“The questions that we must ask ourselves, and that our historians and our children will ask of us, are these: How will what we create compare with what we inherited? Will we add to our tradition or will we subtract from it? Will we enrich it or will we deplete it?”
― Leon Wieseltier
Digital transformation is all around us.
And we are all digital employees according to Gartner.
In the article, Gartner Says Every Employee Is a Digital Employee, Gartner says that the IT function no longer holds a monopoly on IT.
A Greater Degree of Digital Dexterity
According to Gartner, employees are developing increasing digital dexterity, from the devices and apps they use to their participation in sharing economies.
"'Today's employees possess a greater degree of digital dexterity,' said Matt Cain, research vice president at Gartner. 'They operate their own wireless networks at home, attach and manage various devices, and use apps and Web services in almost every facet of their personal lives. They participate in sharing economies for transport, lodging and more.'"
Workers are Streamlining Their Work Life
More employees are using technology to simplify, streamline, and scale their work.
"This results in unprecedented numbers of workers who enjoy using technology and recognize the relevance of digitalization to a wide range of business models. They also routinely apply their own technology and technological knowledge to streamline their work life."
3 Ways to Exploit Digital Dexterity
According to Gartner, there are 3 Ways the IT organization should exploit employees' digital dexterity:
- Implement a digital workplace strategy
- Embrace shadow IT
- Use a bimodal approach
1. Implement a digital workplace strategy
While it’s happening organically, IT can also help shape the digital workplace experience. Implement a strategy that helps workers use computing resources in a more friction-free way, one that plays better with their pains, needs, and desired outcomes.
“Making computing resources more accessible in ways that match employees' preferences will foster engagement by providing feelings of empowerment and ownership. The digital workplace strategy should therefore complement HR initiatives by addressing and improving factors such as workplace culture, autonomous decision making, work-life balance, recognition of contributions and personal growth opportunities.”
2. Embrace shadow IT
Treat shadow IT as a first-class citizen. IT should partner with the business to help the business realize its potential, and to help workers make the most of the available IT resources.
“Rather than try to fight the tide, the IT organization should develop a framework that outlines when it is appropriate for business units and individuals to use their own technology solutions and when IT should take the lead. IT should position itself as a business partner and consultant that does not control all technology decisions in the business.”
3. Use a bimodal approach
Traditional IT is slow. It’s heavy in governance, standards, and procedures. It addresses risk by reducing flexibility. Meanwhile, the world is changing fast. Business needs to keep up. Business needs fast IT.
So what’s the solution?
Bimodal IT. Bimodal IT separates the fast demands of digital business from the slow/risk-averse methods of traditional IT.
“Bimodal IT separates the risk-averse and ‘slow’ methods of traditional IT from the fast-paced demands of digital business, which is underpinned by the digital workplace. This dual mode of operation is essential to satisfy the ever-increasing demands of digitally savvy business units and employees, while ensuring that critical IT infrastructure and services remain stable and uncompromised.”
Everyone has technology at their fingertips. Every worker has the chance to re-imagine their work in a Mobile-First, Cloud-First world.
With infinite compute, infinite capacity, global reach, and real-time insights available to you, how could you evolve your job?
You can evolve your digital work life right under your feet.
“Courage doesn't always roar. Sometimes courage is the little voice at the end of the day that says I'll try again tomorrow.” -- Mary Anne Radmacher
Imagine if you could wake up productive, where each day is a fresh start. As you take in your morning breath, you notice your mind is calm and clear.
You feel strong and well rested.
Before you start your day, you picture in your mind three simple scenes of the day ahead:
In the morning, you see yourself complete a draft you’ve been working on.
In the afternoon, you see yourself land your idea and win over your peers in a key meeting.
In the evening, you see yourself enjoying some quiet time as you sit down and explore your latest adventures in learning.
With an exciting day ahead, and a chance to rise and shine, you feel the day gently pull you forward with anticipation.
You know you’ll be tested, and you know some things won’t work out as planned. But you also know that you will learn and improve from every setback. You know that each challenge you face will be a leadership moment or a learning opportunity. Your challenges make you stronger.
And you also know that you will be spending as much time in your strengths as you can, and that helps keep you strong, all day long.
You motivate yourself from the inside out by focusing on your vision for today and your values. You value achievement. You value learning. You value collaboration. You value excellence. You value empowerment. And you know that throughout the day, you will have every chance to apply your skills to do more, to achieve more, and to be more.
Each task, or each challenge, is also a chance to learn more. From yourself, and from everyone all around you. And this is how you never stop learning.
You may not like some of the tasks before you, but you like the chance to master your craft. And you enjoy the learning. And you love how you get better. With each task on your To-Do list for today, you experiment and explore ways to do things better, faster, and easier.
Like a productive artist, you find ways to add unique value. You add your personal twist to everything you do. Your twist comes from your unique experience, seeing what others can’t see from your unique vantage point, and applying your unique strengths.
And that’s how you do more art. Your art. And as you do your art, you feel yourself come alive. You feel your soul sing, as you operate at a higher level. As you find your flow and realize your potential, your inner-wisdom winks in an approving way. Like a garden in full bloom on a warm Summer’s day, you are living your arête.
As your work day comes to an end, you pause to reflect on your three achievements, your three wins, for the day. You appreciate the way you leaned in on the tough stuff. You surprised yourself in how you handled some of your most frustrating moments. And you learned a new way to do your most challenging task. You take note of your favorite parts of the day, and your attitude of gratitude fills you with a sense of accomplishment, and a sense of fulfillment.
Fresh and ready for anything, you head for home.
Try 30 Days of Getting Results. It’s free. Surprise yourself with what you’re capable of.
"What lies behind us and what lies before us are small matters compared to what lies within us. And when we bring what is within us out into the world, miracles happen." -- Ralph Waldo Emerson
I've written about 30 Day Sprints before, but it's time to talk about them again:
30 Day Sprints help you change yourself with skill.
Once upon a time, I found that when I was learning a new skill, or changing a habit, or trying something new, I wasn't getting over that first hump, or making enough progress to stick with it.
At the same time, I would get distracted by shiny new objects. Because I like to learn and try new things, I would start something else, and ditch whatever else I was trying to work on, to pursue my new interest. So I was hopping from thing to thing, without much to show for it, and without getting much better.
I decided to stick with something for 30 days to see if it would make a difference. It was my personal 30 day challenge. And it worked. What I found was that sticking with something past two weeks got me past those initial hurdles, the dips that sit just in front of where breakthroughs happen.
All I did was spend a little effort each day for 30 days. I would try to learn a new insight or try something small each day. Each day, it wasn't much. But over 30 days, it accumulated. And over 30 days, the little effort added up to a big victory.
Why 30 Day Sprints Work So Well
Eventually, I realized why 30 Day Sprints work so well. You effectively stack things in your favor. By investing in something for a month, you can change how you approach things. It's a very different mindset when you are looking at your overall gain over 30 days versus worrying about whether today or tomorrow gave you immediate return on your time. By taking a longer term view, you give yourself more room to experiment and learn in the process.
- 30 Day Sprints let you chip away at the stone. Rather than go big bang or whole hog up front, you can chip away at it. This takes the pressure off of you. You don't have to make a breakthrough right away. You just try to make a little progress and focus on the learning. When you don't feel like you made progress, you at least can learn something about your approach.
- 30 Day Sprints get you over the initial learning curve. When you are taking in new ideas and learning new concepts, it helps to let things sink in. If you're only trying something for a week or even two weeks, you'd be amazed at how many insights and breakthroughs are waiting just over that horizon. Those troughs hold the keys to our triumphs.
- 30 Day Sprints help you stay focused. For 30 days, you stick with it. Sure you want to try new things, but for 30 days, you keep investing in this one thing that you decided was worth it. Because you do a little every day, it actually gets easier to remember to do it. But the best part is, when something comes up that you want to learn or try, you can add it to your queue for your next 30 Day Sprint.
- 30 Day Sprints help you do things better, faster, easier, and deeper. For 30 days, you can try different ways. You can add a little twist. You can find what works and what doesn't. You can keep testing your abilities and learning your boundaries. You push the limits of what you're capable of. Over the course of 30 days, as you kick the tires on things, you'll find short-cuts and new ways to improve. Effectively, you unleash your learning abilities through practice and performance.
- 30 Day Sprints help you forge new habits. Because you focus for a little bit each day, you actually create new habits. A habit is much easier to put in place when you do it each day. Eventually, you don't even have to think about it, because it becomes automatic. Doing something every other day, or every third day, means you even have to remember when to do it. We're creatures of habit. Just repurpose a little of the time you already spend each day, and put it to work on your own behalf.
And that is just the tip of the iceberg.
The real power of 30 Day Sprints is that they help you take action. They help you get rid of all the excuses and all the distractions so you can start to achieve what you’re fully capable of.
Ways to Make 30 Day Sprints Work Better
When I first started using 30 Day Sprints for personal development, the novelty of doing something more than a day or a week or even two weeks, was enough to get tremendous value. But eventually, as I started to do more 30 Day Sprints, I wanted to get more out of them.
Here is what I learned:
- Start 30 Day Sprints at the beginning of each month. Sure, you can start 30 Day Sprints whenever you want, but I have found it much easier if the 17th of the month is day 17 of my 30 Day Sprint. Also, it's a way to get a fresh start each month. It's like turning the page. You get a clean slate. But what about February? Well, that's when I do a 28 Day Sprint (and one day more when Leap Year comes).
- Same Time, Same Place. I've found it much easier and more consistent, when I have a consistent time and place to work on my 30 Day Sprint. Sure, sometimes my schedule won't allow it. Sure, some things I'm learning require that I do it from different places. But when I know, for example, that I will work out 6:30 - 7:00 A.M. each day in my living room, that makes things a whole lot easier. Then I can focus on what I'm trying to learn or improve, and not spend a lot of time just hoping I can find the time each day. The other benefit is that I start to find efficiencies because I have a stable time and place, already in place. Now I can just optimize things.
- Focus on the learning. When it's the final inning and the score is tied, and you have runners on base, and you're up at bat, focus is everything. Don't focus on the score. Don't focus on what's at stake. Focus on the pitch. And swing your best. And, hit or miss, when it's all over, focus on what you learned. Don't dwell on what went wrong. Focus on how to improve. Don't focus on what went right. Focus on how to improve. Don't get entangled by your mini-defeats, and don't get seduced by your mini-successes. Focus on the little lessons that you sometimes have to dig deeper for.
Obviously, you have to find what works for you, but I've found these ideas to be especially helpful in getting more out of each 30 Day Sprint. Especially the part about focusing on the learning. I can't tell you how many times I got too focused on the results, and ended up missing the learning and the insights.
If you slow down, you speed up, because you connect the dots at a deeper level, and you take the time to really understand nuances that make the difference.
Getting Started
Keep things simple when you start. Just start. Pick something, and make it your 30 Day Sprint.
In fact, if you want to line your 30 Day Sprint up with the start of the month, then just start your 30 Day Sprint now and use it as a warm-up. Try stuff. Learn stuff. Get surprised. And then, at the start of next month, just start your 30 Day Sprint again.
If you really don't know how to get started, or want to follow a guided 30 Day Sprint, then try 30 Days of Getting Results. It's where I share my best lessons learned for personal productivity, time management, and work-life balance. It's a good baseline, because by mastering your productivity, time management, and work-life balance, you will make all of your future 30 Day Sprints more effective.
Boldly Go Where You Have Not Gone Before
But it's really up to you. Pick something you've been either frustrated by, inspired by, or scared of, and dive in.
Whether you think of it as a 30 Day Challenge, a 30 Day Improvement Sprint, a Monthly Improvement Sprint, or just a 30 Day Sprint, the big idea is to do something small for 30 days.
If you want to go beyond the basics and learn everything you can about mastering personal productivity, then check out Agile Results, introduced in Getting Results the Agile Way.
Who knows what breakthroughs lie within?
May you surprise yourself profoundly.
“Let him who would move the world first move himself.” ― Socrates
At work, and in life, you need every edge you can get.
Personal development is a process of realizing and maximizing your potential.
It’s a way to become all that you’re capable of.
One of the most powerful books on personal development is Unlimited Power, by Tony Robbins. In Unlimited Power, Tony Robbins shares some of the most profound insights in personal development that the world has ever known.
Develop Your Abilities and Model Success
Through a deep dive into the world of NLP (Neuro-Linguistic Programming) and Neuro-Associative Conditioning, Robbins shows you how to master your mind, master your body, master your emotional intelligence, and improve what you’re capable of in all aspects of your life. You can think of NLP as re-programming your mind, body, and emotions for success.
We’ve already been programmed by the shows we watch, the books we’ve read, the people in our lives, the beliefs we’ve formed. But a lot of this was unconscious. We were young and took things at face value, and jumped to conclusions about how the world works, who we are, and who we can be, or worse, who others think we should be.
NLP is a way to break away from limiting beliefs and to model the success of others with skill. You can effectively reverse engineer how other people get success and then model the behavior, the attitudes, and the actions that create that success. And you can do it better, faster, and easier, than you might imagine.
NLP is really a way to model what the most successful people think, say, and do.
Unlimited Power at Your Fingertips
I’ve created a landing page that is a round up and starting point to dive into some of the book nuggets from Unlimited Power:
On that page, I also provided very brief summaries of the core personal development insight so that you can get a quick sense of the big ideas.
A Book Nugget is simply what I call a mini-lesson or insight from a book that you can use to change what you think, feel, or do.
Unlimited Power is not an easy book to read, but it’s one of the most profound tomes of knowledge in terms of personal development insights.
Personal Development Insights at Your Fingertips
If you want to skip the landing page and just jump into a few Unlimited Power Book Nuggets and take a few personal development insights for a spin, here you go:
As you’ll quickly see, Unlimited Power remains one of the most profound sources of insight for realizing your potential and becoming all that you’re capable of.
It truly is the ultimate source of personal development in action.
Hugh is the creative director at Gaping Void. I got to meet Hugh, along with Jason Korman (CEO), and Jessica Higgins, last week to talk through some ideas.
Hugh uses cartoons as a snappy and insightful way to change the world. You can think of it as “Motivational Art for Smart People.”
The Illustrated Guide to Life Inside Microsoft
One of Hugh’s latest creations is the Illustrated Guide to Life Inside Microsoft. It’s a set of cards you can flip, with a cartoon on the front, and a quote on the back. It’s truly insight at your fingertips.
I like them all … from “Microsoft is a ‘Get Stuff Done’ company” to “Software is the thing between the things”, but my favorite is:
“It’s more fun being the underdog.”
It’s a reminder that you can take the dog out of the fight, but you can’t take the fight out of the dog, and that as long as you’re still in the game, and you are truly a learning company, a company that continues to grow and evolve, you can change the world … your unique way.
Tweaking People in the Right Direction
Hugh is an observer and participant who inspires and prods people in the right direction …
“’Attaching art to business outcomes can articulate deep emotions and bring things to light fast,’ said MacLeod. To get there requires MacLeod immersing himself within a company, so he can look for what he calls ‘freaks of light’—epiphanies about a company that express the collected motivations of its people. ‘My cartoons make connections,’ said MacLeod. ‘I create work in an ambient way to tweak people in the right direction.’”
“He’s an observer and a participant, mingling temporarily within a culture to better understand it. He’s also a listener, taking your thoughts and combining them with his own to piece together the puzzle he is trying to solve about the human condition and business environment.”
Check out the Illustrated Guide to Life Inside Microsoft and some of the ideas just might surprise you, or, at least inspire and motivate you today – you smart person, you.
"A moment's insight is sometimes worth a life's experience." -- Oliver Wendell Holmes, Sr.
Some say we’re in the Age of Insight. Others say insight is the new currency in the Digital Economy.
And still others say that insight is the backbone of innovation.
Either way, we use “insight” an awful lot without talking about what insight actually is.
So, what is insight?
I thought it was time to finally do a deeper dive on what insight actually is. Here is my elaboration of “insight” on Sources of Insight:
You can think of it as “insight explained.”
The simple way that I think of insight, or those “ah ha” moments, is by remembering a question Ward Cunningham uses a lot:
“What did you learn that you didn’t expect?” or “What surprised you?”
Ward uses these questions to reveal insights, rather than have somebody tell him a bunch of obvious or uneventful things he already knows. For example, if you ask somebody what they learned at their presentation training, they’ll tell you that they learned how to present more effectively, speak more confidently, and communicate their ideas better.
But if you instead ask them, “What did you learn that you didn’t expect?” they might actually reveal some insight and say something more like this:
“Even though we say don’t shoot the messenger all the time, you ARE the message.”
“If you win the heart, the mind follows.”
It’s the non-obvious stuff, that surprises you (at least at first). Or sometimes, insight strikes us as something that should have been obvious all along and becomes the new obvious, or the new normal.
Ward used this insights gathering technique to more effectively share software patterns. He wanted stories and insights from people, rather than descriptions of the obvious.
I’ve used it myself over the years and it really helps get to deeper truths. If you are a truth seeker or a lover of insights, you’ll enjoy how you can tease out more insights, just by changing your questions. For example, if you have kids, don’t ask, “How was your day?” Ask them, “What was the favorite part of your day?” or “What did you learn that surprised you?”
Wow, I know this is a short post, but I almost left without defining insight.
According to the dictionary, insight is “The capacity to gain an accurate and deep intuitive understanding of a person or thing.” Or you may see insight explained as inner sight, mental vision, or wisdom.
I like Edward de Bono’s simple description of insight as “Eureka moments.”
Some people count steps in their day. I count my “ah-ha” moments. After all, the most important ingredient of effective ideation and innovation is …yep, you guessed it – insight!
For a deeper dive on the power of insight, read my page on Insight explained, on Sources Of Insight.com
We take productivity seriously at Microsoft. Ask any Softie. I never have a lack of things to do, or too much time in my day, and I can't ever make "too much" impact.
To be super productive, I've had to learn hard-core prioritization techniques, extreme energy management, stakeholder management, time management, and a wealth of productivity hacks to produce better, faster results.
We don’t learn these skills in school. But if we’re lucky, we learn from the right mentors and people all around us, how to bring out our best when we need it the most.
Download the 30 Days of Getting Results Free eBook
You can save years of pain for free:
There’s always a gap between books you read and what you do in the real world. I wanted to bridge this gap. I wanted 30 Days of Getting Results to be raw and real to help you learn what it really takes to master productivity and time management so you can survive and thrive with the best in the world.
It’s not pretty. It’s super effective.
30 Days of Getting Results is a 30 Day Personal Productivity Improvement Sprint
I wrote 30 Days of Getting Results using a 30 Day Sprint. Each day for that 30 Day Sprint, I wrote down the best information I learned from the school of hard knocks about productivity, time management, work-life balance, and more.
For each day, I share a lesson, a story, and an exercise.
I wanted to make it easy to practice productivity habits.
Agile Results is a Fire Starter for Personal Productivity
The thing that’s really different about Agile Results as a time management system is that it’s focused on meaningful results. Time is treated as a first-class citizen so that you hit your meaningful windows of opportunity, and get fresh starts each day, each week, each month, each year. As a metaphor, you get to be the author of your life and write your story forward.
For years, I’ve received emails from people around the world how 30 Days of Getting Results was a breath of fresh air for them.
It helped them find their focus, get more productive, enjoy what they do, renew their energy, and spend more time in their strengths and their passions, while pursuing their purpose.
It’s helped doctors, teachers, students, lawyers, developers, grandmothers, and more.
Learn a New Language, Change Careers, or Start a Business
You can use Agile Results to learn better, faster, and deeper because it helps you think better, feel better, and take better action.
You can use Agile Results to help you learn a new language, build new skills, learn an instrument, or whatever your heart desires.
I used the system to accidentally write a book in a month.
I didn’t set out to write a book. I set out to share the world’s best insight and action for productivity and time management. I wrote for 20 minutes each day, during that month, to share the best lessons and the best insights I could with one purpose:
Help everyone thrive in work and life.
Over the coming months, I had more and more people ask for a book version. As much as they liked the easy to flip through Web pages, they wanted to consume it as an eBook. So I turned 30 Days of Getting Results into a free eBook and made that available.
Here's the funny part:
I forgot I had done that.
The Accidental Free Productivity Book that Might Just Change Your Life
One day, I was having a conversation with one of my readers, and they said that I should sell 30 Days of Getting Results as a $30 work book. They liked it much more than the book, Getting Results the Agile Way. They found it to be more actionable and easier to get started, and they liked that I used the system as a way to teach the system.
He said I should make the effort to put it together as a PDF and sell it as a workbook. He said people would want to pay for it because it’s high-value, real-world training, and that it was better than any live training he had ever taken (and he had taken a lot).
I got excited by the idea, and it made perfect sense. After all, wouldn’t people want to learn something that could impact every single day of their lives, and help them achieve more in work and life and help them adapt and compete more effectively in our ever-changing world?
I went to go put it together, and I had already done it.
Set Your Productivity on Fire
When you’re super productive, it’s easy to forget some of the things you create because they so naturally flow from spending the right time, on the right things, with the right energy. You’ll naturally leave a trail of results from experimenting and learning.
Whether you want to be super productive, or do less, but accomplish more, check out the ultimate free productivity guide:
Share it with friends, family, colleagues, and whoever else you want to have an unfair advantage in our hyper-competitive world.
Lifting others up, lifts you up in the process.
If you have a personal story of how 30 Days of Getting Results has helped you in some way, feel free to share it with me. It’s always fun to hear how people are using Agile Results to take on new challenges, re-invent their productivity, and operate at a higher level.
Or simply get started again … like a fresh start, for the first time, full of new zest to be your best.
"Whatever you do in life, surround yourself with smart people who'll argue with you." -- John Wooden
There’s a very simple way to get smarter.
You can get smarter by creating categories.
Not only will you get smarter, but you’ll also be more mindful, and you’ll expand your vocabulary, which will improve your ability to think more deeply about a given topic or domain.
In my post, The More Distinctions You Make, the Smarter You Get, I walk through the ins and outs of creating categories to increase your intelligence, and I use the example of “fat.” I attempt to show how “Fat is bad” isn’t very insightful, and how by breaking “fat” down into categories, you can dive deeper and reveal new insight to drive better decisions and better outcomes.
In this post, I’m going to walk through an example, using “security” as the topic.
The first time I heard the word “security”, it didn’t mean much to me, beyond “protect.”
The next thing somebody taught me, was how I had to focus on CIA: Confidentiality, Integrity, and Availability.
That was a simple way to break security down into meaningful parts.
And then along came Defense in Depth. A colleague explained that Defense in Depth meant thinking about security in terms of multiple layers: Network, Host, Application, and Data.
But then another colleague said, the real key to thinking about security and Defense in Depth, was to think about it in terms of people, process, and technology.
As much as I enjoyed these thought exercises, I didn’t find them actionable enough to actually improve software or application security. And my job was to help Enterprise developers build better Line-Of-Business applications that were scalable and secure.
So our team went to the drawing board to map out actionable categories to take application security much deeper.
Right off the bat, just focusing on “application” security vs. “network” security or “host” security helped us get more specific and make security more tangible and more actionable from a Line-of-Business application perspective.
Security Categories
Here are the original security categories that we used to map out application security and make it more actionable:
- Input and Data Validation
- Authentication
- Authorization
- Configuration Management
- Sensitive Data
- Session Management
- Cryptography
- Exception Management
- Auditing and Logging
Each of these buckets helped us create actionable principles, patterns, and practices for improving security.
Security Categories Explained
Here is a brief description of each application security category:
Input and Data Validation
How do you know that the input your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing. Consider constraining input through entry points and encoding output through exit points. Do you trust data from sources such as databases and file shares?
Authentication
Who are you? Authentication is the process by which an entity verifies the claimed identity of another entity, typically through credentials, such as a user name and password.
Authorization
What can you do? Authorization is how your application provides access controls for resources and operations.
Configuration Management
Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.
Sensitive Data
How does your application handle sensitive data? Sensitive data refers to how your application handles any data that must be protected either in memory, over the network, or in persistent stores.
Session Management
How does your application handle and protect user sessions? A session refers to a series of related interactions between a user and your Web application.
Cryptography
How are you keeping secrets (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity.
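Session Management and Cryptography meet in one place: the session id must be unguessable, must expire, and should not sit in the session store in the clear. The following is an added example of one way to do that in Python; it is not code from the original post. The lifetimes, the injected clock, the in-memory table and the user names are assumptions made for illustration.

```python
"""Session ids that are unguessable, expire, and are never stored in the clear.

Added example, not from the original post. The lifetimes, the injected
clock, the in-memory table and the user names are assumptions.
"""
import hashlib
import secrets

ABSOLUTE_LIFETIME = 8 * 3600   # seconds a session may live, however active
IDLE_TIMEOUT = 15 * 60         # seconds of inactivity before it is dropped


def _fingerprint(token):
    """Only a hash of the id is stored, so a leaked session table cannot be replayed."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    def __init__(self, clock):
        self._clock = clock        # callable returning seconds; injected for the demo
        self._sessions = {}        # fingerprint -> {"user", "created", "last_seen"}

    def create(self, user):
        """Issue a fresh id from the CSPRNG (secrets, never random) and record it."""
        token = secrets.token_urlsafe(32)       # 256 bits of entropy, 43 URL-safe chars
        now = self._clock()
        self._sessions[_fingerprint(token)] = {
            "user": user, "created": now, "last_seen": now,
        }
        return token

    def lookup(self, token):
        """Return the session's user if it is live; expire it and return None otherwise."""
        key = _fingerprint(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        now = self._clock()
        too_old = now - rec["created"] > ABSOLUTE_LIFETIME
        too_idle = now - rec["last_seen"] > IDLE_TIMEOUT
        if too_old or too_idle:
            del self._sessions[key]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, token):
        """Swap the id after login or a privilege change, so an id fixed or captured
        before that point stops working. Returns the new id, or None if not live."""
        user = self.lookup(token)
        if user is None:
            return None
        del self._sessions[_fingerprint(token)]
        return self.create(user)

    def destroy(self, token):
        """Logout: drop the record so the id cannot be reused."""
        self._sessions.pop(_fingerprint(token), None)

    def count(self):
        return len(self._sessions)


def demo():
    """Walk one session through issue, use, rotation and idle timeout."""
    now = [1_000_000]                          # fake clock, advanced by hand
    store = SessionStore(clock=lambda: now[0])
    t1 = store.create("alice")
    seen = store.lookup(t1)                     # "alice": fresh id is live
    t2 = store.rotate(t1)                       # new id issued at "login"
    old_dead = store.lookup(t1)                 # None: the pre-rotation id is gone
    now[0] += IDLE_TIMEOUT + 1
    idle_dead = store.lookup(t2)                # None: idle too long, record dropped
    return seen, old_dead, idle_dead, t1 != t2, store.count()
```

The two timeouts answer different threats: the idle timeout limits how long an unattended browser stays logged in, the absolute lifetime bounds how long a captured id is worth anything at all. Rotating on login is what defeats session fixation, and hashing before storage is the same reasoning applied to session ids that already applies to passwords.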
Exception Management
When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?
Auditing and Logging
Who did what and when? Auditing and logging refer to how your application records security-related events.
As you can see, just by calling out these different categories, you suddenly have a way to dive much deeper and explore application security in depth.
The Power of a Security Category
Let’s use a quick example. Let’s take Input Validation.
Input Validation is a powerful security category, because so many software security flaws, vulnerabilities, and attacks, including buffer overflows, stem from a lack of input validation.
But here’s the interesting thing. After quite a bit of research and testing, we found a powerful security pattern that could help more applications stand up to more security attacks. It boiled down to the following principle:
Validate for length, range, format, and type.
That’s a pithy, but powerful piece of insight when it comes to implementing software security.
And when you can’t validate the input, make it safe by encoding (or sanitizing) the output for the context it is written to. Along the same lines, keep user input out of the control path (out of the text of a SQL query, for example) wherever possible.
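Here is what that principle looks like in code. This is an added example, not code from the original post: it checks a value for length, range, format, and type at the entry point, encodes it for the HTML exit point, and binds it as data rather than letting it into the query text. The function names and the sample users table are hypothetical; the probe input is constructed for the illustration.

```python
"""Added example, not code from the original post: the "length, range,
format, type" rule applied at an entry point, with output encoded at the
exit point and the value kept out of the query's control path. Function
names and the sample users table are hypothetical."""
import html
import re
import sqlite3
from dataclasses import dataclass
from typing import Union

# Allow-list format: letter first, then letters/digits/_.- ; length 3..32.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]{2,31}")
AGE_RE = re.compile(r"[0-9]{1,3}")


@dataclass(frozen=True)
class Rejected:
    reason: str


def validate_username(raw: object) -> Union[str, Rejected]:
    if not isinstance(raw, str):                        # type
        return Rejected("username must be a string")
    if not 3 <= len(raw) <= 32:                         # length
        return Rejected("username must be 3..32 characters")
    if not USERNAME_RE.fullmatch(raw):                  # format: allow-list, not a bad-pattern search
        return Rejected("username has characters outside the allow-list")
    return raw


def validate_age(raw: object) -> Union[int, Rejected]:
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):   # type (bool is an int subclass)
        return Rejected("age must be an integer")
    if isinstance(raw, str):
        if not AGE_RE.fullmatch(raw):                   # format: digits only, no sign or whitespace
            return Rejected("age must be digits")
        raw = int(raw)
    if not 0 <= raw <= 150:                             # range
        return Rejected("age out of range 0..150")
    return raw


def render_greeting(name: str) -> str:
    # Exit point is HTML: encode for that context even though the name was validated on entry.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the input becomes part of the SQL text, i.e. the control path.
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the query text is fixed; the value is bound as data only.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("validate:", validate_username(probe))           # Rejected(...)
    print("vulnerable:", find_user_vulnerable(db, probe))   # every row comes back
    print("parameterized:", find_user(db, probe))           # []
    print(render_greeting("<b>x</b>"))
```

Note that the probe is rejected by the allow-list before it ever reaches the database, and that even if validation were skipped, the parameterized query treats it as a literal name and returns nothing, while the string-built query returns every row. Validation and output encoding are layered, not alternatives.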
All of these insights flow from just focusing on Input Validation as a security category.
Threats, Attacks, Vulnerabilities, and Countermeasures
Another distinction our team made was to think in terms of threats, attacks, vulnerabilities, and countermeasures. We knew that threats could be intentional and malicious (as in the case of attacks), but they could also be accidental and unintended.
We wanted to identify vulnerabilities as weaknesses that could be addressed in some way.
We wanted to identify countermeasures as the actions to take to help mitigate risks, reduce the attack surface, and address vulnerabilities.
Just by chunking up the application security landscape into threats, attacks, vulnerabilities, and countermeasures, we empowered more people to think more deeply about the application security space.
Security Vulnerabilities Organized by Security Categories
Using the security categories above, we could easily focus on finding security vulnerabilities and group them by the relevant security category.
Here are some examples:
Input and Data Validation
- Using non-validated input in the Hypertext Markup Language (HTML) output stream
- Using non-validated input to generate SQL queries
- Relying on client-side validation
- Using input file names, URLs, or user names for security decisions
- Using application-only filters for malicious input
- Looking for known bad patterns of input
- Trusting data read from databases, file shares, and other network resources
- Failing to validate input from all sources including cookies, query string parameters, HTTP headers, databases, and network resources
Authentication
- Using weak passwords
- Storing clear text credentials in configuration files
- Passing clear text credentials over the network
- Permitting over-privileged accounts
- Permitting prolonged session lifetime
- Mixing personalization with authentication
Authorization
- Relying on a single gatekeeper
- Failing to lock down system resources against application identities
- Failing to limit database access to specified stored procedures
- Using inadequate separation of privileges
Configuration Management
- Using insecure administration interfaces
- Using insecure configuration stores
- Storing clear text configuration data
- Having too many administrators
- Using over-privileged process accounts and service accounts
Sensitive Data
- Storing secrets when you do not need to
- Storing secrets in code
- Storing secrets in clear text
- Passing sensitive data in clear text over networks
Session Management
- Passing session identifiers over unencrypted channels
- Permitting prolonged session lifetime
- Having insecure session state stores
- Placing session identifiers in query strings
Cryptography
- Using custom cryptography
- Using the wrong algorithm or a key size that is too small
- Failing to secure encryption keys
- Using the same key for a prolonged period of time
- Distributing keys in an insecure manner
Exception Management
- Failing to use structured exception handling
- Revealing too much information to the client
Auditing and Logging
- Failing to audit failed logons
- Failing to secure audit files
- Failing to audit across application tiers
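To make the session management and cryptography entries in the list above concrete, here is an added example (not code from the original post) of a small server-side session store that avoids them: identifiers come from the platform CSPRNG, lifetimes are short, the identifier travels only in a Secure/HttpOnly cookie and never in a query string, and a fresh identifier is issued at login. SessionStore, its methods, the cookie name and the timeouts are hypothetical choices for the illustration.

```python
"""Added example, not code from the original post: a server-side session
store that avoids the session-management and cryptography vulnerabilities
listed above. SessionStore, its methods and the cookie name are hypothetical."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SESSION_COOKIE = "sid"
IDLE_TIMEOUT = 15 * 60        # seconds idle before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds after creation, regardless of activity


@dataclass
class Session:
    user: Optional[str]
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                       # injectable clock so expiry can be tested
        self._sessions: Dict[str, Session] = {}

    def create(self, user: Optional[str] = None) -> str:
        # 32 bytes from the OS CSPRNG. A counter, a timestamp or random.random() is guessable.
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = Session(user=user, created=t, last_seen=t)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid)                 # expired: a stolen id has a bounded replay window
            return None
        s.last_seen = t
        return s

    def login(self, old_sid: Optional[str], user: str) -> str:
        # Rotate the id when privilege changes, so an id planted before login (fixation) is useless.
        old = self._sessions.pop(old_sid, None) if old_sid else None
        new_sid = self.create(user)
        if old is not None:
            self._sessions[new_sid].data = old.data
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    # Secure: sent only over TLS. HttpOnly: unreadable from script, which limits theft via XSS.
    # SameSite=Lax: not sent on cross-site POSTs. Max-Age matches the idle timeout.
    return (f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={IDLE_TIMEOUT}")


def session_id_from_request(scheme: str, cookies: Dict[str, str],
                            query: Dict[str, str]) -> Optional[str]:
    # Only the cookie is consulted. Ids in the query string leak through logs,
    # Referer headers and bookmarks, so `query` is deliberately ignored.
    if scheme != "https":
        return None                           # never honour a session over a clear-text channel
    return cookies.get(SESSION_COOKIE)
```

The two timeouts serve different threats: the idle timeout limits how long a hijacked identifier stays useful, and the absolute timeout caps a session even if the attacker keeps it alive.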
Again, using our security categories, we could then group threats and attacks by relevant security categories.
Here are some examples of security threats and attacks organized by security categories:
Input and Data Validation
- Buffer overflows
- Cross-site scripting
- SQL injection
- Canonicalization attacks
- Query string manipulation
- Form field manipulation
- Cookie manipulation
- HTTP header manipulation
Authentication
- Network eavesdropping
- Brute force attacks
- Dictionary attacks
- Cookie replay attacks
- Credential theft
Authorization
- Elevation of privilege
- Disclosure of confidential data
- Data tampering
- Luring attacks
Configuration Management
- Unauthorized access to administration interfaces
- Unauthorized access to configuration stores
- Retrieval of clear text configuration secrets
- Lack of individual accountability
Sensitive Data
- Accessing sensitive data in storage
- Accessing sensitive data in memory (including process dumps)
- Network eavesdropping
- Information disclosure
Session Management
- Session hijacking
- Session replay
- Man-in-the-middle attacks
Cryptography
- Loss of decryption keys
- Encryption cracking
Exception Management
- Revealing sensitive system or application details
- Denial of service attacks
Auditing and Logging
- User denies performing an operation
- Attacker exploits an application without trace
- Attacker covers his tracks
Now here is where the rubber really meets the road. We could group security countermeasures by security categories to make them more actionable.
Here are example security countermeasures organized by security categories:
Input and Data Validation
- Do not trust input
- Validate input: length, range, format, and type
- Constrain, reject, and sanitize input
- Encode output
Authentication
- Use strong password policies
- Do not store credentials
- Use authentication mechanisms that do not require clear text credentials to be passed over the network
- Encrypt communication channels to secure authentication tokens
- Send forms authentication cookies only over HTTPS (mark them secure so they are never sent over a clear-text channel)
- Separate anonymous from authenticated pages
Authorization
- Use least privilege accounts
- Consider granularity of access
- Enforce separation of privileges
- Use multiple gatekeepers
- Secure system resources against system identities
Configuration Management
- Use least privileged service accounts
- Do not store credentials in clear text
- Use strong authentication and authorization on administrative interfaces
- Do not use the Local Security Authority (LSA)
- Avoid storing sensitive information in the Web space
- Use only local administration
Sensitive Data
- Do not store secrets in software
- Encrypt sensitive data over the network
- Secure the channel
Session Management
- Partition site by anonymous, identified, and authenticated users
- Reduce session timeouts
- Avoid storing sensitive data in session stores
- Secure the channel to the session store
- Authenticate and authorize access to the session store
Cryptography
- Do not develop and use proprietary algorithms (XOR is not encryption. Use platform-provided cryptography)
- Use the RNGCryptoServiceProvider class to generate random numbers (on current .NET, RandomNumberGenerator is the supported API and RNGCryptoServiceProvider is marked obsolete)
- Avoid key management. Use the Windows Data Protection API (DPAPI) where appropriate
- Periodically change your keys
Exception Management
- Use structured exception handling (by using try/catch blocks)
- Catch and wrap exceptions only if the operation adds value/information
- Do not reveal sensitive system or application information
- Do not log private data such as passwords
Auditing and Logging
- Identify malicious behavior
- Know your baseline (know what good traffic looks like)
- Use application instrumentation to expose behavior that can be monitored
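The exception management countermeasures above fit together in one request handler. This is an added example, not code from the original post: it uses structured exception handling, wraps a low-level failure only where wrapping adds context, returns a generic message plus a reference id to the client, writes the detail to the log, and redacts credentials before anything is logged. PaymentError, charge, handle_request, redact and the failing backend are hypothetical names constructed for the illustration.

```python
"""Added example, not code from the original post: structured exception
handling that tells the client only what it needs, sends the detail to the
log under a correlation id, wraps only where wrapping adds context, and
keeps credentials out of the log. All names here are hypothetical."""
import logging
import uuid
from typing import Callable, Dict, Tuple

log = logging.getLogger("app")

SECRET_KEYS = {"password", "pwd", "secret", "token", "authorization"}


def redact(params: Dict[str, str]) -> Dict[str, str]:
    # Private data never reaches the log, whatever else the record contains.
    return {k: ("***" if k.lower() in SECRET_KEYS else v) for k, v in params.items()}


class PaymentError(Exception):
    """Domain-level failure carrying the order context the raw exception lacks."""

    def __init__(self, order_id: str):
        super().__init__(f"payment failed for order {order_id}")
        self.order_id = order_id


def charge(order_id: str, backend: Callable[[str], str]) -> str:
    try:
        return backend(order_id)
    except (ConnectionError, TimeoutError) as exc:
        # Wrapping adds value here (which order, at which layer); a bare re-raise would not.
        raise PaymentError(order_id) from exc


def handle_request(params: Dict[str, str],
                   backend: Callable[[str], str]) -> Tuple[int, str, str]:
    """Return (status, body sent to the client, line written to the log).
    The client sees only a generic message and a correlation id; the
    operator finds the cause in the log under that id."""
    corr = uuid.uuid4().hex
    try:
        return 200, f"ok {charge(params['order_id'], backend)}", ""
    except PaymentError as exc:
        line = (f"corr={corr} {exc} cause={type(exc.__cause__).__name__}: "
                f"{exc.__cause__} params={redact(params)}")
        log.error(line)
        return 502, f"Payment could not be completed. Reference {corr}.", line
    except Exception as exc:                  # anything unplanned: a generic 500, never a stack trace
        line = f"corr={corr} unexpected {type(exc).__name__}: {exc} params={redact(params)}"
        log.exception(line)                   # the stack trace goes to the log, not to the client
        return 500, f"An internal error occurred. Reference {corr}.", line
```

The correlation id is what makes the generic client message workable in practice: support can find the full record without the application ever revealing host names, stack traces or credentials to the caller.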
As you can see, the security countermeasures can easily be reviewed, updated, and moved forward, because the actionable principles are well organized by the security categories.
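The auditing and logging countermeasures (audit failed logons, know your baseline, identify malicious behavior) are easiest to see over an actual log. This is an added example, not code from the original post: it parses a constructed audit log in which every record carries who, what, when and from where, computes a baseline failure rate per source, and flags a source that either bursts past the baseline or fails against many different accounts. The log format, thresholds and function names are assumptions for this illustration.

```python
"""Added example, not code from the original post: a detector over a
constructed audit log. Each record carries actor, outcome, time and origin,
so a user cannot plausibly deny an action and an attacker cannot act
without trace. Log format, thresholds and names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (not a real product format).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z logon result=failure user=alice src=10.1.1.7
2024-05-01T09:00:09Z logon result=success user=alice src=10.1.1.7
2024-05-01T09:01:00Z logon result=success user=bob src=10.1.1.8
2024-05-01T09:02:00Z logon result=failure user=admin src=203.0.113.9
2024-05-01T09:02:03Z logon result=failure user=administrator src=203.0.113.9
2024-05-01T09:02:07Z logon result=failure user=root src=203.0.113.9
2024-05-01T09:02:12Z logon result=failure user=guest src=203.0.113.9
2024-05-01T09:02:20Z logon result=failure user=bob src=203.0.113.9
2024-05-01T09:02:31Z logon result=failure user=alice src=203.0.113.9
2024-05-01T09:05:00Z logon result=success user=carol src=10.1.1.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) logon result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue                      # malformed lines are skipped, not trusted
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def failure_baseline(events: List[dict]) -> float:
    """Mean failed logons per source: what 'good traffic' looks like in this log."""
    per_src: Dict[str, int] = defaultdict(int)
    for ev in events:
        per_src[ev["src"]] += 1 if ev["result"] == "failure" else 0
    return sum(per_src.values()) / max(len(per_src), 1)


def detect(events: List[dict], window: timedelta = timedelta(minutes=1),
           burst: int = 5, users: int = 3) -> List[dict]:
    """Flag a source with >= `burst` failures inside `window` (brute force) or
    failures against >= `users` distinct accounts (dictionary / spraying)."""
    failures: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            failures[ev["src"]].append(ev)
    findings = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0                            # sliding window over the sorted timestamps
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            if hi - lo + 1 >= burst:
                findings.append({"src": src, "kind": "burst",
                                 "failures": hi - lo + 1, "start": evs[lo]["ts"]})
                break
        distinct = {e["user"] for e in evs}
        if len(distinct) >= users:
            findings.append({"src": src, "kind": "many_users", "users": sorted(distinct)})
    return findings
```

In the sample, alice's single mistyped password from 10.1.1.7 sits at the baseline and is not flagged, while 203.0.113.9 trips both detectors within thirty seconds. The thresholds here are illustrative; in a real deployment they come from the baseline you measured, not from a guess.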
There are many ways to use categories to get smarter and get better results.
In the future, I’ll walk through how we created an Agile Security approach, using categories.
Meanwhile, check out my post on The More Distinctions You Make, the Smarter You Get to gain some additional insights into how to use empathy and creating categories to dive deeper, learn faster, and get smarter on any topic you want to take on.
"Innovation—the heart of the knowledge economy—is fundamentally social." -- Malcolm Gladwell
I’m a big believer in having clarity around what you help your customers do.
I was listening to Satya Nadella’s keynote at the Microsoft Worldwide Partner Conference, and I like how he put it so simply, that we help our customers transform.
Here’s what Satya had to say about how we help our customers transform their business:
“These may seem like technical attributes, but they are key to how we drive business success for our customers, business transformation for our customers, because all of what we do, collectively, is centered on this core goal of ours, which is to help our customers transform.
When you think about any customer of ours, they're being transformed through the power of digital technology, and in particular software.
There isn't a company out there that isn't a software company.
And our goal is to help them differentiate using digital technology.
We want to democratize the use of digital technology to drive core differentiation.
It's no longer just about helping them operate their business.
It is about them excelling at their business using software, using digital technology.
It is about our collective ability to drive agility for our customers.
Because if there is one truth that we are all faced with, and our customers are faced with, it's that things are changing rapidly, and they need to be able to adjust to that.
And so everything we do has to support that goal.
How do they move faster, how do they interpret data quicker, how are they taking advantage of that to take intelligent action.
And of course, cost.
But we'll keep coming back to this theme of business transformation throughout this keynote and throughout WPC, because that's where I want us to center in on.
What's the value we are adding to the core of our customer and their ability to compete, their ability to create innovation.
And anchored on that goal is our technical ambition, is our product ambition.”
Transformation is the name of the game.
You hear Mobile-First, Cloud-First all the time.
But do you ever hear it really explained?
I was listening to Satya Nadella’s keynote at the Microsoft Worldwide Partner Conference, and I like how he walked through how he thinks about a Mobile-First, Cloud-First world.
Here’s what Satya had to say:
“There are a couple of attributes.
When we talk about Mobile-First, we are talking about the mobility of the experience.
What do we mean by that?
As we look out, the computing that we are going to interface with, in our lives, at home and at work, is going to be ubiquitous.
We are going to have sensors that recognize us.
We are going to have computers that we are going to wear on us.
We are going to have computers that we touch, computers that we talk to, the computers that we interact with as holograms.
There is going to be computing everywhere.
But what we need across all of this computing, is our experiences, our applications, our data.
And what enables that is in fact the cloud acting as a control plane that allows us to have that capability to move from device to device, on any given day, at any given meeting.
So that core attribute of thinking of mobility, not by being bound to a particular device, but it's about human mobility, is very core to our vision.
Second, when we think about our cloud, we think distributed computing will remain distributed.
In fact, we think of our servers as the edge of our cloud.
And this is important, because there are going to be many legitimate reasons where people will want digital sovereignty, people will want data residency, there is going to be regulation that we can't anticipate today.
And so we have to think about a distributed cloud infrastructure.
We are definitely going to be one of the key hyper-scale providers.
But we are also going to think about how do we get computing infrastructure, the core compute, storage, network, to be distributed throughout the world.
These may seem like technical attributes, but they are key to how we drive business success for our customers, business transformation for our customers, because all of what we do, collectively, is centered on this core goal of ours, which is to help our customers transform.”
That’s a lot of insight, and very well framed for creating our future and empowering the world.
It’s great to get back to the basics, and purpose is always a powerful starting point.
I was listening to Satya Nadella’s keynote at the Microsoft Worldwide Partner Conference, and I like how he walked through the Microsoft mission in a mobile-first, cloud-first world.
Here’s what Satya had to say:
“Our mission: Empowering every person and every business on the planet to achieve more.
(We find that by going back into our history and re-discovering that core sense of purpose, that soul ... a PC in every home, democratizing client/server computing.)
We move forward to a Mobile-First, Cloud-First world.
We care about empowerment.
There is no other ecosystem that is primarily, and solely, built to help customers achieve greatness.
We are focused on helping our customers achieve greatness through digital technology.
We care about both individuals and organizations. That intersection of people and organizations is the cornerstone of what we represent as excellence.
We are a global company. We want to make sure that the power of technology reaches every country, every vertical, every organization, irrespective of size.
There will be many goals.
What remains constant is this sense of purpose, the reason why this ecosystem exists.
This is a mission that we go and exercise in a Mobile-First, Cloud-First world.”
If I think back to why I originally joined Microsoft, it was to empower every person on the planet to achieve more.
And the cloud is one powerful enabler.
A while back, a colleague challenged me to find something simple and sticky for the big idea behind Sources of Insight. After trying several phrases, here’s the one that stuck:
Skilled for Life
He liked it because it had punch. It also had a play on words, and you could read it two different ways.
I like it because it captured the big idea behind Sources of Insight. The whole purpose behind the site is to help as many people improve the quality of their life as possible.
I’ve found that skills can make or break somebody’s chance for success. And, I don’t just mean from a career perspective. To be effective in all areas of our life, we need skills across several domains:
Skilled for Life is meant to be a very simple phrase, with a very intentional outcome:
Equip you with the skills you need to survive and thrive in today’s world.
It’s all about personal empowerment.
Not everybody gets the right mentors, or the right training, or the right breaks. So Sources of Insight is designed from the ground up to be your personal success library that helps you make your own breaks, create your opportunities, and own your destiny.
By sharing the world’s best insight and action for work and life. By providing you with very real skills for mastering emotional intelligence, intellectual horsepower, creative brilliance, interpersonal relationships, career growth, health, and happiness (yeah, happiness is a skill you can learn). And by providing you with principles, patterns, and practices for a smarter, more creative, and more capable you.
To give you one simple example of how happiness is a skill, let me tell you about the three paths of happiness according to Dr. Martin Seligman:
- The Pleasant Life
- The Good Life
- The Meaningful Life
You can think of them like this: The Pleasant Life is all about pleasures, here and now. The Good Life is about spending more time in your values. The Meaningful Life is about fulfillment by helping the greater good, using your unique skills. It’s giving our best where we have our best to give, and moving up Maslow’s stack.
When you know the three paths of happiness, you can more effectively build your happiness muscles. For example, you can Discover Your Values, so that you can spend more time in them, and live life on your terms.
That’s just one example of how you can improve your self-efficacy with skill.
There is a vast success library of everything from inspirational quotes to inspirational heroes, as well as principles, patterns, and practices for skills to pay the bills and lead a better life. Sources of Insight is a dojo of personal development, and your jump start for realizing your potential.
I invite you to check out the following page on Sources of Insight, where I share what Skilled for Life is all about:
Skills empower you.