Jacob Kaplan-Moss

I'm a software developer, co-creator of Django, and an experienced engineering leader. I previously ran teams at 18F and Heroku. I'm currently the Principal Engineer at Hangar, and available for limited consulting engagements through my consultancy, REVSYS.


Measuring Hiring Manager Effectiveness September 14th, 2020

Hiring is one of the most important parts of a manager’s job. Make good hires and your team (and thus the whole company) will have better results. Make poor hires, and those people will drag the team down. In the worst cases, a toxic hire can drive other staff to quit, totally destroying the team. Strangely, for such an important part of the job, hiring performance seems to be very poorly measured.…

Not all attacks are equal: understanding and preventing DoS in web applications September 11th, 2020

Denial-of-Service (DoS) vulnerabilities are common, but teams frequently disagree on how to treat them. The risk can be difficult to analyze: I’ve seen development teams argue for weeks over how to handle a DoS vector. This article tries to cut through those arguments. It provides a framework for engineering and application security teams to think about denial-of-service risk, breaks down DoS vulnerabilities into high-, medium-, and low-risk classes, and has recommendations for mitigations at each layer.

Training Interviewers September 8th, 2020

What’s the best way to train folks to conduct job interviews? I have a process I’ve used for about five years that seems to work well. It’s loosely based on the “see one, do one, teach one” methodology used by many medical schools.

Preventing SQL Injection in Django May 15th, 2020

I wrote this article for r2c, a security startup I’ve been consulting for. They’ve been building Bento, a program analysis toolkit that can find bug through static anaylsys of Python code. It uses semgrep, a code search tool that understands Python syntax. I’ve been helping them figure out which kinds of checks matter to Django developers. SQL injection is one of the places we decided to start, and I wrote this article to explain the problem, solutions, and how Bento/semgrep can help.…

What accomplishments sound like on software engineering resumes May 8th, 2020

Effective resumes need to contain two things: responsibilities and accomplishments. The first tells the read what your job was; the second, what your results were. Unfortunately, most people fail at the second part. I’ve seen thousands — maybe tens of thousands — of resumes, and most don’t contain accomplishments. This makes it difficult for a hiring manager to get excited about your resume: knowing what you were supposed to do doesn’t tell a reader how well you did that thing.…

Full Archive →