parrik

Method

Security was never about response

Continuous verification: gates and sweeps · Security is the love of careful work. Response is what arrives when carefulness arrives late.

A security team that responds well is a fire department with no fire code.

The fire department is necessary. But if you are calling them, the building has already caught fire. Confusing the two is how a person ends up with great forensics and chronic leaks.

Alex builds a publish-gate

Alex has a personal site — static blog, a few public repos, a domain she registered last year. One Sunday she writes a pre-commit hook to scan staged diffs for stray API keys. She is pleased. She has a security gate.

For two weeks she edits, commits, pushes, deploys. Nothing leaks.

A friend asks: “how do you know your gate is actually firing on the edits?” She runs it by hand and the gate exits silent. The path patterns she wrote on Sunday do not match the directory she edits in. The gate has been quiet for two weeks not because nothing was caught — because nothing was checked. The reason her site stayed clean was that she happened not to write any keys into any post. There was no margin.

This is exactly Saltzer & Schroeder’s complete mediation failure1 — a gate that is supposed to check every access but doesn’t. The 1975 paper named it; fifty years later the failure mode is unchanged.

What’s in security

Security is continuous verification. Every access gets checked by something that can’t be bypassed and is small enough to audit — what Anderson in 1972 called a reference monitor.2 Verification runs at two timescales:

  • Boundary-time gates fire on an action. A pre-commit hook scanning the staged diff. A pre-deploy lint asserting no public-asset directive slipped into config. A two-factor prompt at login. Deny-by-default; allow only when a named check passes.

  • Sweep-time gates fire on a cadence. A weekly npm audit. An hourly probe asserting /admin returns 401. A monthly walk through the gates inventory itself, asking which surfaces still don’t have one. Sweeps catch what gates miss — coverage gaps where a gate exists but doesn’t fire on the actual edit path, surface drift, CVEs published after the artifact shipped.

Both are gates. Boundary-time and sweep-time are the same posture at different cadences. AWS frames the same posture in builder vocabulary. Formal methods at design time. Fuzzing at test time. Deterministic simulation against the spec. And — the move that matters here — runtime validation of execution traces, checking in production that what the system is actually doing matches what it was specified to do.3 Verification as a continuous practice, not a gate-shaped one-shot.

What’s not

Response is the work that begins after verification has failed. Rotating a leaked key. Patching a forbidden path. Running comms. Reading logs backward to figure out what came in, what left, and when.

This is DFIR — digital forensics and incident response — the discipline that begins after the fire. Its metrics live downstream of the breach: how fast we noticed, how fast we contained, how long they were in. Verification’s metric is the inverse — no leaks this quarter — the dial that is supposed to read zero.

NIST has the formal taxonomy: preventive controls block harm before it lands; detective controls notice it; responsive controls remediate it.4 Verification covers the first two. Response covers the third. Adjacent disciplines, not the same one.

In August 2025, NIST shipped SP 800-53 Rev. 5.2.0 — adding control SA-24 (“Develop Cyber-Resiliency Concept of Operations”) and SI-02(07) (root-cause analysis of failed software updates), reframing boundary-and-sweep as its own control family rather than a clever pattern.5

At personal-infrastructure scale, both hats sit on one person. The hat-switch still matters. The trap is to spend all your energy in the second — “I’ll fix it when it breaks” — and starve the first. “I’ll be careful when I commit.” “I have backups.” That is planning for the fire department’s arrival without writing the fire code.

If you are in response mode, security has already failed.

Not all gates are the same gate. Kelly Shortridge’s case against control-as-strategy and against cybersecurity-as-special is an argument against humans-as-gates — the manual review queue, the security-team-as-blocker, the change-board veto. The gates this essay defends are machines against live state: a hook on a diff, a webhook on an admission request, a probe on a URL. Different target, no contradiction.6

Back to Alex

The fix was not a better response process. The fix was extending the gate’s path patterns so they actually matched the directory she edits in, then adding a sweep that walks her live URLs on a cadence and asserts each forbidden path returns 4xx. A boundary-time fix and a sweep-time fix. No incident-response capability was built; none was needed.

The harder question is second-order — and it is Saltzer-Schroeder’s, fifty years on. She thought she had a gate; she actually had two layers (gate + sweep), only built one, and the one she built had a coverage gap — the patterns it scanned didn’t include the directory she edited in. Complete mediation isn’t a check; it’s the property that every path is checked. Most personal-infrastructure projects look like Alex’s first pass. First round buys a hook because the hook is fashionable. Second round adds a sweep because the hook had a gap. Third round adds a sweep over the sweep — was it actually running on the right paths? The gate is continuous; the verification is recursive; response stays out of scope because the verification keeps catching things while they are still cheap.

