I’ve been thinking a lot about the iron triangle lately… fast, cheap, good: pick 2.

Fast and Cheap costs more
Cheap and Good is s l o w
Good and Fast is low quality

I’ve heard people claim that lean methodology achieves all three, but I’ve never actually seen it deliver. 1/ What I’ve seen is a fast and cheap MVP’s followed by chaotic, distracted, randomized iterations that have no coherent plan. Or worse, abandoned MVPs that are deemed “good enough” for internal customers. 2/

@TrainOfError @WhyHiAnnabelle I’m familiar with how bounty programs work.

Launching a bounty without the proper security foundation means you will 1. Be overwhelmed with vuln reports for things you should have already found and fixed through static / dynamic analysis, pen tests, security assessments, etc. @TrainOfError @WhyHiAnnabelle 2. Once overwhelmed with a flood of reports your triage and fix rate will grind to a halt and your duplicate report rate will skyrocket. Researchers will get frustrated and angry.

Anyone that thinks victims of domestic abuse should just move out is so unbearably privileged, they have no grasp of the reality. Where do you go? How do you pay for anything when your abuser controls finances? All you and your kids have are the clothes you were able to take. 1/ Sure you have your cell phone, but your abuser controls that too, because of course they do. They’ve spent months if not years expanding their control of everything. Now they use your phone to stalk you and monitor who you call or text. 2/

Funny story about everyday sexism tonight. My rideshare driver (mid-30’s) mentioned he came to the USA 3 years ago as an architect, but went back to school to study cybersecurity and drives weekends. Obviously I’m interested and start chatting. 1/8 We get to talking about colleges and he opined that expensive universities create an alumni network that maintains their power. I point out that going to security conferences & networking is incredibly valuable for career development and opportunities. 2/8