2023-10-22 Sunday - Today's Meditation: A course plotted - is not the journey

 

[Image by Dorothe (aka Darkmoon_Art) from Pixabay.com]

Today's mediation:

A course plotted on a nautical chart - is not the journey.

Information on a map may be superseded by real-world events - or the map may be based on faulty information. Also, you must always consider that your instruments *may* be reporting incorrect data.

During the preparation for a long voyage, some years ago, I studied the historical voyages of others who had sailed the same areas into which I intended to go.

I studied the currents, the underwater geography, the weather patterns.

I made careful notes of areas of possible refuge and safety in which I might seek shelter from gales that might arise during various segments of my planned voyage.

I recorded the GPS coordinates of areas that were reported by other sailors to have good holding, in which to anchor.

After an exhausting passage of some days, I sought refuge in a wide bay - along a desolate section of the Baja coast, for a good night's rest.

As I navigated to the GPS coordinates recorded from another's previous voyage logs, I became concerned that the recommended location seemed to be in some potentially dangerously shallow water - as the swell of the ocean entered the bay and wrapped around and surged toward the area reported to be safe.

From a distance, the swells were a concern, but were not alarming.

As I drew closer - my apprehension and alarm skyrocketed.

I was entering an area that was clearly very dangerous. As the depth became more shallow, the swells grew in height - and became very large breaking waves.

I immediately swung the wheel 180-degrees and headed toward the middle of the bay, and somewhat deeper water - and dropped my anchor - where I had a peaceful night's rest.

The lessons to be learned:

- A voyage plan is just a plan. You must be agile and adaptable.

- The same goes for business plans, product plans, and project plans.

- From the Rules of Meeks: Rule #1 applies, always.

- If you are doing something that isn't working - don't be rigid in your thinking - be willing to embrace the pivot.

- There are always signs - you must be open to reading them.

- Awareness and adaptability are more powerful than blind optimism.

- Stubborn denial and refusal to accept new information - and insistence on maintaining a course - can result in disaster.

2023-10-20 Friday - Podcast Idea Experimentation

[image by Tumisu from Pixabay.com]

Episode #2 of the proof-of-concept for a podcast idea completed today.

That episode was not recorded, so will never be broadcast.

Getting the style sorted, finding our rhythm.

Like musicians, we are jamming in the studio - discovering how we can riff and play some tunes. This is practicing - before the performance.

Finding where strengths complement, and exploring our ways of collaborating.

The topics & content covered today, nearly broadcast quality.

As an experiment, after two iterations, I think this might just have legs...

We even have a preliminary name picked for the show...

[image by Tumisu from Pixabay.com]

2023-10-16 Monday - API Security Educational Resources

YouTube: API Security By Design
https://www.youtube.com/watch?v=acXpD1tRmCQ
 Frank Kilcommins (Principal API Technical Evangelist, SmartBear) and José Haro Peralta (API consultant, author, and founder) [see the link below to José's  2023 book]

00:00 Intro
03:11 Why API Security matters
04:48 What is API Security
06:22: OWASP Top API 10 Risks
07:04 Broken Object Level Authorization
08:43 Broken Authentication
10:12 Broken Object Property Level Authorization
12:20 Unrestricted Resource Consumption
14:10 Broken Function Level Authorization
16:44 Unrestricted Access to Sensitive Business Flows
19:48 Server-side Request Forgery
22:26 Security Misconfiguration
24:28 Improper Inventory Management
27:11 Unsafe Consumption of APIs
30:08 Authentication vs Authorization
31:03 OAuth Overview
32:24 Authorization Code Flow
34:28 PKCE Flow
35:40 Client Credentials Flow
36:36 Refresh Token Flow
38:35 OpenID Connect
41:00 JSON Web Tokens (JWTs)
44:45 Security-by-design Overview
46:45 Vulnerable API design overview
47:26 Leaking objects
51:34 Integer Identifiers
53:22 Exposing server-side properties in user input
55:07 Flexible schemas with unknown properties
57:37 Summary and Q&A

Suggested Books:

API Security in Action (2020)
https://www.amazon.com/API-Security-Action-Neil-Madden/dp/1617296023/

Microservices Security in Action: Design secure network and API endpoint security for Microservices applications, with examples using Java, Kubernetes, and Istio 1st Edition (2020)
https://www.amazon.com/Microservices-Security-Action-Prabath-Siriwardena/dp/1617295957/

Advanced API Security: OAuth 2.0 and Beyond 2nd ed. Edition (2019)
https://www.amazon.com/Advanced-API-Security-Definitive-Guide/dp/1484220498/

Microservice APIs: Using Python, Flask, FastAPI, OpenAPI and more (2023)
https://www.amazon.com/Microservice-APIs-Jose-Haro-Peralta/dp/1617298417/

