creates new security risks and problems. But this speed and efficiency can also offer an important edge against attackers, a way to close vulnerability windows much faster.
Security should be about enabling the organisation to carry out its goals in the most safe and secure manner possible. This means that an effective risk management process should be about enabling people in the organisation to take appropriate risks in an informed manner. The key here being informed: risk management is not all about avoidance but the mindful understanding, reduction, sharing and acceptance of risk as appropriate.
But with an agile team continuously changing the system in response to new information, the context in which a risk is accepted can change dramatically in a fairly short time.
Common change control practices, such as specified by ITIL or COBIT, are designed to deal with waterfall projects that push large change sets a handful of times per year, and cannot possibly keep up with Continuous Delivery or Continuous Deployment approaches.
This means that unlike in some more traditional software engineering shops, Agile teams may resist or avoid review boards, design authorities and other control mechanisms imposed from outside if they believe that these outside forces will get in the way of delivery. This is a problem for security professionals who are used to working with architecture review boards and other central authorities to set guiding principles and rules to ensure the security of all systems.
In a traditional software development lifecycle, risk assessment is done based on the system requirements and design specifications and models created up front. A risk analyst uses those documents to identify the risks that will reside in the system, and puts together a plan to monitor and mitigate these risks. Then audits are done to ensure that the system built matches the documented design specifications and that the risk management plan is still valid.
Nation state attack teams looking to steal data or IP, or conducting reconnaissance or sabotage for cyber warfare (for a vast majority of situations these will be well outside of your threat model and would not be something you would likely be able to discover or prevent).
There are different sources of information about threats to help you understand threat actors and the risks that they pose to your organization. While this is an area of the security industry that is widely considered to be over-hyped and to have not returned on the promises of value that have been made (See Threaty Threats boxout), it can still have a place in your security program.
Some platforms for reporting, detecting, collecting and aggregating threat intelligence include:
Open Threat Exchange (https://www.alienvault.com/open-threat-exchange)
Open TPX (https://www.opentpx.org/)
Passive Total (https://www.passivetotal.org/)
Critical Stack (https://intel.criticalstack.com/)
Facebook’s Threat Exchange (https://www.facebook.com/threatexchange)
Does a change fundamentally change the architecture or alter a trust boundary? These types of changes should trigger a risk review (in design or code or both) and possibly some kind of compliance checks.
Quick and dirty threat modelling done often is much better than no threat modelling at all.
Each time that you come back again to look at the design and how it has been changed, you’ll have a new focus, new information and more experience, which means that you may ask new questions and find problems that you didn’t see before.
Because the attack surface is continuously changing, you need to do threat modeling on a continuous basis. Threat modeling has to be done in a lightweight, incremental and iterative way.
People (including attackers) are like water when it comes to protective controls that get in their way. They will work around them and come up with pragmatic solutions to get themselves moving again.
You can’t secure what you don’t understand. – Bruce Schneier
A clean architecture with well-defined interfaces and a minimal feature set is not the same as a simplistic and incomplete design that focuses only on implementing features quickly, without dealing with data safety and confidentiality, or providing defense against run-time failures and attacks.
In many environments, enforcing code reviews upfront is the only way to ensure that reviews get done at all: it can be difficult to convince developers to make code changes after they have already checked code in and moved on to another piece of work.
Probably the best reference for a security code review checklist is OWASP’s ASVS project.
Acceptance tests may also be done manually, in demos with the customer, especially where the tests are expensive or inconvenient to automate.
The advantages to an agile development team of being able to self-provision development and test environments like this are obvious. They get control over how their environments are set up and when it gets done. They don’t have to wait days or weeks to hear back from ops.
Before adding security testing into your pipeline, make sure that the pipeline is set up correctly, and that the team is using it correctly and consistently:
all changes are checked into the code repository
team members check in frequently
automated tests run consistently and quickly
when tests fail, the team stops and fixes problems immediately before making more changes
But instead of treating pen testing as a gate, think of it more as a validation and a valuable learning experience for the entire team.
OpenSCAP (https://www.open-scap.org/) scans specific Linux platforms and other software against hardening policies based on PCI DSS, STIG, and USGCB and helps with automatically correcting any deficiencies that are found. Lynis (https://cisofy.com/lynis/) is an open source scanner for Linux and Unix systems that will check configurations against CIS, NIST and NSA hardening specs, as well as vendor-supplied guidelines and general best practices.
One of the best examples is Dev-Sec (https://github.com/dev-sec), a set of open source hardening templates originally created at Deutsche Telekom, and now maintained by contributors from many organizations.
Security Monkey (https://github.com/Netflix/security_monkey) automatically checks for insecure policies, and records the history of policy changes.
Conformity Monkey (https://github.com/Netflix/SimianArmy/wiki/Conformity-Home) automatically checks configuration of a run-time instance against pre-defined rules and alerts the owner (and security team) of any violations.
Build chains can become highly customized and fragile over time.
6.5 train the development team in secure coding at least annually, and provide them with secure coding guidelines.
Many of the ideas about automating compliance in this chapter are based on the DevOps Audit Defense Toolkit, a free, community-built process framework written by compliance and IT governance experts James DeLuccia IV, Jeff Gallimore, Gene Kim, and Byron Miller.
Reviewers follow checklists to ensure that all code meets the team’s standards and guidelines, and to watch out for unsafe coding practices. Management periodically audits to make sure that reviews are done consistently, and that engineers aren’t rubber stamping each other’s work.
While ITIL change management is designed to deal with infrequent, high-risk “big bang” changes, most changes by Agile and DevOps teams are small and low-risk, and can flow under the bar. They can be treated as standard or routine changes that have been preapproved by management, and that don’t require a heavyweight change review meeting.
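One way to turn two of the highlighted ideas into a pipeline check, as an added example that is not from the book: a change that touches a trust boundary is routed to a risk review, everything else flows under the bar as a pre-approved standard change, and review records for the former are audited for self-approval and rubber-stamping. The path patterns, the 60-second review threshold and the sample changes are constructed assumptions, not the book's.

```python
"""Classify a change set as a pre-approved standard change or as one that
needs a risk review, then check that review evidence exists for the latter."""
from dataclasses import dataclass, field
from typing import List

# Assumed path prefixes that mark a trust-boundary change (constructed for this
# example; a real team would derive them from its own threat model).
RISK_PATHS = ("auth/", "crypto/", "infra/network/", "payments/")
MIN_REVIEW_SECONDS = 60  # assumed floor below which an approval is a rubber stamp

@dataclass
class Change:
    author: str
    files: List[str]
    approvers: List[str] = field(default_factory=list)
    review_seconds: int = 0  # time the approver spent before approving

def classify(change: Change) -> str:
    """Return 'review' if any touched file crosses a trust boundary, else 'standard'."""
    if any(f.startswith(RISK_PATHS) for f in change.files):
        return "review"
    return "standard"

def audit(change: Change) -> List[str]:
    """Return compliance findings; an empty list means the record is acceptable."""
    findings: List[str] = []
    if classify(change) == "standard":
        return findings  # pre-approved by management; no review meeting needed
    independent = [a for a in change.approvers if a != change.author]
    if not independent:
        findings.append("no independent approver")
    if change.review_seconds < MIN_REVIEW_SECONDS:
        findings.append("approval too fast to be a real review")
    return findings

# Constructed sample changes, not real repository history.
SAMPLE_CHANGES = [
    Change("alice", ["docs/readme.md"]),
    Change("alice", ["auth/login.py"], approvers=["alice"], review_seconds=5),
    Change("alice", ["crypto/kdf.py"], approvers=["bob"], review_seconds=900),
]

if __name__ == "__main__":
    for c in SAMPLE_CHANGES:
        print(classify(c), c.files, audit(c))
```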
Auditors like this a lot. Look at all of the clear, documented handoffs and reviews and approvals, all of the double checks and opportunities to catch mistakes and malfeasance. But look at all the unnecessary delays and overhead costs, and the many chances for misunderstandings and miscommunication. This is why almost nobody builds and delivers systems this way any more.
For teams, compliance should – and has to – build on top of the team’s commitment to doing things right and delivering working software. Teams that are already working towards zero defect tolerance, and teams that are following good technical practices including Continuous Integration should be more successful in meeting compliance.
‘Effective security teams should measure themselves by what they enable, not by what they block’
Lazy security teams default to No as it is a get out of jail free card for any future negative impact that may come from the project they opposed. Ineffective security teams want the risk profile of a company to stay the same so that they do not have to make hard choices between security and innovation.
A security team who can default to openness and only restrict as the exception will do a far better job at spreading knowledge about what they do, and most importantly, why they are doing it.