Category: security

What if we stop treating security testing as a separate thing?
Prioritize using your existing unit, integration, and end-to-end testing frameworks to cover security cases

Security-oriented reflections on Rosa's uncontrollability
Applying Hartmut Rosa's concepts of controllability and resonance to the security space

Attack surface minimization
The sooner you start doing it, the easier it is to get done!

How some Let's Encrypt renewal failures pointed to an AWS traffic hijacking issue
tl;dr A BGP-based feature of the AWS Direct Connect service allowed a third party to inject an incorrect route for an external IP assigned to me, effectively hijacking my AWS-sourced traffic.

What's the word for a large collection of fraudulent web stores?
It started simply enough...

Using Cosign (and Vault and Fulcio and Rekor) to sign binaries
Code signing, what is it good for?

select * from cloud; with Steampipe
A SQL-like abstraction over all your cloudy things

Severity ratings should mean something
Perhaps we do not share the same definition of "critical"?

Automating security things with GitHub Actions
"Give a small boy a hammer and he will find that everything he encounters needs a pounding."

Simulated phishing is not so great
1) Don't be a jerk, and 2) consider the alternatives

Participating in the GitHub token scanning program
General impressions, and a little Python to validate the signature on incoming alerts.

Complement my nets
Calculating IP range reversals with Python 3's ipaddress
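As an added example of the technique the "Complement my nets" post describes (this is not code from the post or from the site's author), the block below computes the networks left over when a set of ranges is carved out of an enclosing block, using only Python 3's standard-library ipaddress module. The function names, the dashed-range input form, and the sample ranges are assumptions constructed for illustration; CIDR blocks either nest or are disjoint, which is what lets each excluded block be handled with a single subnet_of / address_exclude decision.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ranges(raw: str) -> List[Network]:
    """Turn one user-supplied range into CIDR networks.

    Accepts CIDR ("10.0.0.0/8"), a single address ("10.0.0.5"), or a
    dashed range ("10.0.0.0-10.0.0.127"); the last form is split into the
    minimal list of CIDR blocks by ipaddress.summarize_address_range.
    (Constructed helper for this example.)
    """
    if "-" in raw:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in raw.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(raw.strip(), strict=False)]


def complement(universe: str, excluded: Iterable[str]) -> List[Network]:
    """Return the networks inside `universe` not covered by any excluded range.

    Two CIDR blocks either nest or are disjoint, so for each remaining piece
    an excluded block is either dropped (the block covers the piece), carved
    out with address_exclude (the block sits inside the piece), or ignored.
    """
    universe_net = ipaddress.ip_network(universe, strict=False)
    remaining: List[Network] = [universe_net]
    for raw in excluded:
        for ex in parse_ranges(raw):
            if ex.version != universe_net.version:
                raise ValueError(f"{ex} is not the same IP version as {universe_net}")
            carved: List[Network] = []
            for net in remaining:
                if net.subnet_of(ex):
                    # This piece lies entirely inside the excluded block: drop it.
                    continue
                if ex.subnet_of(net):
                    # The excluded block sits inside this piece: split around it.
                    carved.extend(net.address_exclude(ex))
                else:
                    # Disjoint: keep the piece untouched.
                    carved.append(net)
            remaining = carved
    # Merge adjacent blocks back into the fewest CIDRs, in address order.
    return sorted(ipaddress.collapse_addresses(remaining))


def address_count(nets: Iterable[Network]) -> int:
    """Total number of addresses across a list of networks (a sanity check)."""
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    # Constructed sample: two internal ranges carved out of a /16.
    universe = "192.168.0.0/16"
    excluded = ["192.168.1.0/24", "192.168.2.0-192.168.2.255"]
    leftovers = complement(universe, excluded)
    for n in leftovers:
        print(n)
    print("addresses:", address_count(leftovers))
```

The address_count check is worth keeping in real use: the addresses in the result plus the addresses excluded must equal the size of the universe, which catches overlapping or mis-typed input ranges before the complement is pasted into a firewall or security-group rule.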

Startup-friendly security, CI/CD, and continuous assurance
Automated, low-effort security is the best kind

Listing O365 group members
PowerShell is an ugly hammer but it occasionally drives a nail effectively, or at least saves a bunch of copy-paste-reformat busy-work

Startups and security questionnaires
Get me off this never-ending hamster wheel of pain

Security is not a binary thing
Balancing, estimation, & trade-offs

Assessing security posture
Some open-ended questions

Startup security
Smart decisions in the early stages...

Security's need to be named
An argument against DevSecOps (SecDevOps?) & secure development lifecycles

HIPAA musings
Security regulation that doesn't suck.

Removing metadata from PDF files
Dealing with 'informational' risk penetration test findings, one at a time...

© Jamie Finnigan; opinions are my own and not my employer's. Built using Pelican. Modified from theme by Giulio Fidente on github.