The mnemonic — “security lives at the gates, not the response” — rhymes with Brendan Burns’ EarlyWatch7, a Kubernetes plug-in that intercepts cluster changes at the API boundary and rejects unsafe ones before they apply, declaratively, against live state. EarlyWatch is the modern instance; Saltzer-Schroeder is the original. The extension this essay puts down is that sweeps are gates too. Same posture, different cadence.

The thing that gets tired isn’t the gate. It’s the engineer holding it. The 2025–2026 industry conversation about shift-left fatigue — moving security checks earlier in the development cycle until the people doing the checking are buried — is about humans: review queues piled onto developers, alerts piled onto developers, security work pushed onto people who already have a job. A machine gate firing on every commit doesn’t burn out; an engineer triaging every commit does. The point of the gate is that the human stops being the gate.8

Security is continuous verification. Gates fire on action; sweeps fire on cadence. Together they are security’s entire scope. Response is what fires when verification fails — and that is a different discipline. Every response firing is a signal that verification has a gap; the goal is to close the gap, not to staff response.

Series complete. The three parts, read together: I — A self was never flat · II — Search was never about humans · III. Start a graph: github.com/parrik/know-thyself.

Footnotes

  1. Jerome H. Saltzer & Michael D. Schroeder, “The Protection of Information in Computer Systems,” Proceedings of the IEEE 63(9), 1975. The paper enumerates eight design principles; two govern this essay. Complete mediation: every access to every object must be checked for authority — a partial gate is not a gate. Fail-safe defaults: access decisions should be based on permission rather than exclusion (deny-by-default). Alex’s pre-commit hook violated complete mediation: the path patterns excluded her edit directory, so the gate, while present, did not mediate.

  2. James P. Anderson, Computer Security Technology Planning Study (USAF ESD-TR-73-51, 1972). Volume II names the reference monitor — the abstraction of an access mediator that (1) is invoked on every reference, (2) is tamper-proof, (3) is small enough to be analyzed and tested for correctness. Every gate this essay names — pre-commit hook, admission webhook, CEL policy in the apiserver — is a reference-monitor instance. Fifty-four years on, the three properties still define what a gate has to be.

  3. Marc Brooker & Ankush Desai, “Systems Correctness Practices at AWS: Leveraging Formal and Semi-formal Methods,” Communications of the ACM / ACM Queue, February 2025 (queue.acm.org). AWS pairs formal methods (TLA+, P) with deterministic simulation, fuzzing, and runtime validation of execution traces — checking, in production, that observed behavior matches the specification. Builder-voice register; direct adjacent vocabulary to “verification = continuous.” The gate doesn’t only fire at boundary-time; it keeps firing against live traces.

  4. NIST SP 800-53 Rev. 5 (csrc.nist.gov/pubs/sp/800/53/r5) formalizes the preventive / detective / responsive split. Verification covers the first two; DFIR covers the third. OPA/Gatekeeper generalizes the gate to declarative policy-as-code.

  5. NIST SP 800-53 Rev. 5.2.0, August 2025 (csrc.nist.gov/News/2025/nist-releases-revision-to-sp-800-53-controls). Adds SA-24 — Develop Cyber-Resiliency Concept of Operations (treating resiliency as a system-architecture concern with its own control family) and SI-02(07) — Root-Cause Analysis of Failed Software Updates (the sweep over the sweep, in standards form). The 5.2.0 update is the formal acknowledgment that boundary-and-sweep is not a clever pattern but a control-family discipline.

  6. Kelly Shortridge, “Cybersecurity Isn’t Special” and “Leading Cybersecurity with a Control vs. Resilience Strategy”. Shortridge’s case against control-as-strategy is a case against humans-as-gates: the security-team-as-blocker, the change-advisory-board veto, the manual review queue that slows delivery without changing outcomes. Productive tension, not contradiction — this essay’s gates are machines (a hook, a webhook, a probe) against live state. The argument against gatekeeping by humans is compatible with the argument for mediation by machines.

  7. github.com/brendandburns/early-watch — a Kubernetes validating admission webhook that denies unsafe operations against live cluster state (e.g. deleting a Service while Pods matching its selector still run). The design philosophy — prevent the unsafe operation at the API boundary, against live state — is what this essay’s “gate is continuous” framing extends into the personal-infrastructure case.

  8. 2025–2026 industry coverage of “shift-left fatigue” — e.g. Help Net Security, “Shift left strategy creates heavy burden for developers” (May 2025); Dark Reading, “‘Shift Left’ Gets Pushback, Triggers Security Soul Searching”. The pattern in these pieces: review queues, alert volume, and approval gates moved earlier in the SDLC overload the engineers expected to clear them. A pre-commit hook firing on every diff doesn’t fatigue; a person hand-reviewing every diff does. The fatigue is a symptom of human gating where machine mediation belongs.