Series
Thinking About Risk
I spend what feels like a majority of my waking hours thinking about risk. Professionally, I’ve worked in computer security for fifteen years (and software engineering more generally for longer). So my work days are filled with questions about risk: how risky is this vulnerability? How dangerous is it to launch this new feature if it hasn’t gotten a proper security review yet? How much risk is left after we do that review? And then after work, all my hobbies take place outdoors in the wilderness: backpacking, trail running, packrafting, mountaineering, canyoneering. So my hobbies are also filled with questions about risk: is it safe to cross this river here? What bear safety precautions do I need to take in this area? Is this a safe rapid to run or should I portage?
Professionals who work with risk for a living — security engineers, wilderness guides, insurance adjusters, investors, etc. — develop sophisticated tools and mental frameworks to help them think clearly about risk and make good decisions. But people who don’t live in these worlds can often find risk discussions hard to follow. We often use jargon that seems intuitive — words like “risk”, “exposure”, “threat”, “mitigation”, etc. — but has specific and sometimes subtle valences to in-groups.
And without training, it’s easy to fall into traps — risk does weird things to our brains, often keeping us from thinking clearly about risky situations. For example, most people feel less safe on an airplane than they do in a car, despite the fact that commercial air travel is many orders of magnitude safer than car travel. Or: when I tell people about a trip I’m taking to Alaska, most people will ask me about the risk of grizzly bears, despite the fact that hypothermia is a much more significant risk. (Bears are just more exciting than shivering!)
So this is a series about how to think about risk. This series is a crash course, a high-level introduction to the most important concepts and risk frameworks. It’s intended for people who encounter risk from time to time and need some basic tools, but don’t want to make a deep study of it. My hope is that it’ll help you better analyze risk when it comes up for you, and also make it easier to navigate conversations with risk professionals.
- An introduction to thinking about risk December 4th, 2024
- Mitigation December 10th, 2024
Estimating Software Projects
- Software Estimation Is Hard. Do It Anyway. May 20th, 2021
- My Software Estimation Technique May 25th, 2021
- The art of the SWAG June 2nd, 2021
- So you messed up. Now what? June 8th, 2021
- Breaking Down Tasks March 11th, 2024
Making Decisions
How should engineering organizations make big decisions?
- RFC processes are a poor fit for most organizations December 1st, 2023
- First decide how to decide: “one weird trick” for easier decisions December 5th, 2023
Professionalism
My series on professionalism: the set of workplace behaviors that are generally expected at work. These behaviors are largely unspoken, but they do exist: there are consequences for violating them. In this series, I aim to write down some of these rules and explore their implications.
- What is “professionalism” and why am I writing about it? April 12th, 2022
- Honesty is a professional behavior May 19th, 2022
- You should maintain a transition file November 9th, 2022
- No Yelling November 21st, 2023
Mailbag
- Adapting Interview Questions for Junior Candidates March 29th, 2021
- Dealing With Misalignment While Hiring May 23rd, 2022
- Should you give candidates feedback on their interview performance? August 25th, 2023
Checking References
Why and how to check references, and what to do with the information that comes up.
- Yes, You Should Check References June 22nd, 2022
- How to Check References June 24th, 2022
- What to do if a reference check goes wrong July 6th, 2022
Book Review
- Team Topologies July 5th, 2021
- Powerful (Patty McCord) January 18th, 2022
Work Sample Tests
Work sample tests are an exercise, a simulation, a small slice of real day-to-day work that we ask candidates to perform. They’re practical, hands-on, and very close or even identical to actual tasks the person would perform if hired. They’re also small, constrained, and simplified enough to be fair to include in a job selection process.
Work sample tests are a critical factor in effective hiring. Interviews aren’t enough; hiring without work sample tests risks selecting people who excel at interviewing but can’t actually perform the job.
This series builds a framework for effective work sample tests, and gives a bunch of examples of effective tests.
- Introduction to Work Sample Tests November 9th, 2021
- The tradeoff between inclusivity and predictive value November 10th, 2021
- A Framework for Good Work Sample Tests: Eight Rules for Fair Tests November 17th, 2021
- Coding “Homework” November 23rd, 2021
- Pair Programming November 30th, 2021
- Bring Your Own Code December 7th, 2021
- ‘Reverse’ Code Review December 15th, 2021
- Labs & Simulation Environments December 24th, 2021
- What doesn't work (and why) December 30th, 2021
- Wrap Up and Q&A January 6th, 2022
Delegation
Most managers know that delegation is part of their job, but the vast majority of management texts are incredibly non-specific about what delegation means. This series on delegation tries to fill this gap. I’ll cover the principles and theories that guide how I think about delegation, ending with a concrete example: how to delegate meeting attendance.
- What's delegation? July 19th, 2021
- “Give Away Your Toys” July 19th, 2021
- Make Failure A (Safe) Option July 20th, 2021
- Delegate Outcomes, Not Methods July 21st, 2021
- Briefing a Delegate September 27th, 2021
- How to Delegate Meeting Attendance October 6th, 2021
Unpacking Interview Questions
A series sharing some of the questions I use when I interview for technical roles. I’ll unpack the question, when to ask it, and how to evaluate answers.
- “Explain a Topic At Multiple Levels…” February 8th, 2021
- “Tell Me About a Project You Led…” February 9th, 2021
- Diversity, Equity, and Inclusion February 10th, 2021
- “Tell Me About a Disagreement…” February 11th, 2021
- The Weakness Question February 12th, 2021
- Interview Question Series Wrap Up February 15th, 2021
- Types of Interview Questions March 1st, 2021
- Adapting Interview Questions for Junior Candidates March 29th, 2021
Articles for r2c
Articles I’ve written for r2c, a security startup I consult for. They’re building semgrep, a code search tool that understands Python syntax (and many other languages).
R2C pays me to write these articles for their blog, and gives me permission to cross-post them here.
- Bringing Security along on the CI/CD journey January 11th, 2021
- Not all attacks are equal: understanding and preventing DoS in web applications September 11th, 2020
- Preventing SQL Injection in Django May 15th, 2020
My Python Development Environment
Documenting my local Python Development environment.
- My Python Development Environment, 2020 Edition November 11th, 2019
- My Python Development Environment, 2018 Edition February 21st, 2018
Measuring the Django Community
- Circles of Django (2007) March 22nd, 2007
- The Django community in 2009 November 6th, 2009
- The Django community in 2012 March 5th, 2012
Writing Great Documentation
A series of articles laying out the tools, tips, and techniques I’ve learned over the years I’ve spent helping to write Django’s docs.
- What to write November 10th, 2009
- Technical style November 11th, 2009
- You need an editor November 12th, 2009