OAuth 2 in Action First Edition (2017)
https://www.amazon.com/OAuth-2-Action-Justin-Richer/dp/161729327X/

Secure By Design First Edition (2019)
https://www.amazon.com/Secure-Design-Daniel-Deogun/dp/1617294357

Defending APIs against Cyber Attack: Learn the secrets of defense techniques to build secure application programming interfaces (2024)
https://www.amazon.com/Defending-APIs-against-Cyber-Attack/dp/1804617121


Penetration Testing Tool Resources:

1. https://github.com/intltechventures/Lab.Security/blob/master/PenetrationTestingTools.md
   

Other Resources:

1. https://www.traceable.ai/2023-state-of-api-security
2. NIST SP 800-95: Guide to Secure Web Services
1. "The advance of Web services technologies promises to have far-reaching effects on the Internet and enterprise networks. Web services based on the eXtensible Markup Language (XML), SOAP, and related open standards, and deployed in Service Oriented Architectures (SOA) allow data and applications to interact without human intervention through dynamic and ad hoc connections. The security challenges presented by the Web services approach are formidable and unavoidable. Many of the features that make Web services attractive, including greater accessibility of data, dynamic application-to-application connections, and relative autonomy are at odds with traditional security models and controls. Ensuring the security of Web services involves augmenting traditional security mechanisms with security frameworks based on use of authentication, authorization, confidentiality, and integrity mechanisms. This document describes how to implement those security mechanisms in Web services. It also discusses how to make Web services and portal applications robust against the attacks to which they are subject."
3. NIST SP 800-204: Security Strategies for Microservices-based Application System
1. "Microservices architecture is increasingly being used to develop application systems since its smaller codebase facilitates faster code development, testing, and deployment as well as optimization of the platform based on the type of microservice, support for independent development teams, and the ability to scale each component independently. Microservices generally communicate with each other using Application Programming Interfaces (APIs), which requires several core features to support complex interactions between a substantial number of components. These core features include authentication and access management, service discovery, secure communication protocols, security monitoring, availability/resiliency improvement techniques (e.g., circuit breakers), load balancing and throttling, integrity assurance techniques during induction of new services, and handling of session persistence. Additionally, the core features could be bundled or packaged into architectural frameworks such as API gateways and service mesh. The purpose of this document is to analyze the multiple implementation options available for each individual core feature and configuration options in architectural frameworks, develop security strategies that counter threats specific to microservices, and enhance the overall security profile of the microservices-based application."
2. NIST SP 800-204A Building Secure Microservices-based Applications Using Service-Mesh Architecture 
3.  NIST SP 800-204B Attribute-based Access Control for Microservices-based Applications using a Service Mesh
4. NIST SP 800-204C Implementation of DevSecOps for a Microservices-based Application with Service Mesh 
4. https://owasp.org/www-project-api-security/
   
1. https://owasp.org/API-Security/editions/2023/en/0x11-t10/
   
2. https://content.salt.security/owasp-api-top-10-2023-ebook.html 
3. https://salt.security/blog/owasp-api-security-top-10-explained
   
4. https://snyk.io/learn/owasp-top-10-vulnerabilities/api-security-top-10/
   
5. MuleSoft: API security for the digital estate (Top 5 API Security Best Practices)
   

2023-10-15 Sunday - Sonatype’s 9th Annual State of the Software Supply Chain

 

[image credit: Sonatype, 9th Annual State of the Software Supply Chain, p-4, with my highlights added]

Noteworthy:
Why the practice of actively managing your Software Bill of Materials (SBOM) is important...

Sonatype’s 9th Annual State of the Software Supply Chain
https://www.sonatype.com/hubfs/9th-Annual-SSSC-Report.pdf

Notable citations:

• "The rate of download growth in open source consumption has slowed the past two years. In 2023, this trend continued with the average download growth rate sitting at 33%, which is exactly what it was last year. This is a stark comparison to the all-time high of 2021, which saw 73% year-over-year growth"
• "Between 2022 and 2023, the number of available open source projects grew an average of 29%"
  
•  "Maven and npm, are each estimated to reach over a trillion requests in 2023"
• "[Maven and npm] represent 90% of the request served"

 

[image credit: Sonatype, 9th Annual State of the Software Supply Chain, p-9]

2023-10-11 Wednesday - Today's mediation: "A" vs. "B" and "C" Players

[My corresponding LinkedIn post]

Today's meditation:
If you think there is no distinction between "A" players vs. "B" and "C" players - either you have not been around long enough - or you lack the basic skills to assess quality talent.

