Monday, December 25, 2017

Gujarat elections: what it represents for Indian polity

Recently, state elections concluded in Gujarat and Himachal Pradesh. Like most elections of the past few years, this one again had a high-pitched campaign, with racial slurs, abuses and insinuating comments being thrown all around. This follows the pattern of the past decade whenever elections happen in a crucial state with a significant electoral mass. In recent times even the tactics have become more nuanced - for example, the award wapasi by a host of "eminent" people during the 2015 Bihar elections.

What separated the Gujarat election from all of these was that Gujarat is the home state of both the Prime Minister and the BJP's party president. Such was the importance of these elections that national media outlets seemingly didn't care about the Himachal Pradesh results, which served more as filler news. Even the stock market dipped 850 points at one point when Congress gained a relative lead. No wonder there are some very important conclusions that can be drawn here, which should hold true for elections to come in the next few years:

1. BJP/NDA is not invincible
Every policy decision is bound to make one section of society happy at the cost of another. While the BJP may be working hard on reforms like taxation (GST) and insolvency and bad loans (IBBI and NCLT), the benefits of these policies are mostly being absorbed by corporates and are not being passed on to the lower strata of society. As such, economic disparity is widening, and there is a huge untapped frustration within the majority of the electorate, most of whom obviously don't work within corporate setups. The rural-urban divide in Gujarat was massive, and it will be interesting to see how the BJP bridges the gap, and how others reap the benefit of it.

2. Rahul Gandhi is not Pappu anymore
Rahul Gandhi has grown, at least in the eyes of the media, from a Pappu into a more mature politician. Thankfully for Congress, Mr. Gandhi has learned restraint and didn't score any own goals while delivering his speeches in these elections. He even scored brownie points by rightly targeting Mr. Modi, as with "Modiji always talks about Modiji". Some of his observations resonated well with the urban masses, and Congress successfully emerged as the party of choice for regional leaders representing people's anger with the dispensation. How much of the strategy was Mr. Gandhi's own effort and how much came from his advisors and media team can always be debated, but the fact is he managed to strike at the BJP's roots in the rural areas. Going forward, he and his team will command more respect if they can sustain this momentum in the elections to come.

3. Hindutva is no one's monopoly
Congress and many regional parties have at times indulged in minority appeasement at the cost of the majority. While India is a secular nation, one cannot forget that a majority does exist. By visiting temples, and with comments like Janeudhari Brahmin, Rahul Gandhi has established his soft Hindutva credentials. While these may not be enough to convince the mature or hardline voter, there can now be enough confusion amongst the general masses for them not to care about it. It's interesting to see what just a few temple visits can do in politics. The realignment of the Congress outlook is another thing to watch for in future.

4. There is greater scope for parties representing minority interests now
With Congress moving onto the soft Hindutva bandwagon, and the BJP having long been associated with Hindutva and the RSS, there is good scope for regional parties to increase their seat share in constituencies where minorities are a sizeable chunk. While Congress may not have had minority appeasement points in its campaigns, it had been the party of choice for minorities. However, with Congress not having won the elections overall, there is only so much patience minorities will have with it in the next set of elections before they start looking at other options.

5. Doubts on credibility of EVMs and VVPAT can cease now
In the Gujarat elections, the Election Commission did a random match at booth level to compare the EVM count with the VVPAT trail in each constituency, and found a 100% match across constituencies. With this, the doubts on the credibility of EVMs will hopefully be put to rest in future elections. The result tally in Gujarat would have been much more skewed if the EVMs had been malfunctioning, given the BJP's stated goal of 150 seats. Any party that now seeks a return to paper ballots over EVMs/VVPATs would be seen as plainly cribbing and trying to take elections back to the days of booth hijacking and fake ballots, thus losing its appeal with urban voters.

6. Modi is the only Star BJP has
While many agencies were predicting a BJP defeat, the BJP was able to pull back from the jaws of defeat because of the extensive campaigning Modi did in the last 30 days. However, the BJP needs to seriously build its next generation of leaders if it wants to stay relevant in another decade or so. While it has Yogi, Swaraj, Jaitley and a host of other politicians who score well on administration and other agendas, it doesn't have any other national leader with the mass connect that Modi has across India. Modi is currently 67 years old, and given the BJP's stated preference for retiring politicians at 75, he can only be relevant for one more term of five years. Now is the right time for the BJP to find a batch of younger leaders and nurture them not just administratively but also politically, so as to stay relevant in the mid-2020s. In comparison, Congress has Rahul Gandhi and Priyanka Gandhi, who could still be very relevant 10 years from now.

7. India will still take years to overthrow Caste equations with Vikas
For development to be relevant to all, its results have to reach everyone. While GST may have solved the woes of many companies, the average Indian has hardly seen any meaningful benefit so far. In the UP elections earlier this year, caste coalitions were believed to be a major factor in the BJP's massive victory in the state. With Congress hinging on three regional leaders representing different strata - Hardik for Patidars, Jignesh for Dalits and Alpesh for OBC Thakors - and the BJP drawing mileage out of the "neech" comment by Mani Shankar Aiyar, caste equations are still very relevant today. Schemes like farm loan waivers may work for certain sections, but the BJP will do well to be more responsive to the needs of the other strata of society not just in name, but also in action.

8. Congress is still very much relevant in Indian politics
While the BJP/NDA may currently have governments in 19 of the 31 Indian states, with the Gujarat election Congress has shown that it is still relevant. Congress managed to increase its vote share and the number of seats it won, and ended up giving a tough fight to the BJP on its home turf. Earlier this year it managed to win Punjab (which AAP believed it had in its pocket), and it has a government in Karnataka, another major state in terms of electoral mass. While it might look like Congress is slowly dying, it could also be that a reversal is happening right now, something which will become clear in the next couple of years.

Wednesday, December 20, 2017

Responsibility Assignment Matrix

Today I was randomly exploring project management concepts when I came across an interesting tool - the Responsibility Assignment Matrix. Specifically, I had landed on the RACI model (Responsible, Accountable, Consulted, Informed) for managing projects.

The textbook definition of a project is any temporary or time-bound organization of resources which helps deliver one or more business objectives. In reality, most of the work one does at a startup could be thought of as a project - if you are fixing issues for a group of stakeholders, with interaction from other teams, doing things that are not part of your day-to-day job, then you are working on a project.

Every project has three key roles without fail - the project manager, the project sponsor and the project stakeholders. There may be multiple sponsors and stakeholders, the boundaries between them are usually virtual, and in practice one person may play more than one of these roles.

Every project can be broken down into sets of tasks. But herein lies the root of the problem - defining who is responsible for what within a project is a hard task in itself. One solution to this problem is the responsibility assignment matrix, and the prominent industry way of doing it is the RACI matrix.

A role is not the same as a person - instead, it is a collection of tasks and responsibilities that a group of people can perform, and roles may even overlap. Everyone should know, for every task, who is responsible (R) for doing it - the foot soldier - who is accountable (A) for ensuring that it is done right, who needs to be consulted (C), and who needs to be informed (I).

The standard way of doing this is:
  • Identify all required tasks and activities
  • Find out the different roles (roles, not people)
  • Now assign the RACI code: who will be accountable, responsible, consulted or informed
  • One role can have one or more amongst RACI
  • Identify the gaps - exactly one role is accountable (A) for each task, every task must have at least one R and one A, a task should not have too many Cs, and a low number of Cs and Is on the chart means low communication between team members
  • Make improvements as a team, and get alignment on each of the steps, to minimize overheads
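The gap rules in that list can be checked mechanically. What follows is an added example, not part of the original post: a small shell/awk checker run over a constructed RACI matrix. The input format (one "task,role,code" triple per line) and the sample tasks and roles are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the post: a checker for the RACI gap rules above.
# Input is assumed to be one "task,role,code" triple per line, code in R A C I.
set -eu

# Constructed sample matrix. It is deliberately flawed: "deploy" has two
# accountable roles, "write runbook" has nobody responsible, and
# "security review" has nobody accountable.
SAMPLE_RACI='design,architect,A
design,engineer,R
design,security,C
design,product,I
implement,engineer,R
implement,architect,A
implement,security,C
security review,security,R
security review,engineer,C
deploy,ops,R
deploy,ops,A
deploy,engineer,A
deploy,product,I
write runbook,ops,A
write runbook,engineer,C'

# raci_gaps [MAX_C] : read triples on stdin and print one line per violation:
#   - exactly one role is accountable (A) for each task
#   - every task has at least one responsible (R) role
#   - no task has more than MAX_C consulted (C) roles (default 3)
# A role holding several letters for one task is allowed, as the post says.
raci_gaps() {
    awk -F, -v max_c="${1:-3}" '
        NF < 3 { next }                      # skip blank or malformed lines
        { task = $1; code = $3; seen[task] = 1 }
        code == "A" { a[task]++ }
        code == "R" { r[task]++ }
        code == "C" { c[task]++ }
        END {
            for (t in seen) {
                if (a[t] + 0 != 1) printf "%s: %d accountable roles, need exactly 1\n", t, a[t] + 0
                if (r[t] + 0 < 1)  printf "%s: no responsible role\n", t
                if (c[t] + 0 > max_c) printf "%s: %d consulted roles, max %d\n", t, c[t], max_c
            }
        }' | sort
}

# raci_gap_count [MAX_C] : number of violations for the matrix on stdin
raci_gap_count() { raci_gaps "${1:-3}" | grep -c . || true; }

# Run over the sample when invoked directly with "demo"
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_RACI" | raci_gaps ;;
esac
```

Invoked with the argument demo, the checker reports three gaps for the sample: two accountable roles on deploy, none on security review, and no responsible role on write runbook. The "too many Cs" threshold is a judgement call per project, which is why it is a parameter rather than a fixed number.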

Projects come in different flavours, and while RACI may suit some projects, there are other ways of doing responsibility assignment as well - for example:
  • RAPID (Recommend, Agree, Perform, Input, Decide) - created by and a trademark of Bain & Company
  • RACI-VS (Verifier, Signatory) - an expanded version of RACI with acceptance criteria
  • PACSI (Perform, Accountable, Control, Suggest, Informed) - useful to organizations where the output can be reviewed and vetoed by multiple stakeholders
  • and so on..

Thus, depending on the project at hand, the ideal responsibility assignment matrix can be picked, to make everyone's life easier at the end of the day.

You end up with a matrix like the one below, which keeps everyone in the team aligned on who is contributing where. In my opinion, it doesn't matter who you are interacting with, this kind of matrix will always help you with the "non-developer" stuff you can take care of as a developer, so as to maintain your visibility and keep everyone around you happy. It also helps you be selective about whom you can be proactive with, and at what stages, so that you are in everyone's good books - something that should help with longevity at any organization :)

Friday, December 08, 2017

Startups of China

For the past few years I've been generally curious about Alibaba, Jack Ma, and the other Asian companies and founders of the internet era. Much of this interest has been generated by the kind of billion-dollar investments these organizations are pumping into the Indian startup ecosystem right now. FWIW, I've worked at Ibibo in the past, which had Tencent as one of its shareholders. But so far, the narratives I had come across were the same stories of individuals retold by different people. Getting a bird's-eye view of the whole ecosystem while understanding the general environment had been hard.

I was finally spurred into action when I saw the trailer for Jack Ma's movie, Gong Shou Dao.

Now anyone can start a company, but it is another thing entirely to turn it into a $500 billion business. And amongst all the first-generation founders of $100 billion businesses I know of, I can't recall any other who starred in his own movie. But that is not the point. What I realized was that there was much more to Jack Ma than the press would tell. So far, every article I've read about him would mention for sure that he used to be an English teacher. But nobody ever wrote that he is a master of Tai Chi, or commended him for the master networker he is.

So this time, curiosity got the better of procrastination, and I began researching books on Jack Ma. After carefully going through reviews on Amazon and Goodreads for many of the books on him, I decided to get a copy of Alibaba: The House that Jack Ma Built, written by Duncan Clark.

At best, what I had hoped for was a thorough account of Jack's life, and the eulogising content that biographies usually have. After reading the book, I will admit that I had set my expectations far too low.

The book tells an excellent narrative of not just Jack Ma's life, but of the whole startup ecosystem, since the early internet days in China. It has ample sections on many other entrepreneurs, who were running some of the hot ventures of their time, before Alibaba became the hottest venture of all time out there. And of course, how the Chinese government initially struggled to classify internet as a communication tool, the strategy they adopted, and the impact these companies have had on businesses and consumers in China. The Taobao feature of haggling over chat was a real eye opener - every feature is worth building if the customers need it. The message, that customer is the king is hard to miss, chapter in, chapter out.

It is one of the best books out there for a 10,000-foot view of the ecosystem. I learnt more about the other internet companies of China - like and Tencent - than I have so far from news articles and other profiles. Some other lessons, like the humiliation faced by eBay China, are worth remembering for future executives entering a new geography. The perspectives that many investors, including Masayoshi Son, held in those days are well documented.

Having read the book, it's clear what kind of strategies the trio of SoftBank, Alibaba and Tencent are now employing in the Indian ecosystem. Tag-teaming on many investment opportunities, the kind of consolidation they are aiming for, and the general parallels with the trend in China are hard to miss. This is a must-read for anyone who wants to get the hang of the Indian startup scene over the next 5-10 years, and of the direction mid-to-large players are going to move in.

PS: I have one piece of advice for any future reader - the book, in a lot of places, underplays the kind of numbers Alibaba was achieving. While it looks unintentional to me - it could be to maintain a modest or underdog narrative, or because Alibaba is so successful today that the milestones seem small in comparison - I'm pretty sure many startup founders today would be shouting from the rooftops if they achieved one such metric.

Wednesday, December 06, 2017

Robo-recruiters and Github commit history

Some time ago, when I was looking out for a job change, I had an interesting conversation with a recruitment consultant X.

Now most of these consultants just look for buzzwords in candidate resumes, without understanding the true meaning of those requirements. In the days of LinkedIn and other tools, this search has become even more pedestrian. So you hear of cases like a recruiter asking a candidate why he has no experience with NoSQL even though Cassandra and Redis are on his resume, or a recruiter assuming a candidate is a hardcore iOS developer because he wrote Java and mobile web development on his resume, even though iOS, Objective-C or Android weren't mentioned.

Cases like the above are understandable - in the ever-changing technological landscape, technologies come and get outdated every two years, and keeping track of which technology is used for what is hard. This makes the recruiter's job challenging. For a consultant working with multiple partners, it can only get more confusing.

However, my conversation with X was different at a fundamental level - it was about the kind of contributions and skills I had. Though I had worked at multiple startups on many key projects, and am otherwise a high-contributing user on StackOverflow, recruiter X began questioning me on my open source contributions - specifically, why the commit history on my Github was sparse. I mean, an open contribution is an open contribution, be it Github or Stack Overflow, and I'm anyway well conversant with the major technologies and paradigms of the day.

Though I could convince X that I had the skills the job required, this episode made me realize the kind of power these robo-recruiters hold. Most of them don't understand technology or technological concepts, and yet they have immense power in the hiring decision at the shortlisting stage. The fact that most robo-recruiters work to maximize their commissions, and not the applicant's interests, doesn't help either. So the idea germinated - write a script that creates a commit history, to bypass in future the set of robo-recruiters who overlook other competencies in the absence of Github activity.

Now git provides two excellent environment variables, which it uses while setting the time of a commit:

So all we need to do is execute the below in a loop, with commit dates in the past:
git commit -m "commit for $COMMIT_DATE" --quiet

Relying on this, I created a basic script which on execution creates a fresh git repository, adds commits from a year in the past to a year in the future, and pushes them to your Github account. The number of commits per day is random, and the number of lines per commit is again random, to fool anyone using naive programmatic bots.
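The loop described above, written out as an added example (this is not the post's script, which is not reproduced on the page). git takes a commit's two timestamps from the GIT_AUTHOR_DATE and GIT_COMMITTER_DATE environment variables, so exporting both before each commit places that commit on any calendar day you choose. The identity and dates below are constructed, nothing is pushed anywhere, and the only assumption is that git is installed.

```shell
#!/bin/sh
# Added example, not the post's own script. Builds a throwaway repository
# whose commits carry arbitrary past dates, then inspects what a reviewer of
# that history can and cannot verify. Assumes only that git is installed.
set -eu

FAKE_NAME="Jane Example"           # constructed identity, not a real account
FAKE_EMAIL="jane@example.invalid"  # .invalid never resolves, so nothing is attributed

# make_backdated_repo DIR DAY... : create DIR as a git repo with one commit per
# DAY (YYYY-MM-DD). git reads the timestamps from GIT_AUTHOR_DATE and
# GIT_COMMITTER_DATE; setting both keeps `git log` and any graph built from
# commit dates consistent, which is what the post's script relies on.
make_backdated_repo() {
    dir=$1; shift
    git init -q "$dir"
    for day in "$@"; do
        printf '%s\n' "$day" >> "$dir/activity.txt"
        git -C "$dir" add activity.txt
        GIT_AUTHOR_NAME="$FAKE_NAME" GIT_AUTHOR_EMAIL="$FAKE_EMAIL" \
        GIT_COMMITTER_NAME="$FAKE_NAME" GIT_COMMITTER_EMAIL="$FAKE_EMAIL" \
        GIT_AUTHOR_DATE="$day 12:00:00 +0000" \
        GIT_COMMITTER_DATE="$day 12:00:00 +0000" \
            git -C "$dir" commit -q -m "commit for $day"
    done
}

# count_commits DIR : number of commits reachable from HEAD
count_commits() { git -C "$1" rev-list --count HEAD; }

# head_author_day DIR : author date of HEAD as YYYY-MM-DD (%ai is the full
# ISO-style author date; its first ten characters are the calendar day)
head_author_day() { git -C "$1" log -1 --format=%ai | cut -c1-10; }

# days_in_history DIR : distinct author days, oldest first. This is all the
# evidence a contribution graph has, and every value came from an env var.
days_in_history() { git -C "$1" log --format=%ai | cut -c1-10 | sort -u; }

# signed_commit_count DIR : commits whose signature verifies (%G? prints G
# only for a good signature, N for none). Timestamps and author email are
# self-asserted, so a verified signature, or a merge into a repository the
# author does not control, is what distinguishes real history from generated.
signed_commit_count() { git -C "$1" log --format=%G? | grep -c '^G$' || true; }

# demo : build a three-commit repo in a temp dir and print what a reviewer sees
demo() {
    tmp=$(mktemp -d)
    make_backdated_repo "$tmp/fake" 2016-12-01 2016-12-02 2017-03-15
    echo "commits:        $(count_commits "$tmp/fake")"
    echo "latest day:     $(head_author_day "$tmp/fake")"
    echo "active days:    $(days_in_history "$tmp/fake" | tr '\n' ' ')"
    echo "signed commits: $(signed_commit_count "$tmp/fake")"
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it with the argument demo to see three commits spread over 2016 and 2017, created in under a second on whatever day you actually run it. The practitioner's caveat cuts both ways: a commit graph is built from timestamps the pusher controls, and GitHub attributes commits to an account by the author email, which is equally self-asserted. Anyone screening on Github activity, recruiter or otherwise, should therefore treat the graph as a hint at best and look instead at commits that carry a verified signature from a key tied to the account, or at pull requests merged into repositories the candidate does not own.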

So, all that is needed is download the script, and run it as
sh <Your name> <Your primary github email> <An empty repo>

And voilà! You now have a Github commit graph, ready to bypass the next robo-recruiter :)

PS: If you are wondering why I am pushing the commits in two phases in the script, it is due to the way Github's streak feature is implemented. It only considers the top 1000 commits in a single push for the purpose of creating a commit graph, which I detected by trial and error. So, in the interest of time, I decided to lazily copy-paste and execute the code again rather than cleanly breaking this into chunks of 1000.

PPS: Tested on Mac, comes with no warranties.
You can download it from Github.

Tuesday, October 31, 2017

A journey by train

Going through my old email archives, I found this story from 2012 which I never posted. Now that I've this blog, here it goes after some formatting. 

After getting the news that I had a job offer, I spent Friday idling my time away in office. I had earlier applied for a holiday on Friday since I was flying in the morning, but my Kingfisher flight was cancelled, and so I turned up in office for the basic necessities - free AC, high-speed internet, and people for company at lunch time. And thus the wheels were set in motion for an epic train ride.

Saturday started at 11am. I had tickets for two trains for Saturday booked via IRCTC - one to my hometown Jaipur and another to Kota, three hours from Jaipur. Both were waitlisted, the trains separated by an hour. Both had been booked in July, 118 days before the date of travel (booking opens 120 days before the day of the journey). Neither had been confirmed by the morning of the date of travel.

It was 3PM by the time I left home. The chart for the first train would be ready at 4. I reached the station at 4.10, only to find that my ticket was not confirmed.

I had hope - there was another train, and who knows, one of the TTs might have a seat to spare for me on this one. Standing at the junction waiting for the trains was an experience in itself: rows of men and women sitting and waiting in serpentine queues for trains to take them home, with the occasional babies and oldies dotting the lines.

After some 30 minutes of queue watching, the chart for the second train was up, and I got the confirmed news that my second ticket remained unconfirmed. I didn't know what to do next - I had a confirmed ticket for departure the next day, but I wanted to leave the same day.

Another 15 minutes were spent in consternation, when the first train arrived on the platform. I saw the TT and started walking towards him. Many others saw him as well, and everyone rushed to bribe their way through. After some tiring rounds, each of which saw me and a horde of others pleading with a different TT for a seat in his bogie, I realised these TTs were acting tough because the train had only AC coaches, and the chances of getting a seat were nil.

Lesson learnt - Sleeper me dhandhli hoti rehti hai, AC me mushkil se hi hoti hai (in sleeper class the fixing goes on all the time; in AC it hardly ever does). And the system does work, though sometimes it may not work, and at other times it may work against you.

I was frustrated with the situation. I had a confirmed ticket for departure the next day, but some part of me wanted to travel on the Saturday itself. Soon this minor part convinced the major part of me, and while walking out of the station I literally ended up joining the ticket queue instead of leaving.

I thus bought a general ticket to Kota. Papa had booked a confirmed ticket from Kota to Jaipur for me, just in case I was able to board the AC train. By the time I came back in, the second train was scheduled to arrive on the platform, and the first one had already departed.

Waiting for the second train on the platform, I found an aged man with a hardened face gazing at me, roughly in his early 50s, with his white hair and brown scalp dyed black. We made eye contact, and I asked him if he had a confirmed ticket for sleeper class. He replied in the negative. He asked me if I had a confirmed ticket for sleeper class. I replied in the negative.

A smile passed over both our faces, and in that instant we both knew we would board the train together once it arrived.

Luck was on our side when the train arrived. One of the coaches was locked from inside, and we were standing outside the one next to it. We quickly entered the locked one and occupied seats, by passing through the one next to it. Within minutes the coach was full of people without tickets, before the doors were opened to the people outside, some of whom actually had reserved seats on the train. I was to learn later that this was typical of trains in the festival season.

The train was doubly full even before it had left.

By the time we left the next station, every nook and corner of the train was occupied, with three people on seats meant for two and five on seats meant for three. The upper berths, meant for sleeping at night, were occupied either by luggage, or by mid-age children, and occasionally by fat but athletic mango men. The slim minded the corridor.

I knew it was going to be a rough journey, but hadn't fancied the rock and roll to start so early. 

I was sitting on seat number 6, opposite the TT. Now the TT for this bogie was a character in himself. He was a veteran - almost 60 years old, nearing retirement. The previous year he had managed to escape an untimely death at the hands of the crowd aboard this same train. You see, it was his first time on this train after a recent transfer, and he had got down from the train to get a bottle of water and fetch the updated charts. The poor chap wasn't allowed to re-enter because the people inside had meanwhile closed the door on the people outside. He ended up having to travel hanging from the window next to the gate for almost 2 km, before someone pitied his screams and pulled the chain.
He was also an expert paan maker. Later in the journey, passengers would watch him patiently cracking supari, making his own paan with his bottles of katha and chuna, chewing a fresh betel every hour.

But that was not all - he was also an expert at hiding in plain sight. He had left his coat in his bag, his charts tucked in his pants, and his shirt hanging loose. Even the two girls and one child sitting beside him didn't realise he was the TT, till he had to shout at them for occupying his side of the seat. He later explained why he wasn't wearing the coat - to protect himself from the swarms of the ignorant common man, who would eat his head asking if there was a spare seat, even though they could very well see there wasn't even half a foot of corridor free. He was a great source of entertainment throughout - when people complained about anyone else, or about the train being full due to Diwali, all he would say was "Uski bhi diwali hai, sirf tumhari thodi hai" (it's his Diwali too, not just yours). When people started complaining about him, he changed it to "Meri bhi diwali hai" (it's my Diwali too).

Which gave me the lightbulb moment - the system doesn't work because people and resources are so heavily burdened. Neither the rail network, nor the RPF, nor the TT could do anything about situations like this, when they are outnumbered 1 to 100 or 1 to 200.


At the second station, three kids boarded the train (roughly 8, 10 and 14). They somehow managed to occupy a share of the seats proportionate to the eldest's size. It was when the youngest started crying that their mother peeked in from outside the window, trying to console him (she couldn't have managed to both enter and exit at the same station), and started asking each of us (15 people sitting among those berths) where we were all headed, and if we could look after the boys. The sum total of all responses was that none of us had a confirmed ticket, and no one other than the TT should have been sitting there. But hell, no one cares about the ideal case when they are at the receiving end of it.

When the TTs started checking tickets, five of us happily paid a fine of some 400-odd bucks each for travelling in sleeper class with a general class ticket.

And so the night began.

Two stations passed. It was an hour now since the train had started, and people had started settling down.
The TT took his coat out and went for a customary round of the bogie. He could return only after three hours and another four stations had passed. By now it was 11, and people were feeling sleepy already. Of course, there was no place for sleep to come.

And then I heard the voice of an uncleji. "Kaha tak ja rahe ho?" (how far are you going?), he asked me. I responded "Jaipur". He told me he was also going there. He asked me where I work, and then told me where he works - some government bank. He then turned to the person next to me, asked him the same questions and had the same conversation. He then moved on to the person next to the person next to me, and later to the person next to the person next to the person next to me.
Half an hour later, he had broken the ice with everyone in there. Or so he thought. For, the way he had interacted with everyone, it was obvious to all that he was a person who could easily be pushed down in that crowd. Boss, if this train was a jungle, then everyone knew they could outrun this man so that the tiger fed on him, not them.
After he had asked and talked about the final destinations of everyone sharing the compartment with him, he started saying that he had a confirmed seat from Ratlam onwards. I could only laugh wryly on the inside, thinking of the fate his confirmed seat was going to have. Then I noticed a slight but devious smile on the face of the dyed-hair uncle, and similar expressions on the faces of the kids. From the kids to the oldies, everyone knew where his seat was going to go after Ratlam - he had familiarised himself too well with everyone, and convincing anyone to give up his portion of the seat would be an impossible task for him.

(It later turned out he lives only 2 km from my home.)

And then I fell asleep. A couple of hours passed, and I woke up to find that the to-be-pushed-around uncle had somehow found some space in the corridor for himself, and had laid his bed sheet there in an attempt to rest. I was the only one awake, so he smiled and talked about how his life would change at Ratlam station. I smiled back, thinking how wrong time was going to prove him.

Soon it was time for a major station to appear, and the sudden increase in decibel levels woke everyone up. And then the station appeared. The Ratlam-se-seat-hai uncle climbed back onto some seat, lest he be overrun by a suitcase or trolley. His bed sheet was not so lucky - it hadn't been picked up by its master. It lay there, getting soiled under the shoes and luggage of passers-by. And everyone knew the seat after Ratlam was common property now - there was no chance this man would defend a seat when he couldn't defend his bed sheet.

And so the compartment went back to sleep again.

At about 5 in the morning, I was woken by the violent thumping of the gates. A woman's voice was audible, shouting from outside "Bho*** ke gate kholo, Kholo ma*** c***" (open the gate, followed by choice abuse). It was Ratlam, and the lady was from a nearby village travelling with a family of four, with confirmed tickets. She had been denied entry by the same ritual - gates shut from inside because the train was already overcrowded. Folks had managed to keep the gates closed for the past four stations.

But she was no ordinary woman - she knew enough profanities to cajole the men near the gate into opening the door. Of course, opening the door didn't save them - they were now delivered those colourful words face to face. Her vocabulary of cuss words seemed unparalleled, and people couldn't stop laughing at some of the things she said.

My laughter stopped when the bomb dropped - her confirmed seats included the one I was sitting on. So I had to get up, sit on the floor and sleep there now. Luckily, there was little luggage below the seats, and hence ample leg room, a fact observed only by me in the compartment. Because others had somehow failed to notice it, I took the opportunity to go and ease myself in the toilet, and returned to sleep in peace. You see, folks with more premium space were afraid someone else would come and squat it if they vacated.

I returned to find everything the way it was before Ratlam had arrived. The Ratlam wale uncle still did not have a full seat to himself even though Ratlam had already passed.

Some four hours later, Kota arrived, and the train's upper berths got somewhat empty. Three hours later, I finally reached Jaipur after what was the most eventful and adventurous train journey I have ever had.

Sunday, March 26, 2017

Building MVP for developers

Usually when building an MVP, the developer's focus is on getting things done and shipping as fast as possible. While this is a good thing - spending energy only where it is needed most - it can result in an unusual problem. Many times, when the product becomes a hit, the technical debt accumulated in earlier iterations impedes the rollout of features to a larger audience and slows down growth. In other scenarios, the lack of a structured approach comes back to bite the developers hard, because they didn't think through all angles of the problem.

Developers usually make a lot of these mistakes early in the development cycle, and the end cost is significantly higher as a consequence. This problem inspired me to research strategies and best practices that help one develop fast but still avoid future churn.

In this post, I'm summarizing some principles that are important to adopt early on:

1. Identify the opportunity before beginning the solution
It all begins with the market opportunity you have identified within your domain. Be sure that you understand the requirements the way your users would want them, and that you've brainstormed the requirements enough to have crystal clarity on the delivery plan. Know what your target customer segment is, and what they need.

2. Account for Biases
It is very easy to be blinded by assumptions. What works at one place may not work at another, and what works for one user may not work for other users. Try to think of the problem from the point of view of multiple customer segments, and identify the solution that would provide the maximum coverage. Every bias you uncover is an opportunity to sharpen your understanding of the opportunity you have.

3. Establish success metrics early on
For every feature that you build, establish how you would check whether it was successful or not. Build these metrics from both the technical and business angles, and get buy-in from any other stakeholders. This helps ensure that your scope is well defined, and makes the steps bite-sized for everyone to follow. It is okay if the metrics are sometimes not monetary or performance related - but they have to be present to justify why you are spending time on this feature.

4. Ensure that you build for everyone in your target customer base
If this means having personalization, regionalization or internationalization, then so be it. Make preparations for this from the beginning if it is part of the end goal, but don't obsess over it. Most frameworks have internationalization APIs and packages; use them for formatting your results. It is always better to externalize resources and never hard code them, as otherwise you would end up doing technical rework and more quality checks. As general rules, avoid string concatenation when building user-facing text, and make sure that your images are appropriate, i.e., they avoid metaphors and respect cultural sensitivities.

5. Iterate based on customer feedback
It is very important to listen to what your users are saying in the early phases, but don't be blinded by their comments. It is your job to figure out what the user is actually saying, and extract the meaningful parts which apply to most of your customer base. Prioritize solving issues that affect the larger customer segments.

Thursday, January 26, 2017

Information Security: DREAD and Mitigation of Threat Models

Continuing from the last post, in which we discussed data flow diagrams and how they help in building a threat model, this post covers mitigation strategies for the threats a model surfaces.

The first important step in mitigation is knowing how serious (or trivial) the vulnerabilities are. For risk-assessing computer security threats, Microsoft came up with a simple mnemonic that helps in rating the risk associated with a threat using five categories. It is referred to as DREAD, and denotes:
  • Damage: the possible harm that can be caused to the system, program, data, reputation or brand. It seeks an answer to the question - how bad would the attack be?
  • Reproducibility: how reliably an attacker can reproduce the attack. It seeks an answer to the question - how easy is it to re-do the attack?
  • Exploitability: the difficulty of exploiting the vulnerability. As such, it looks at the barrier to launching an attack, and seeks an answer to the question - how much work is it to launch the attack?
  • Affected Users: the number of users / systems that could be affected by the threat, i.e., the blast radius. In short, it gauges how many people will be impacted.
  • Discoverability: how easy the vulnerability is to find. It gauges how easy it is to discover the threat.

In a nutshell, DREAD is an important categorization that helps one prioritize vulnerabilities and threats based on practical data points.

Once the associated risk has been assessed, it is important to actually mitigate. While the actual changes will vary depending on the vulnerability, in general there are some rules of thumb which can be used to mitigate the threats in each STRIDE category. These are:
  • Spoofing: can be countered with proper authentication of the user
  • Tampering: cryptographic protection (integrity checks) and proper authentication help here
  • Repudiation: this is generally managed with auditing and digital signatures (private keys)
  • Information disclosure: digital signatures and cryptographic protection help here
  • DoS: these are generally mitigated via network-level restrictions
  • Elevation of Privilege: usually proper authorization and least-privilege checks help here
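The two lists above - DREAD for rating a threat and the STRIDE rules of thumb for mitigating it - fit together naturally as a small threat register. The following Python is an added example, not code from the original post or from Microsoft: it validates DREAD ratings, sorts threats by score, attaches the matching STRIDE rule of thumb, and reports which threats are still open. The 0..10 scale per category, the averaging, and the High/Medium/Low thresholds are assumptions for illustration (the post does not prescribe a scoring scheme), and the sample threats are constructed for a hypothetical web service.

```python
from dataclasses import dataclass
from typing import Dict, List

# Rule-of-thumb mitigations per STRIDE category, as listed in the post.
STRIDE_MITIGATIONS: Dict[str, str] = {
    "Spoofing": "proper authentication of the user",
    "Tampering": "cryptographic protection and proper authentication",
    "Repudiation": "auditing and digital signatures",
    "Information disclosure": "digital signatures and cryptographic protection",
    "DoS": "network-level restrictions",
    "Elevation of Privilege": "proper authorization and least-privilege checks",
}

# The five DREAD categories. Each is scored 0..10 here; that scale and the
# averaging below are assumptions, not something the post specifies.
DREAD_CATEGORIES = ("damage", "reproducibility", "exploitability",
                    "affected_users", "discoverability")
MAX_SCORE = 10


@dataclass
class Threat:
    name: str
    stride: str            # one of the STRIDE_MITIGATIONS keys
    dread: Dict[str, int]  # category -> 0..10
    mitigated: bool = False

    def __post_init__(self) -> None:
        # Reject registers with unknown categories or out-of-range ratings early.
        if self.stride not in STRIDE_MITIGATIONS:
            raise ValueError(f"unknown STRIDE category: {self.stride}")
        if set(self.dread) != set(DREAD_CATEGORIES):
            raise ValueError("every DREAD category must be scored exactly once")
        for cat, score in self.dread.items():
            if not 0 <= score <= MAX_SCORE:
                raise ValueError(f"{cat} score {score} outside 0..{MAX_SCORE}")


def dread_score(threat: Threat) -> float:
    """Average of the five ratings, rounded to one decimal place (assumed convention)."""
    total = sum(threat.dread[c] for c in DREAD_CATEGORIES)
    return round(total / len(DREAD_CATEGORIES), 1)


def risk_band(score: float) -> str:
    """Coarse band used to decide what gets fixed first (thresholds assumed)."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD score first; ties keep their original order."""
    return sorted(threats, key=dread_score, reverse=True)


def mitigation_plan(threats: List[Threat]) -> List[Dict[str, str]]:
    """One row per threat, in priority order, with the STRIDE rule of thumb attached."""
    return [
        {
            "threat": t.name,
            "score": f"{dread_score(t):.1f}",
            "band": risk_band(dread_score(t)),
            "stride": t.stride,
            "mitigation": STRIDE_MITIGATIONS[t.stride],
        }
        for t in prioritize(threats)
    ]


def unmitigated(threats: List[Threat]) -> List[str]:
    """Names of threats still open: the list a release review should drive to empty."""
    return [t.name for t in threats if not t.mitigated]


# Constructed sample register for a hypothetical web service; scores are illustrative.
SAMPLE_THREATS = [
    Threat("Forged session token lets a client act as another user", "Spoofing",
           {"damage": 7, "reproducibility": 8, "exploitability": 6,
            "affected_users": 9, "discoverability": 5}),
    Threat("Audit log rows writable by the application's DB account", "Repudiation",
           {"damage": 6, "reproducibility": 9, "exploitability": 4,
            "affected_users": 5, "discoverability": 3}, mitigated=True),
    Threat("Unauthenticated endpoint can exhaust the worker pool", "DoS",
           {"damage": 5, "reproducibility": 10, "exploitability": 8,
            "affected_users": 10, "discoverability": 7}),
    Threat("Debug page returns stack traces to anonymous users", "Information disclosure",
           {"damage": 3, "reproducibility": 10, "exploitability": 2,
            "affected_users": 2, "discoverability": 9}),
]

if __name__ == "__main__":
    for row in mitigation_plan(SAMPLE_THREATS):
        print(f"{row['score']} {row['band']:<6} {row['stride']:<22} {row['threat']}")
        print(f"      mitigate with: {row['mitigation']}")
    print("still open:", unmitigated(SAMPLE_THREATS))
```

Keeping the `mitigated` flag on each threat is what makes the register useful beyond a one-off ranking: on every feature release the register is re-read, new threats are scored and added, and `unmitigated()` is the check that the review has to drive to an empty list.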

To further ensure that all known threats have been mitigated, developers can play the Elevation of Privilege card game, which starts from the least-privileged position and checks for all the possible breaches in each STRIDE category above.

With that, I hope this series of posts was helpful in understanding the basics of information security. It is important to remember that security testing is an ever-evolving list of action items - new threat vectors keep cropping up at different levels within the system, and constant vigilance is the only solution.

Even when the threat model has been completed and proper security testing has happened, it is important to revisit the threat model regularly, and on every new feature release. Software and services change during design and code release, and the STRIDE mitigations above provide security tests which can evolve continuously alongside them.