Kilala.nl - Personal website of Tess Sluijter


New points of view on vulnerability management

2024-07-26 10:27:00

This morning on my way to work I listened to the latest episode of the Open Source Security podcast. Their topic was very relevant to a past intern Jana's master's research and to my current intern Cynthia's software project.

Specifically, episode 438: CISA's bad OSS advice, vs the White House's good advice 

They made some very good points speaking against our team's ideas of doing risk analysis on open source dependencies. I really like it when smart people provide counterpoints to my own thoughts. 

My teams and interns followed a classical approach, where we discern a number of key factors and metrics to determine whether a software dependency is "trustworthy".

I still like that we did these projects, because they can provide insight into our risk exposure. But I agree with the podcast's presenters that such a tool doesn't provide a solution to the problem.  

They pointed to CISA's recent document about this very same problem, which they dubbed unhelpful. And they referred to Mitre's Hipcheck, which is another software solution for risk assessment on open source dependencies. 

It all sounds like great materials to read into! It might even make for some interesting conclusions and counterpoints for our current intern's final report.



Introspection: pitfalls which hamper my development

2024-07-22 11:15:00

A mindmap showing my strengths and weaknesses

Here's a bigger version of the mindmap shown above.

After last week's introspection about my career, I've been doing a lot more thinking. I've put a lot of thought into which technical and non-technical skills I need to develop, to stay current in today's market. I'll talk about that another day.

I also realized that I left out one important thing in my mindmap: my personal pitfalls.



Introspection: rethinking my career

2024-07-18 21:52:00

A mind map where I think about my career.

The past few days I’ve felt a bit stuck in my work, feeling the need for some change although I’m not quite sure what yet. My weekly routine has been quite that: routine.

 

Every week, I spend four days with my primary consulting customer and the fifth day I teach classes at ITVitae. For over a year I’ve been thinking how I could change that up, especially now that I’m self-employed and “a businessperson”. I don’t just get to run my own career, I have to!

 

I’ve been juggling all kinds of options.

 

  • Can I maybe split my four days among more than one customer?
  • Could I maybe split weeks between teaching for another company and doing smaller contracting gigs?
  • Could I do three days of contracting, having one day for “management” work? Does that mean I could try and get an employee?
  • Am I really happy with the direction my consulting gigs have had, these past years?

 

After a rather big family event (one of our two cats passed away) I turned all the sourer and more introspective. I think I want something to change, but I’m not sure what.

 

So, I got to mind mapping and brainstorming. Thinking about things that give me energy and things that really eat energy from me. I put those into clouds of “things I like which help others”, “things I like which feed my ego”, “things I enjoy”, “things I dislike” and “things I’m not good at”.

 

Which resulted in the overview you see above (here’s a larger image). EDIT: Just to give more insight into my process, here's what the whiteboarding session ended up looking like

 

I then looked at where those things either feed upon another, or where they clash.

 

For example:

 

  • Ever since I took over as CEO of Unixerius, I’ve been thinking about helping juniors by employing them, getting them into IT. But after guiding five interns across four organizations I have learned two things: I’m not good at “bossing” someone if they underperform and between all my other work I don’t have/make/take enough time to manage them.

    So, if I really want to do this, then I really need to drop hands-on work. Which clashes with the fact that I really, really enjoy doing my own hands-on work. 

    Conclusion: it is not a good idea for me to hire a junior employee of my own. If I can help another senior who is self-reliant like I was when Dick was CEO, I’ll do it! But I can’t in good conscience hire a newcomer.

  • Some of the best fun I had while contracting was four customers ago, when I worked for a government subcontractor. At the time I spec'd, designed, built and documented three key infrastructures for a greenfield IT environment. I built an HSM-backed PKI, a Graylog central logging system and a PAM solution as core infra for hundreds of servers.

    That was a huge challenge and it let me run three whole projects by myself. I was hands-on with everything, and I loved it!

    Yes, I also had to deal with some of the formal architecture stuff which I loathed, but it was worth it. But I do know for a fact that I do not want to make architecture my main activity. Never ever. 

    Conclusion: I want to do more hands-on work again, building something real instead of telling people how to do it. 

  • There’s a big clash between my dislike of not understanding something I work with and me wanting to really learn in-depth about the tech I work with. This frequently leads to imposter syndrome because I keep learning how little I really know. 

    That’s not something easily fixed. That’s not something you take away. It’s something I need to learn how to cope with through introspection, mindfulness, and acceptance.

    Conclusion: I should find exercises to accept my limitations, while also investing time and money into learning what I want and need.

  • The last three of my assignments were all about DevSecOps. I very much enjoy the tech aspect of it, helping people by building pipelines and tools that make developers’ lives easier. I love teaching people how to improve their work, giving them new skills. And I don’t even mind working with architects to help clarify security and compliance requirements.

    But I have a hard time dealing with management BS and politics. And it grates on me when people willingly refuse to learn new things. Fighting against the momentum and drudgery of a slow turning ship wears me down. I really do want to help people, but from time to time I need a change of pace. 

    Heck, last year my WICCON presentation covered all this stuff!

    Conclusion: Next time, maybe less with the AppSec coaching stuff, no?

  • I really want to spend MORE time learning, spending time and money on my own education. To be open: I’m afraid of falling behind! I am afraid of losing relevance in the consulting market. 

    But I don’t have time enough! I already spend many of my evenings on learning, or on preparing classes for my students, so there’s no more room over there. 

    I could switch back to three days of consulting, one day of teaching and then have one day for learning. I could do that for a few months and then go back to four days consulting. That would work!

    Of course, the alternative to staying relevant as consultant would be to hire a few people and manage them while they bring in money. But we already covered that: I don’t know how to pivot into that successfully and I don’t know if I want to.

 

So… Decisions!

 

  • I have already started pitching lines to new potential consulting customers, so I can do a 2/2 split in my days and work on two different assignments. 

  • I have informed my current primary customer that I will be decreasing my hours a bit. This will either give me the room I need for that second customer, or it gives me temporary respite for some additional learning!

  • I have discussed my desire for more hands-on work with my coworkers at my current consulting customer. I had already set wheels in motion for a project to implement a new infra and app stack, so we decided that I would do the whole shebang.

    That means moving part of my DevSecOps coaching and managerial work to the new internal hire, which is a good thing. 

  • I have become a lot more "selfish" insofar as I'm outright decreasing my availability to my primary customer, to make room for teaching and learning.

    I’m teaching my week-long DevSecOps intro class twice this fall and I’m doing SANS Amsterdam this October.

 

This introspection has been useful! 

 

I’m not done yet though. I need to rethink my planned learning path, to make sure I’m still investing time in the right things.