Here are some suggested clues to help you identify the players:

"A" players:
1. Execute consistently
2. Deliver results
3. Their quality is consistently exceptional
4. Can quickly assess/identify other "A" players
5. They actively and instinctively mentor others - and can help elevate a "B" to "A" level; or a "C" to "B"
6. Their presence can elevate an entire organization
7. They break logjams
8. Insatiably curious - constantly expanding/renewing their skills.
9. Actively seek to collaborate, communicate, document, share
10. Easily and quickly focus on what matters, what will move the needle, what is essential

"B" players:
1. Execute inconsistently
2. Frequently make excuses for why they didn't deliver
3. Their quality is not consistently of a high degree - sporadically produce exceptional results
4. Have difficulty discerning "A" vs. "B" talent - and will sometimes end up hiring "C" players
5. Have difficulty mentoring others - or lack the interest/initiative/drive to mentor others
6. In the absence of any "A" players - they can actively impede the growth of an organization
7. They nibble at logjams
8. Minimal investment in personal growth, very low level of curiosity, skills atrophy over time.
9. Expend the minimum effort in collaboration, communication, documenting, and sharing
10. Have trouble identifying what matters, where to focus, what will move the needle, and what is essential.

"C" players: 
1. Consistently fail to execute
2. Consistently fail to deliver
3. Their quality is consistently at a sub-optimal level
4. Do not realize their incompetence (re: Dunning–Kruger)
5. Actively impede attempts to mentor/improve a team
6. Are only able to hire "C" and "D" players ("A" and "B" players will decline job offers from a "C" player)
7. They create logjams
8. No curiosity, have no interest in investing in personal/professional growth, skills are consistently insufficient for their role.
9. Consistently demonstrate zero effort in collaboration, communication, documenting, sharing.
10. Excel at focusing on things that do not matter, that create the appearance of work - but does not actually produce value, and have no clue what is essential. 

2023-10-06 Friday - Today's meditation: On the value of "Wall Walks"

[Image by meineresterampe from Pixabay.com]

Today's meditation: On the value of "Wall Walks"

A Wall Walk - is a technique for breaking siloed thinking, for encouraging innovation, for identifying dependencies & risks, and for encouraging open communication & collaboration.

It is a periodic meeting (quarterly usually feels like a good cadence - however, during periods of rapid change - monthly may be appropriate), that pulls together participants from all of the disciplines across a company - and each area is given [n] minutes to give a brief talk, with a question & answer session following.

What makes the Wall Walk *fundamentally* different from almost every other presentation you will see in any company - is that it isn't intended as an opportunity for the team to proclaim their glorious achievements - or show how many areas they are reporting as GREEN to management (when in reality, we all know, some of them are actually RED).

The goal for a Wall Walk talk should be to cover:
- What we recently delivered
- What we we are working on - and how it may impact the rest of you
- Experiments we've tried - what worked - and what didn't
- *Challenges* we are struggling with - would love to have follow-ups to hear your ideas
- Future planned work - in areas in which we know (or believe) that there will be dependencies that impact you.

To implement Wall Walks requires courage - and a willingness to tell the unvarnished truth.

Other variations on the concept of Wall Walks:

• https://www.oreilly.com/library/view/contextual-design-2nd/9780128011362/XHTML/B9780128008942000107/B9780128008942000107.xhtml
  
• https://medium.com/@armypublicaffairscenter/wall-walk-yourself-and-your-team-to-better-briefings-and-papers-ad744733642
• https://carolmassa.medium.com/walking-the-creative-wall-focus-on-the-outcome-not-the-deliverable-d0f8a4ac5cb
• https://miro.com/miroverse/walk-the-wall-user-story-review/ 
  

2023-10-02 Monday - Research Notes: Hoshin Kanri ("Compass Management") and X-Matrix in strategic planning

 

[image credit: Clker-Free-Vector-Images on Pixabay]

  
https://en.wikipedia.org/wiki/Hoshin_Kanri

• ...a 7-step process used in strategic planning in which strategic goals are communicated throughout the company and then put into action.

• The Hoshin Kanri strategic planning system originated from post-war Japan, but has since spread to the U.S. and around the world. Translated from Japanese, Hoshin Kanri aptly means "compass management". The individual words "hoshin" and "kanri" mean direction and administration, respectively.

• Hoshin Kanri requires a strategic vision in order to succeed. 
  

• From there, strategic objectives need to be clearly defined, with goals being written for long periods of a one to five-year-long timeframe
  

• Once the long term timeframe goals are completed, the team can focus on yearly objectives

• Management needs to avoid picking too many vital goals in order to stay focused on what is strategically important

• Hoshin Kanri is a top-down approach, with the goals being mandated by management and the implementation being performed by employees.

• Companies that use Hoshin Kanri often follow a Think, Plan, Implement, and Review process, which is comparable to W. Edwards Deming's Plan Do Check Act cycle

    
If you are pressed for time, read this:

The Ultimate Guide to Strategy Deployment using Hoshin Kanri (X-Matrix)
https://www.linkedin.com/pulse/ultimate-guide-strategy-deployment-using-hoshin-kanri-vetriko/
(See triangle in diagram, Principles of Hoshin Kanri - nice graphics)